Add warning to Filelink about URL guessing

RESOLVED FIXED in Thunderbird 16.0

Status

Thunderbird
FileLink
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: mconley, Assigned: mconley)

Tracking

Trunk
Thunderbird 16.0
x86
All

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(2 attachments, 4 obsolete attachments)

From the Filelink privacy review:

"We point the user at the privacy and terms of service of the providers. We also are requiring the providers not to expire files, so that the e-mail recipients don't end up with stale links.

Risk: A "surprise" may manifest itself when a user mis-forwards the message to the wrong party and the file can be downloaded by an unintended recipient. This can happen with the current set-up if a user forwards an attachment to the wrong party, and is a risk inherent in email.

An added risk of this system is that the file is publicly available and not limited in accessibility to those who can access the message itself. This is like 'security by obscurity', which is not ideal, but acceptable in this case since users know the file will be uploaded to a sharing service.

Recommendation: Make it clear to users that uploaded files will be world-readable (to members of the world who know where to find it)."
Created attachment 640226 [details]
Proposed warnings in HTML and plaintext mail

Blake:

What do you think about removing the little ad at the bottom of the set of Filelinks, and including something like this warning instead?

-Mike
Assignee: nobody → mconley
Status: NEW → ASSIGNED
Attachment #640226 - Flags: ui-review?(bwinton)
Comment on attachment 640226 [details]
Proposed warnings in HTML and plaintext mail

I kind of like the ad, and I think that this warning is being displayed to the wrong people.  My understanding is that we're trying to warn the authors of the email, not the recipients…  So, I'm going to say ui-r-.

Thanks,
Blake.
Attachment #640226 - Flags: ui-review?(bwinton) → ui-review-
Created attachment 640247 [details] [diff] [review]
Patch v1

Adds a one-time-per-composer notification once the first batch of uploads is finished, warning the user about the visibility of their files.
Attachment #640226 - Attachment is obsolete: true
Created attachment 640249 [details]
Screenshot of applied patch

Closer? How's the language?
Attachment #640249 - Flags: ui-review?(bwinton)
Comment on attachment 640249 [details]
Screenshot of applied patch

Seems good.  I would say "may be accessible _to_ people"…  Or maybe "will be accessible to people"…

But other than that, ui-r-me.
Attachment #640249 - Flags: ui-review?(bwinton) → ui-review+
Created attachment 640256 [details] [diff] [review]
Patch that gives off warning notification - includes test

Tada!
Attachment #640247 - Attachment is obsolete: true
Attachment #640256 - Flags: review?(bwinton)
Comment on attachment 640256 [details] [diff] [review]
Patch that gives off warning notification - includes test

r- due to the following:

Open a compose window.
Attach a file.
Link it.
Wait for the new notification to show up.
Close the compose window.
Open a new compose window.
Marvel at the notification that appears when there are no attachments!  ;)

(In a similar vein, I don't get notified for the second compose window if I collapse the notification on the first one.)

Tests for those would also be nice…

Thanks,
Blake.
Attachment #640256 - Flags: review?(bwinton) → review-
Created attachment 640587 [details] [diff] [review]
Patch v3

Great catches! Fixed, and added tests for those cases.
Attachment #640256 - Attachment is obsolete: true
Attachment #640587 - Flags: review?(bwinton)
Comment on attachment 640587 [details] [diff] [review]
Patch v3

Open a compose window.
Attach a file.
Convert it to an UbuntuOne link.
Look at the pretty error message.
Close the window, without saving the draft.
Open a compose window.
Attach a file.
Convert it to an UbuntuOne link.
Wonder where the pretty error message is this time…  :(
Open a compose window.
Attach a file.
Convert it to an UbuntuOne link.
Hey, there it is!  :(

Apparently I missed my calling as a tester…  ;)

Later,
Blake.
Attachment #640587 - Flags: review?(bwinton) → review-
(In reply to Blake Winton (:bwinton - Thunderbird UX) [On vacation until July 6th!] from comment #9)
> Comment on attachment 640587 [details] [diff] [review]
> Patch v3
> 
> Open a compose window.
> Attach a file.
> Convert it to an UbuntuOne link.
> Look at the pretty error message.
> Close the window, without saving the draft.
> Open a compose window.
> Attach a file.
> Convert it to an UbuntuOne link.
> Wonder where the pretty error message is this time…  :(
> Open a compose window.
> Attach a file.
> Convert it to an UbuntuOne link.
> Hey, there it is!  :(
> 
> Apparently I missed my calling as a tester…  ;)
> 
> Later,
> Blake.

Ah, figured it out. Dumb error. I'll have the fix and more test cases up soon.
Created attachment 641467 [details] [diff] [review]
Patch v4

Hey Blake - mind taking this one for a spin and seeing if you can shake anything else loose?

-Mike
Attachment #640587 - Attachment is obsolete: true
Attachment #641467 - Flags: review?(bwinton)
Comment on attachment 641467 [details] [diff] [review]
Patch v4

>+++ b/mail/locales/en-US/chrome/messenger/messengercompose/composeMsgs.properties
>@@ -361,16 +361,17 @@ bigFileHideNotification.check=Never noti
>+cloudFilePrivacyNotification=Linking is complete. Please note that linked attachments may be accessible to people who can see or guess the links.
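
Review bot: "may be accessible" in the added cloudFilePrivacyNotification string understates the exposure: the privacy review quoted at the top of this bug describes linked files as publicly available, so anyone who sees or guesses a link can download the file. Suggest "are accessible to anyone who can see or guess the links". A LOCALIZATION NOTE above the key, saying the message is shown to the author once linking completes, would also help translators keep the "guess" wording intact.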

"may be" or "will be"?

Aside from that, I like it.  r=me!  (And ui-r=me, for completeness. ;)

Thanks,
Blake.
Attachment #641467 - Flags: ui-review+
Attachment #641467 - Flags: review?(bwinton)
Attachment #641467 - Flags: review+
comm-central: https://hg.mozilla.org/comm-central/rev/736f08622ee9
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 16.0