Closed Bug 817441 Opened 13 years ago Closed 13 years ago

Turn SSL-related warning prompts into notifications

Categories

(SeaMonkey :: Security, defect)

Type: defect, Priority: Not set, Severity: normal

Tracking

(Not tracked)

RESOLVED FIXED
seamonkey2.17

People

(Reporter: neil, Assigned: neil)

Attachments

(1 file, 1 obsolete file)

5.45 KB, patch (iannbugzilla: review+)
The following warning prompts were moved from the back end to the front end via bug 799009 and bug 810673. We should turn some of them into notifications:
1. You have entered a secure site
2. You have left a secure site
3. You are viewing a site with mixed content.
Attached patch: Draft patch (obsolete)
Known issues:
* The enter insecure message is wrong
* There is no checkbox since the notifications are disabled by default
* There are no doorhangers yet
Assignee: nobody → neil
Status: NEW → ASSIGNED
Attachment #687570 - Flags: feedback?
Attachment #687570 - Flags: feedback?(philip.chee)
Attachment #687570 - Flags: feedback?(jh)
Attachment #687570 - Flags: feedback?(iann_bugzilla)
Attachment #687570 - Flags: feedback?(bugzilla)
Attachment #687570 - Flags: feedback?
Actually doorhangers might not make sense here anyway.
Comment on attachment 687570: Draft patch
Should the notification bar actually disappear again automatically? Here the notification bar seems to stick around forever (except when I close it :). Also I think the wording of the leaving secure page notification should be changed as it says: "You are about to leave an encrypted page". When the user sees that message, he/she has already left the page.
Attachment #687570 - Flags: feedback?(bugzilla) → feedback-
Oh, I see you already mentioned the leaving secure page thing in Comment 1..
(In reply to Frank Wein from comment #3)
> Should the notification bar actually disappear again automatically? Here the
> notification bar seems to stick around forever (except when I close it :).
In case of redirects, I made it disappear after three page loads (assuming the security status doesn't change in the meantime).
Comment on attachment 687570: Draft patch
OK, aside from known issues, this works as intended. f+=me
Attachment #687570 - Flags: feedback?(philip.chee) → feedback+
Blocks: 300086
Comment on attachment 687570: Draft patch
Unobtrusive alerts are certainly better than modal ones (esp. since unlike FF we don't have per-tab modal ones), so f=me with the known issues and below addressed.
1. I feel that three redirects is too much. One ideally, but if you can explain to me why you want to have more, maybe two. Three definitely felt like "this is not going to go away automatically" to me when I tried it myself.
2. I wonder whether we should put an exclamation mark at the end of the mixed content warning. Otherwise it looks too much like "bla bla bla this is just FYI, feel free to ignore it." to me.
Attachment #687570 - Flags: feedback?(jh) → feedback+
Comment on attachment 687570: Draft patch
f=me
The only issue that I had was the notification does not disappear when you click back on the browser history.
Attachment #687570 - Flags: feedback?(iann_bugzilla) → feedback+
(In reply to comment #1)
> Known issues:
> * The enter insecure message is wrong
Suggested replacement text: You have left an encrypted page. Information you send or receive from now on could easily be read by a third party.
> * There is no checkbox since the notifications are disabled by default
> * There are no doorhangers yet
Actually I'm not sure we need either of these.
(In reply to Jens Hatlak from comment #7)
> 1. I feel that three redirects is too much. One ideally, but if you can
> explain to me why you want to have more, maybe two. Three definitely felt
> like "this is not going to go away automatically" to me when I tried it
> myself.
Latest idea is first page change at least 20 seconds after the security change. This is the same as the lightweight theme notifications. Does that sound OK to you?
> 2. I wonder whether we should put an exclamation mark at the end of the
> mixed content warning. Otherwise it looks too much like "bla bla bla this is
> just FYI, feel free to ignore it." to me.
Perhaps giving the different notifications different importance levels would help (secure - info; insecure - warn; mixed - critical? see toolkit's notification.xml for a full list). It would make switching notifications more intrusive, which might be a good thing.
(In reply to Ian Neal from comment #8)
> The only issue that I had was the notification does not disappear when you
> click back on the browser history.
Ah yes, I don't remove the old notification correctly if the new one has been disabled. Good catch. In fact, this would make it easier to provide separate importance for different notifications.
Flags: needinfo?(jh)
(In reply to neil@parkwaycc.co.uk from comment #9)
> (In reply to Jens Hatlak from comment #7)
> > 1. I feel that three redirects is too much. One ideally, but if you can
> > explain to me why you want to have more, maybe two. Three definitely felt
> > like "this is not going to go away automatically" to me when I tried it
> > myself.
> Latest idea is first page change at least 20 seconds after the security
> change. This is the same as the lightweight theme notifications. Does that
> sound OK to you?
Hmm, not if this would be the only condition. My use case is this:
1. User was browsing insecure sites.
2. User enters secure site (e.g. using the location bar) containing a login form.
3. User submits form to enter secure site.
By this time I expect the "entering secure site" warning to go away automatically; at most one click later. Not 20 seconds later, which feels more like "incidentally" in this context.
> > 2. I wonder whether we should put an exclamation mark at the end of the
> > mixed content warning. Otherwise it looks too much like "bla bla bla this is
> > just FYI, feel free to ignore it." to me.
> Perhaps giving the different notifications different importance levels would
> help (secure - info; insecure - warn; mixed - critical?
Good idea, agreed.
Flags: needinfo?(jh)
(In reply to Jens Hatlak from comment #10)
> My use case is this:
> 1. User was browsing insecure sites.
> 2. User enters secure site (e.g. using the location bar) containing a login
> form.
> 3. User submits form to enter secure site.
>
> By this time I expect the "entering secure site" warning to go away
> automatically; at most one click later. Not 20 seconds later, which feels
> more like "incidentally" in this context.
Well, there are a couple of cases:

a. User enters secure site containing a login form
b. User takes 20 seconds to submit form (including waiting for server to respond)
In this case, the warning will go away at step b.

a. User enters secure site containing a login form
b. After 10 seconds user has logged in
c. After another 10 seconds user navigates to another secure page
In this case the warning goes away at step c.

Of course what I want to avoid is this:
a. User enters secure site to log in
b. Site redirects from home page to login page
c. Warning goes away by mistake.
(In reply to Jens Hatlak from comment #10)
> (In reply to neil@parkwaycc.co.uk from comment #9)
> > Perhaps giving the different notifications different importance levels would
> > help (secure - info; insecure - warn; mixed - critical?
>
> Good idea, agreed.
Well, unless anyone suggests a preference, I guess it's down to me to choose exactly which of the nine priority levels to assign to the three notifications...
Attached patch: Possible patch
Attachment #687570 - Attachment is obsolete: true
Attachment #695670 - Flags: review?(iann_bugzilla)
(In reply to neil@parkwaycc.co.uk from comment #11)
> Of course what I want to avoid is this:
> a. User enters secure site to log in
> b. Site redirects from home page to login page
> c. Warning goes away by mistake.
Agreed. I saw this, too, so I thought we could settle on a two-click/redirect limit (in addition to the 20sec limit you suggested).
Version: unspecified → Trunk
(In reply to Jens Hatlak from comment #14)
> I thought we could settle on a two-click/redirect limit
> (in addition to the 20sec limit you suggested).
Here's what the latest patch actually does:
1. The security state changes
2. The next click or redirect is ignored, whether it happens before or after 20sec
3. Any further clicks or redirects before 20sec are ignored
4. Any further click or redirect closes the notification
I could easily be persuaded to remove step 2 before checkin.
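The four-step dismissal rule in the comment above, together with the stale-notification fix noted earlier in the thread, modeled as an added example (not the patch's code and not posted by any participant). The class and function names, the importance-level strings and the timeline are assumptions made for illustration.

```javascript
// Added example: a model of the dismissal rule described in the thread.
// All names are hypothetical; this is not the SeaMonkey patch.
const MIN_VISIBLE_MS = 20 * 1000; // the 20 second limit discussed in the thread

// Importance levels as floated in the thread (secure - info, insecure - warn,
// mixed - critical); the levels the patch finally used are not on this page.
const LEVELS = { secure: "info", insecure: "warn", mixed: "critical" };

class SecurityNoticeModel {
  constructor(enabledKinds) {
    this.enabled = new Set(enabledKinds);
    this.notice = null; // currently displayed notification, if any
  }

  // Step 1: the security state changes. The old notification is always
  // dropped, even when the new kind is disabled, so a stale bar cannot
  // survive a history "back" into a state that shows no notification.
  onSecurityChange(kind, nowMs) {
    this.notice = this.enabled.has(kind)
      ? { kind, level: LEVELS[kind], shownAt: nowMs, navigations: 0 }
      : null;
    return this.notice;
  }

  // Called for each later click or redirect that leaves the state unchanged.
  // Returns true when this navigation closes the notification.
  onNavigation(nowMs) {
    const n = this.notice;
    if (!n) return false;
    n.navigations += 1;
    if (n.navigations === 1) return false;                // step 2
    if (nowMs - n.shownAt < MIN_VISIBLE_MS) return false; // step 3
    this.notice = null;                                   // step 4
    return true;
  }
}

// Constructed timeline: the home page redirects to a login page, the user
// logs in after 10 s, then opens another secure page 25 s after the change.
function replayLoginFlow() {
  const model = new SecurityNoticeModel(["secure", "mixed"]);
  model.onSecurityChange("secure", 0);
  return [500, 10000, 25000].map((t) => model.onNavigation(t));
}
```
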
Comment on attachment 695670: Possible patch
r=me though I cannot get redirect/next click ignore to work before or after 20 seconds.
Attachment #695670 - Flags: review?(iann_bugzilla) → review+
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → seamonkey2.18
Looks like this one made it before the merge.
Target Milestone: seamonkey2.18 → seamonkey2.17
Blocks: 853268
Depends on: 919347