add a pref to control whether or not "Permanently store this exception" is checked by default

RESOLVED WONTFIX

Status

defect
RESOLVED WONTFIX
7 years ago
5 months ago

People

(Reporter: jwilk, Unassigned)

Tracking

({polish})

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [good first bug])

Reporter

Description

7 years ago
I never want to add permanent security exceptions. Unfortunately, in the "Add Security Exception" dialog, the "Permanently store this exception" checkbox is selected by default. Could you make this default configurable? I'm currently using an addon[0] to achieve the same thing, but I feel it's overkill and it should be implemented in Firefox proper. Thanks for considering.

[0] https://addons.mozilla.org/en-US/firefox/addon/y-u-no-validate/
I always manually disable the "permanent" checkbox but I understand the usability behind the decision to enable it by default. Adding yet another peference option for this would be also overkill IMO

Comment 2

6 years ago
I agree that a configurable default would be useful.

Though I think the real solution is to change the default to disable the "permanent" checkbox. Usability should not be regarded as more important than security in this case.

Comment 3

6 years ago
Note: a work-round is to use Private browsing mode.
This disables the setting and clears the checkbox.

Comment 4

4 years ago
Why is this enabled by default anyway? That seems rather unsafe.

Updated

4 years ago
Duplicate of this bug: 841700
Anne, dveditz can explain the rationale (as I have seen him do before), but I think that the main point is to remove the potential for training users to click through this sequence.  The exception process demands actual thought.  The addon is a fine solution for folks who know enough to care about this.

Permanent by default is actually OK for corporate services or your home router.

BTW, I think that I might have opened a duplicate of this bug a long time ago, I'll see if I can find it.

Comment 7

4 years ago
But if you click through you actually *do* permanently install an exception without it being clear how to undo it. At least if the checkbox was not checked by default it would be gone at the end of a session (presumably).
Agree with Anne, and I cannot understand Martin's thought process. If one is worrying about inexperienced users, as Martin seems to be, and along similar lines as other decisions in the Mozilla world, it would be logical to NOT permanently store the exception. Further, as I (at least) store exceptions for internet sites more frequently than intranet sites, the safe decision is to NOT permanently store the exceptions.

While an addon fixed this "for people who care", I am sure it is 100x more lines of code to achieve than a simple boolean check before that dialog is being displayed, if native. Given this, I am not sure in what sense "overkill" is being thought of, but it certainly isn't in the sense of code efficiency.

Updated

3 years ago
Severity: enhancement → normal
Component: Preferences → Security: UI
Keywords: polish
Product: Firefox → Core
Summary: Please make "Permanently store this exception" default configurable → "Permanently store this exception" should be unchecked by default and have a pref
Whiteboard: [good first bug]

Updated

3 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
The reason to permanently store the exception is that when this happens, the certificate is essentially pinned for that site. If the user re-visits a site with an exception, they have reasonable confidence that the certificate hasn't changed (i.e. if they trusted it once, they can continue to trust it).
Summary: "Permanently store this exception" should be unchecked by default and have a pref → add a pref to control whether or not "Permanently store this exception" is checked by default
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → WONTFIX
Product: Core → Core Graveyard

Comment 10

2 years ago
Is there a chance that the resolution will be revised? Since Firefox 57 will drop XUL, the mentioned add-on that implements this will just stop working. A hidden preference in about:config would be enough, this setting is intended only for advanced users anyway.

Updated

2 years ago
Flags: needinfo?(dkeeler)
It's unlikely. We feel the current behavior best protects users (note that when you permanently store an exception, that site is essentially pinned to that certificate, so if it changes, you'll (hopefully - see bug 399910) notice). Putting engineering effort into supporting this rare configuration is not the best use of our time.
Flags: needinfo?(dkeeler)

Comment 12

2 years ago
I would like to request an advanced (about:config) option to change the default behavior for this.  We do network device configuration by the hundreds and would like to have the option to not save.

thank you~

Comment 13

a year ago
With Firefox 57 (Quantum) the Add on https://addons.mozilla.org/en-US/firefox/addon/y-u-no-validate/versions/ no longer works. Either a replacement or a config: entry or a bug fix is needed.

Updated

a year ago
See Also: → 1414753
You need to log in before you can comment on or make changes to this bug.