Closed
Bug 762985
Opened 12 years ago
Closed 8 years ago
add a pref to control whether or not "Permanently store this exception" is checked by default
Categories
(Core Graveyard :: Security: UI, defect)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: jwilk, Unassigned)
References
Details
(Keywords: polish, Whiteboard: [good first bug])
I never want to add permanent security exceptions. Unfortunately, in the "Add Security Exception" dialog, the "Permanently store this exception" checkbox is selected by default. Could you make this default configurable? I'm currently using an addon[0] to achieve the same thing, but I feel it's overkill and it should be implemented in Firefox proper. Thanks for considering.
[0] https://addons.mozilla.org/en-US/firefox/addon/y-u-no-validate/
Comment 1•12 years ago
|
||
I always manually disable the "permanent" checkbox but I understand the usability behind the decision to enable it by default. Adding yet another peference option for this would be also overkill IMO
I agree that a configurable default would be useful.
Though I think the real solution is to change the default to disable the "permanent" checkbox. Usability should not be regarded as more important than security in this case.
Note: a work-round is to use Private browsing mode.
This disables the setting and clears the checkbox.
Comment 4•10 years ago
|
||
Why is this enabled by default anyway? That seems rather unsafe.
Comment 6•10 years ago
|
||
Anne, dveditz can explain the rationale (as I have seen him do before), but I think that the main point is to remove the potential for training users to click through this sequence. The exception process demands actual thought. The addon is a fine solution for folks who know enough to care about this.
Permanent by default is actually OK for corporate services or your home router.
BTW, I think that I might have opened a duplicate of this bug a long time ago, I'll see if I can find it.
Comment 7•10 years ago
|
||
But if you click through you actually *do* permanently install an exception without it being clear how to undo it. At least if the checkbox was not checked by default it would be gone at the end of a session (presumably).
Comment 8•9 years ago
|
||
Agree with Anne, and I cannot understand Martin's thought process. If one is worrying about inexperienced users, as Martin seems to be, and along similar lines as other decisions in the Mozilla world, it would be logical to NOT permanently store the exception. Further, as I (at least) store exceptions for internet sites more frequently than intranet sites, the safe decision is to NOT permanently store the exceptions.
While an addon fixed this "for people who care", I am sure it is 100x more lines of code to achieve than a simple boolean check before that dialog is being displayed, if native. Given this, I am not sure in what sense "overkill" is being thought of, but it certainly isn't in the sense of code efficiency.
Severity: enhancement → normal
Component: Preferences → Security: UI
Keywords: polish
Product: Firefox → Core
Summary: Please make "Permanently store this exception" default configurable → "Permanently store this exception" should be unchecked by default and have a pref
Whiteboard: [good first bug]
Comment 9•9 years ago
|
||
The reason to permanently store the exception is that when this happens, the certificate is essentially pinned for that site. If the user re-visits a site with an exception, they have reasonable confidence that the certificate hasn't changed (i.e. if they trusted it once, they can continue to trust it).
Summary: "Permanently store this exception" should be unchecked by default and have a pref → add a pref to control whether or not "Permanently store this exception" is checked by default
Updated•8 years ago
|
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
Assignee | ||
Updated•8 years ago
|
Product: Core → Core Graveyard
Comment 10•8 years ago
|
||
Is there a chance that the resolution will be revised? Since Firefox 57 will drop XUL, the mentioned add-on that implements this will just stop working. A hidden preference in about:config would be enough, this setting is intended only for advanced users anyway.
Comment 11•8 years ago
|
||
It's unlikely. We feel the current behavior best protects users (note that when you permanently store an exception, that site is essentially pinned to that certificate, so if it changes, you'll (hopefully - see bug 399910) notice). Putting engineering effort into supporting this rare configuration is not the best use of our time.
Flags: needinfo?(dkeeler)
Comment 12•7 years ago
|
||
I would like to request an advanced (about:config) option to change the default behavior for this. We do network device configuration by the hundreds and would like to have the option to not save.
thank you~
Comment 13•7 years ago
|
||
With Firefox 57 (Quantum) the Add on https://addons.mozilla.org/en-US/firefox/addon/y-u-no-validate/versions/ no longer works. Either a replacement or a config: entry or a bug fix is needed.
Comment 14•5 years ago
|
||
"Status: RESOLVED WONTFIX" - "won't fix" is maybe "resolved", but not "solved". Wilfully ignoring a problem does not solve it. (This holds also for the other bugs with "Status: RESOLVED WONTFIX".)
You need to log in
before you can comment on or make changes to this bug.
Description
•