Closed Bug 585535 Opened 14 years ago Closed 10 days ago

Provide ability to access Google Safe Browsing Advisory for a malware site via the blocked site overlay

Categories

(Camino Graveyard :: Security, defect)

1.9.2 Branch
All
macOS
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: alqahira, Unassigned)

Details

(Whiteboard: l10n)

Attachments

(1 file)

In bug 437488 comment 4, we decided not to link to the Google Safe Browsing Advisory page for a malware site in the Camino UI (so that we could have consistent UI/button actions for malware and phishing; the more info URL would go to cbo in both cases, and the blocker bar's "report an error" button would go to Google's page for getting off the lists: a form for phishing, and the advisory for malware).

To get access to the advisory, you'd have to click through the overlay, which we didn't want to encourage, so in bug 451092, we were going to remedy that by providing access to the advisory via a web form on cbo (eventually bug 532790):

(In reply to bug 451092 comment 9)
> > info about the reporting UI
> 
> In the latter case, I decided against having people visit the site and invoke
> the blocker bar in order to report the false positive (don't encourage
> dangerous behavior and all that).  This means that we don't ever really link
> users to the Google advisory for blocked malware sites.  What I'd like to do
> is have a form on the page that takes a URL as user input and displays the
> Google advisory, so that we can send concerned people directly to the advisory
> in a safe manner.  

Unfortunately, this is not a really good solution for a number of reasons (least of all being it's still not live yet :P ):

1) The advisory only applies to malware, not to phishing, so if a user inputs (on security/#safebrowsing, where both MoreInfo links point) the URL of a site blocked by the Phishing Blocker, the advisory tells them the site is fine.

2) We don't get a referrer from a link-click out of the blocked site overlay, so our web form can't pre-fill the form with the value of the site that was blocked by looking at the referrer.

So I think (and it sounds like philippe agrees) we need to bite the bullet and work a link to the advisory for the site in question back into the overlay for malware.

This is going to be kind-of messy, both l10n-wise (we're going to have to duplicate the string, or break it up into additional parts and rework the formatString, or something) and because we want whatever text/link to only appear when we've got a blocked malware site, and we'll also need to grovel for the URL that's blocked, to be able to insert that into our link.

(It's also worth noting that Firefox now has a "new" destination for the "not a malware site" button on the blocker bar (bug 441624), http://en-US.malware-error.mozilla.com/?hl=en-US&url=http%3A%2F%2Fwww.mozilla.com%2Ffirefox%2Fits-an-attack.html that ultimately redirects to a useful, but private, info page at StopBadware: http://www.stopbadware.org/firefox?hl=en-US&url=http%3A%2F%2Fwww.mozilla.com%2Ffirefox%2Fits-an-attack.html.  It apparently used to go to http://www.stopbadware.org/home/reviewinfo?hl=en-US&url=http%3A%2F%2Fwww.mozilla.com%2Ffirefox%2Fits-an-attack.html)

(Moreover, there's also bug 388446, still not fixed in Firefox, but Google has a form up.  We should probably do that at some point, too.)

Flags: camino2.1?
Severity: enhancement → normal

(In reply to comment #0)
> formatString, or something) and because we want whatever text/link to only
> appear when we've got a blocked malware site, and we'll also need to grovel for
> the URL that's blocked, to be able to insert that into our link.

Which I think means we need the equivalent of BrowserWrapper's onXULCommand's siteURI, BW's performCommandForXULElementWithID's pageURI and (pageURI's) blockedReason.

Actually, what I really want is the URL that's constructed in BWC's reportIncorrectlyBlockedSite: (via showMalwareDiagnosticInformation, which is dead code currently; see bug 591720).

Sean or Stuart, any suggestions as to the best way to get that URL into SafeBrowsingAboutModule for part of a format string?  SBAM doesn't look like it knows about any of our window/view/tab objects at all, and probably doesn't want to :P
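
One way to build the per-site link that comment 0 and the replies above ask for, as an added example that is not Camino or Firefox code: the link is produced only for a malware block, and the blocked URL is percent-encoded into the `url` parameter in the shape of the Firefox URL quoted in comment 0. The function name, the "malware" and "phishing" reason strings, and the use of that Firefox endpoint as the base are assumptions made for illustration.

```javascript
// Added example; all names here are hypothetical, not Camino or Firefox code.
// Base taken from the Firefox "not a malware site" URL quoted in comment 0.
const REPORT_BASE = "http://en-US.malware-error.mozilla.com/";

// Returns the report link for a blocked page, or null when the overlay
// should show no link at all.
function buildMalwareReportLink(blockedReason, blockedUrl, locale) {
  // The advisory only covers malware; for a phishing block it would tell
  // the user the site is fine, so no link is produced in that case.
  if (blockedReason !== "malware") return null;

  let parsed;
  try {
    parsed = new URL(blockedUrl);
  } catch (e) {
    return null; // not an absolute URL
  }
  // Only web schemes make sense as a lookup target.
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return null;

  // Percent-encode the whole blocked URL so that its own "?", "&" and "#"
  // cannot add or override parameters of the report URL.
  return REPORT_BASE +
    "?hl=" + encodeURIComponent(locale) +
    "&url=" + encodeURIComponent(parsed.href);
}
```
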
I also thought, "hey, maybe we could do this like Firefox did their 'getMeOutButton', like a fake link, and not need any groveling for that other info"…and, we could, except once I coded it up, it looks absolutely awful :(

Because it's a button, the whole thing is underlined to look like a fake link (if we force underlining on, but then we might be out-of-sync with user prefs), and the whole thing is treated as an un-breakable unit (so it falls down to the next line), and so forth.

I tried some other variations, and either they didn't work or they looked worse (and were even grosser hacks).  I don't think faking it is a viable option.

Gah, this needed strings :-(

I'd still really like to do this--because our current UE around this sucks--if someone could answer comment 2 and the answer is there's a sane way of doing it (we could probably get a late-l10n string in for a point release like we did for 2.0.something when we got Breakpad email strings).

Flags: camino2.1?
Flags: camino2.1.1?
Flags: camino2.1-

We could make comment 3 look decent by displaying that button as a separate paragraph. Something like the below:

#view-the-report {
  -moz-appearance: none;      /* drop the native button look */
  display: block;             /* own line, so it reads as a separate paragraph */
  margin: 1em 0;
  padding: 0;
  border: none;
  background: transparent;
  color: -moz-hyperlinktext;  /* link colour */
  text-decoration: underline;
  white-space: normal;        /* let the label wrap */
}

/* there is also -moz-visitedhyperlinktext for visited link colour - don't think we need to worry */

Doesn't fix the 'respect the user pref' for the text-decoration, though. The link colour will be respected.

(Hmm removing the brackets out of that screenshot as well…)

(In reply to philippe from comment #5)
> We could make comment 3 look decent by displaying that button as a separate
> paragraph.

In English, sure; I'm not sure what it will do for more verbose languages like German.  Also it logically belongs as part of the other paragraph, and the entire text probably shouldn't all be a link.

That said, maybe it's still better than nothing…

Flags: camino2.1.2?
Flags: camino2.1.1?
Flags: camino2.1.1-

Status: NEW → RESOLVED
Closed: 10 days ago
Resolution: --- → INCOMPLETE