Open Bug 613296 Opened 14 years ago Updated 2 years ago

Page Component Security Indicator

Categories

(Firefox :: General, enhancement)

x86
macOS
enhancement

UNCONFIRMED

People

(Reporter: albert.freeman, Unassigned)

Details

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; en-us) AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5
Build Identifier: 

Currently, there is no way (that I know of) to indicate to the user that various components utilizing AJAX within a page are secure/insecure.

Need a component that can indicate to the user which underlying scripts are using http/https, perhaps as a flyout from the lock icon. Scripts would need some sort of method of identifying themselves to the browser to give the user a friendlier name than callServerMethodByHTTPSFn.

On page load, if there were mixed components, the lock would flash and allow the user to investigate further, but other than that, no action to prevent action would be taken, barring serious error or information mismatch.

Reproducible: Always

Steps to Reproduce:
n/a
Actual Results:  
n/a

Expected Results:  
n/a

There needs to be a function whereby scripts can identify themselves to the browser, perhaps only the portion that uses HTTPRequest. That is, the programmer makes a call like identifySelf(name:'Grab Info',url:'https://server.blah'). Scripts that choose not to identify themselves would show up as the filename loaded (either the web page or the filename from the js source tag).

The https:// portion would be parsed out and if that function is used, then verified by the browser that it is actually using https. The lock icon would trigger again and show notification (perhaps a timed flyout) if there was some sort of programmatic change to the comms method of that function that caused a mismatch between the registered url and the actual url called.

As it stands now, it is entirely possible to load a page through http, but JavaScript components of the page may load and/or utilize https to communicate securely, hidden from the user's knowledge. They don't trigger the mixed-mode warning because that is mostly limited to visible elements.
This shows an example of the Registered Component Flyout as described in #613296.
Severity: normal → S3
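
A sketch of the registration and verification check the report proposes, added here as an illustration; it is not code from the bug or from Firefox. `identifySelf` and `https://server.blah` come from the report; `ComponentRegistry`, `observeRequest`, `summary`, the script paths and `example.test` are assumptions constructed for the example.

```javascript
// Added illustration. identifySelf is the name proposed in the report;
// ComponentRegistry, observeRequest and summary are hypothetical.
class ComponentRegistry {
  constructor(pageUrl) {
    this.page = new URL(pageUrl);
    this.components = new Map(); // script src -> { name, registered URL }
    this.events = [];
  }
  // A script declares a friendly name and the endpoint it will talk to.
  identifySelf(scriptSrc, { name, url }) {
    this.components.set(scriptSrc, { name, registered: new URL(url, this.page) });
  }
  // Hypothetical hook: called at the point where the real request URL is known.
  observeRequest(scriptSrc, requestUrl) {
    const actual = new URL(requestUrl, this.page);
    const entry = this.components.get(scriptSrc);
    // Unregistered scripts show up under their file name.
    const label = entry ? entry.name : scriptSrc.split('/').pop();
    const secure = actual.protocol === 'https:';
    let status = secure ? 'secure' : 'insecure';
    // Mismatch: registered scheme or host differs from what was actually called.
    const reg = entry && entry.registered;
    if (reg && (reg.protocol !== actual.protocol || reg.host !== actual.host)) {
      status = 'mismatch';
    }
    const event = { label, url: actual.href, secure, status };
    this.events.push(event);
    return event;
  }
  // Data for the lock icon: flash on mixed components, notify on mismatch.
  summary() {
    const kinds = new Set(this.events.map((e) => e.secure));
    kinds.add(this.page.protocol === 'https:');
    return {
      mixed: kinds.size > 1,
      alert: this.events.some((e) => e.status === 'mismatch'),
      rows: this.events.map((e) => `${e.label}: ${e.status}`),
    };
  }
}

// Constructed sample: an http page whose scripts use both schemes.
function demo() {
  const reg = new ComponentRegistry('http://example.test/index.html');
  reg.identifySelf('/js/grab.js', { name: 'Grab Info', url: 'https://server.blah' });
  reg.observeRequest('/js/grab.js', 'https://server.blah/info');
  reg.observeRequest('/js/grab.js', 'http://server.blah/info');
  reg.observeRequest('/js/stats.js', '/ping');
  return reg.summary();
}
```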