Closed Bug 46400 Opened 20 years ago Closed 1 year ago
Netscape servers contacted for panel options
Split-off from bug 37877.
------- Additional Comments From Ben Bucksch 2000-07-07 19:25 -------
[...] I seem to be fed by a Netscape server with panel opens (not just panel contents). My custom, direct from cvs Mozilla build shows as panel options:
What's Related Search Bookmarks Lieblinge [(extremely bad translation of "Favorites" into German)] ConSors Discount-Broker DAB Online Brokerage eBay Germany investorworld lastminute.com TicketOnline My Netscape Network Gesamtes Netzwerk International
I get no hit searching for "consors" on our CVS rep, so this data must be fetched from the net. The localized content suggests an embedding in the Netscape Network. So, this bug got security-relevant.
Please, I am here to work. I don't want to be snooped, nor distracted by commercial stuff. If you need to test network-fetched content,
- provide an option to disable it
- set up test cases on mozilla.org servers, not Netscape servers
*before* you check it into the tree and enable it.
------- Additional Comments From Ben Bucksch 2000-07-07 19:26 -------
BTW: I wrote this *after* I took a deep breath :).
------- Additional Comments From email@example.com 2000-07-25 10:41 -------
[...] We should consider what might need to be done from a privacy standpoint for PR3. The panel list should only be requested when you try to customize, and if you don't have any netscape-hosted panels there shouldn't ever be a request to netscape.com for anything. If you think the sidebar is pinging netscape.com when all you have is mozilla.org panels then we've got a problem I'm interested in but it should be filed as a separate bug. Assign that to me for now if you like since I'm the manager of some privacy-related stuff like cookies.
CC'ing various others who might be interested, and nominating for nsbeta3, at least we should look and see what's really going on. We don't need another SmartDownload. Contacting Netscape for the panel list when you customize is certainly reasonable (and hopefully the customization service is a pref setting that could be pointed elsewhere), but if you had no netscape.com panels in your sidebar we shouldn't ever ping netscape.com.
What about the default panels like "What's Related"? Is it "obvious" they're there and that they need to contact Netcenter to do what they do, or is it another potential PR disaster?
No longer blocks: 44845
I may have stomped on changes from Ben. The collision detector said the "blocks" field was all he changed and it seemed easier to just add that than redo all my edits. Sorry if you also made other changes (and if you did we should file a bug on bugzilla's collision detector).
What an irony: <quote src="http://home.netscape.com/browsers/6/su_setup.html"> My Sidebar is yours </quote>
reassigning to morse to check the privacy implications since he is doing similar work already. This is an investigatory meta bug, the "+" is not authorizing code changes, and this bug itself can be closed when the investigation is complete (spawning new bugs if any changes are necessary).
(didn't actually reassign, oops)
Assignee: dveditz → morse
I'm not completely understanding something here. Are you saying that merely bringing up the sidebar but not clicking on any of its contents will cause a ping to netcenter? Using a sniffer I'm not seeing that at all. Or do I have to click on some content in the sidebar to effect the ping? If so, which one?
Target Milestone: M18 → ---
I don't know, that's why it needs investigating :-) Who does it ping and when? If the sidebar's closed it'd better be nobody. If the sidebar is open (as it is by default) does it ping netscape? When tabs are loaded does it ping netscape? When you select a non-Netscape tab does it ping Netscape? This needs to be tested in a commercial build more so than in Mozilla.
You have to "Customize" or "Add" panels.
To be clear: Some of the contents you see in the customize dialog (i.e. the available panels) are fetched from Netscape servers.
> this bug itself can be closed when the investigation is complete
Please, please keep this bug open as a tracking bug until the issues raised here are resolved.
I have no problem with Mozilla hitting netscape servers when you choose customize. Netscape is providing a sidebar service and so far no one else is. There is a pref to change sidebar servers once there is an alternative, so maybe what you want instead is to create a different bug saying 1) mozilla.org should provide a sidebar service, and 2) the pref should be changed to that by default. The privacy issue is if we're hitting the sidebar (or other Netscape) server at times other than when a user makes an explicit action that they can reasonably expect is getting data from the net.
Daniel, I certainly do *not* expect the browser to hit the net, if I choose "Customize Sidebar". 1. I want an option to turn off all hits to the net. 2. I want Mozilla to never hit Netscape servers unless I explicitly say "go to Netscape" (e.g. through urlbar or links). If mozilla.org doesn't provide a sidebar service, then turn it off by default.
In answer to the questions raised, here is the pinging when using the sidebar in the commercial product: Bringing up the sidepanel itself does not cause any pings. By default the CNN tab is opened. That causes some pings to netcenter to get the content. Similarly when you open the stocks tab. Opening the buddylist tab or search tab does not do any pinging (signing on to the buddy list or using the search will do pinging as expected). Similarly opening the what's-related tab on a blank screen does not do any pinging.
When "customize sidebar" is selected, there are several pings to netscape to get information on what panels are available.
Now for mozilla product. By default the bookmark tab comes up open. Bringing up the sidebar panel and the resulting open bookmark panel does not cause any pinging. Customize sidebar does ping netcenter, just as was done in the commercial product, because netcenter is currently the only provider of customized content.
Setting the nsbeta3- to get off the beta3 radar.
Whiteboard: nsbeta3+ → nsbeta3-
> Customize sidebar does ping netcenter
Yes, this is the bug. Requesting fix ASAP.
Thanks, Steve, for looking into this. Resetting to [nsbeta3-], which means only that it isn't important for Netscape to fix this before the *Netscape* beta. If you find a non-netscape person to do it feel free to reassign. Reassigning to slamm to change the pref in Mozilla to some non-Netscape sidebar server should one ever be created. Created bug 49367 (set up a mozilla.org sidebar server) as a blocker of this one.
Assignee: morse → slamm
Status: ASSIGNED → NEW
Depends on: 49367
Summary: [PRIVACY] Netscape servers contacted for panel options → Netscape servers contacted for panel options
> which means only that it isn't important for Netscape
> to fix this before the *Netscape* beta.
Netscape beta is irrelevant. In fact, this bug is irrelevant for *any* NS product. This is a Mozilla bug.
> If you find a non-netscape person to do it feel free to reassign.
Why should non-Netscape people clean the dirt of Netscape employees? BTW: Should be pretty easy to fix for somebody who knows the relevant line.
Exactly, this is not relevant for Netscape's release, the nsbeta3- is telling Steve it ranks lower in priority than his nsbeta3+ bugs. Since he is a Netscape employee that makes a lot of sense, don't you think? Ben, it turns out lots of non-Netscape mozilla developers think Netscape's sidebar service is useful, at least the ones who use the sidebar. If you don't use the sidebar then what does it matter what happens if you customize it? I doubt "Netscape" gives a fig whether Mozilla points at the netscape server. If the mozilla community would rather set up their own server or even have the feature go dark then go for it. But you are the only person I've heard complain about this. Netscape obviously isn't going to spend effort creating a second alternate sidebar service ("why are you spending time doing X when you could be fixing the browser faster instead?" is a constant complaint), *you* aren't offering to create one, *no* one has shown any interest in creating one. So you'd rather we just turn the thing off? I'm sure mozilla.org folks would be happy to turn the pref off if you can demonstrate that a majority of mozilla developers want it turned off. Maybe you can lobby someone on IRC to start a discussion at the mozilla conference here on 8/18 (tomorrow), or start one in a newsgroup.
If I'm alone with this opinion, I will mark this WONTFIX and shut up. Would still be nice, if somebody could tell me how I can prevent my local Mozilla to contact Netscape servers.
That's easy (and easy to find in lxr), change the "sidebar.customize.all_panels.url" pref in all.js.
Don't know what would happen if you set that to nothing, might be safer to point at a valid, if empty, all-panels.rdf file locally using a resource: URL. Also don't know if the code would choke if it couldn't find the %LOCALE% or %SIDEBAR_VERSION% tokens to replace, but those would presumably be bugs if it couldn't.
> (and easy to find in lxr)
Not if you don't know what to search for.
> change the "sidebar.customize.all_panels.url" pref in all.js
Thanks.
> Don't know what would happen if you set that to nothing
Nothing, i.e. only local panels are listed, just what I want.
Taking bug, easy to fix. (Assuming it won't be WONTFIX.)
Assignee: slamm → mozilla
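Added example, not part of the original bug thread and not Mozilla code: a small Python audit that resolves the effective value of URL-valued prefs (defaults overridden by user prefs) and flags those that would contact a host outside an allowlist, applied to the "sidebar.customize.all_panels.url" pref discussed above. The file contents, the URL path and the resource: path are constructed samples; only the pref name, the host sidebar.netscape.com and the %LOCALE% / %SIDEBAR_VERSION% tokens come from the comments.

```python
import re
from urllib.parse import urlsplit

# Matches pref("name", "value"); and user_pref("name", "value"); with string values.
PREF_RE = re.compile(r'^\s*(user_pref|pref)\(\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)\s*;', re.M)

# Constructed sample files. The sidebar URL path is a placeholder, not the shipped default.
ALL_JS = '''
pref("sidebar.customize.all_panels.url", "http://sidebar.netscape.com/example/%LOCALE%/%SIDEBAR_VERSION%/all-panels.rdf");
pref("browser.startup.homepage", "http://www.mozilla.org/");
'''
# Two candidate overrides from the thread: empty string, or a local resource: URL.
PREFS_EMPTY = 'user_pref("sidebar.customize.all_panels.url", "");\n'
PREFS_LOCAL = 'user_pref("sidebar.customize.all_panels.url", "resource:/res/all-panels.rdf");\n'

def effective_prefs(defaults_text, user_text=""):
    """Merge default prefs with user prefs; user values override defaults."""
    prefs = {}
    for text in (defaults_text, user_text):
        for _kind, name, value in PREF_RE.findall(text):
            prefs[name] = value
    return prefs

def remote_prefs(prefs, allowed_suffixes=("mozilla.org",)):
    """Return {pref name: host} for prefs holding a network URL to a non-allowed host."""
    flagged = {}
    for name, value in prefs.items():
        parts = urlsplit(value)  # %TOKENS% sit in the path and do not affect the host
        if parts.scheme not in ("http", "https", "ftp") or not parts.hostname:
            continue  # empty string, resource:, chrome:, file: are not network fetches
        host = parts.hostname.lower()
        if not any(host == s or host.endswith("." + s) for s in allowed_suffixes):
            flagged[name] = host
    return flagged

if __name__ == "__main__":
    for label, user in (("default", ""), ("empty", PREFS_EMPTY), ("local", PREFS_LOCAL)):
        print(label, remote_prefs(effective_prefs(ALL_JS, user)))
```

This only covers hosts named in string prefs; confirming that nothing else is contacted still needs a network capture like the sniffer run reported earlier in this bug.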
I'm tempted to just remove the dynamic listing from Mozilla completely (i.e. set the pref to null). Mozilla ships with some local panels, which will still be listed, and others can be added via links (see tinderbox). Engineers working on this can set their prefs to point to Netscape servers.
The only problem that I have with this is that we are losing the ability to easily test Mozilla's ability to download rdf off the net from the sidebar. Quality is Job One. Ben, are you offering to host another default RDF datasource for testing?
I've thought about this a little more. I really want to see testing for the networking in place. How about a dialog that pops up that asks you if you want to download the rdf with a button that asks if you ever want to be asked again? That sounds like a reasonable compromise that lets users choose their own level of security and still allows testing. Ben, does that sound reasonable?
> we are losing the ability to
> easily test Mozilla's ability to download rdf off the net from the sidebar
Netscape engineers/QA probably use Netscape builds anyway, and they can have the pref enabled. Even if not, they can enable it in their default pref. I sincerely doubt that individuals working on/testing Mozilla will want to test this feature. It is mostly an ad space (just like Netscape's default bookmarks) IMO.
> How about a dialog that pops up that asks you if you want
> to download the rdf with a button that asks if you ever want to be asked
> again?
Sounds good, any volunteers? Until we have that, I'd like to disable it. Don't make network queries without my explicit request.
CC'ing Brendan to get Mr. Mozilla's perspective.
While I would much rather have a non-commercial sidebar server than Netscape's in the mozilla build, it would be *extremely* presumptuous of you to unilaterally turn off this feature entirely without feedback from the mozilla community and mozilla.org staff. There are people--non-Netscape people--who *like* this feature, and the repository at sidebar.netscape.com is a pretty big one full of interesting stuff (Slashdot, Segfault, Hacker News Network, Perl News, BetaNews.com, and of course commercial sites like CNN and Wired). This discussion needs to move out of the dark corners of this bug and into a newsgroup before any change is made. If you had an alternate sidebar server that'd be one thing, but if the choice is between Netscape's server and nothing then the people who want nothing can just not click on the customize button. Or put the pref discussed above in their prefs.js
I think we should definitely change how this works. First, let me say that I do use some of the sidebars that download from netscape, namely CNN and a few other news sites. I think the problem here though is that it is not obvious that clicking on customize sidebar is going to contact some server on the internet. I think that until we have a mozilla.org sidebar server the netscape sidebars should be available. But, you should have to click a button that says "Download additional sidebar panels from Netscape" in the Customize Sidebar UI. It shouldn't just automatically do it. This could cause major PR problems. If you don't believe me just look at the recent AOL/NS SmartDownload fiasco.
Someone want to come up with a patch that does what David proposes, and confirms that the user wants to download additional sidebar panels? Until then, I see no reason to change things. It would be foolish to remove all panels until a mozilla.org server is set up. Sidebar would rust, bugs would not be found, etc. /be
> it would be *extremely* presumptuous of you to unilaterally turn off this
> feature entirely without feedback from the mozilla community and mozilla.org
> staff.
This wasn't my intention.
> and the repository at sidebar.netscape.com is a pretty big
> one full of interesting stuff (Slashdot, Segfault, Hacker News Network, Perl
> News, BetaNews.com, and of course commercial sites like CNN and Wired).
Interesting. I see *none* of these. See the initial description for the complete list I saw.
> then the people who want nothing can just not click on the customize button
No, this is not an option. I must be able to explore Mozilla without being scared that it does something I don't want it to do. Anyway, how do I *remove* "What's related" from the fly-out-list, if not via "Customize Sidebar"?
> It would be foolish to remove all panels until a mozilla.org server is set up.
> Sidebar would rust, bugs would not be found, etc.
Mozilla *ships* with some panels.
IMO, this feature doesn't fit into the free Internet world, which is distributed. This feature is AOL(-AIM)-like, where a central server provides (nearly) all available options - control by a single company. I don't see evidence that the user can specify more than one panel list provider. Also, there is no UI to change the server. IMO, shipping with some integrated panels and giving the option to add more via links on the websites which provide the panels is just fine.
I agree that this should be discussed on a newsgroup first. Which one?
This bug does not depend on bug 47778. I have an empty string as sidebar provider url, and never got such an error msg (which is correct). Removing dependency.
No longer blocks: 47778
asa, I think this is that sidebar panels load from netscape site bug we were looking for...
Marking blocking bug 37877 [yes it's not a clean block, but it could be argued that it might regress and reopen that unless it is fixed]. endico: weren't we going to have a directory on dmoz or something?
timeless, if anything, the dependency is the other way around. If there is no Netscape content in the sidebar, the sidebar won't query netscape.com anymore. Removing depending bug.
No longer blocks: 37877
Changing personal priorities. Giving away most of my bugs :-( (reassigning to default owner). I will still track these bugs closely. If you need my input, feel free to ask me. New owner: Please do *not* close these bugs (as WONTFIX or whatever you may find) unless they are fixed. Rather, reassign to <firstname.lastname@example.org>, if you don't want to work on them.
Assignee: mozilla → matt
Status: ASSIGNED → NEW
spam : changing qa to sujay (New Sidebar QA)
QA Contact: shrir → sujay
Assignee: matt → nobody
Target Milestone: --- → Future
Hi Ben, you are NOT the only one bothered by this. If not for privacy reasons (which I consider not so grave in this case) then for PR reasons: It may make a scandal that Mozilla phones home to Netscape (by the way: why does Mozilla try to act as a SERVER directly after the installation?). I would prefer if this contacting Netscape could be switched off somewhere in the settings (and maybe be switched off as a default in Mozilla, since it is not Netscape). By the way: I do use the sidebar - but for bookmarks only - so, why should Netscape be contacted when I configure the sidebar? Regards Andreas
Has this been fixed in later edits to the file? Is this still an issue? If so, please update this bug.
Priority: P3 → --
Target Milestone: Future → ---
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED