Turn SSL-related warning prompts into notifications

RESOLVED FIXED in seamonkey2.17

Status

SeaMonkey
Security
RESOLVED FIXED
5 years ago
4 years ago

People

(Reporter: neil@parkwaycc.co.uk, Assigned: neil@parkwaycc.co.uk)

Tracking

Trunk
seamonkey2.17

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment, 1 obsolete attachment)

5.45 KB, patch
Ian Neal
: review+
(Assignee)

Description

5 years ago
The following warning prompts were moved from the back end to the front end via bug 799009 and bug 810673. We should turn some of them into notifications:

1. You have entered a secure site
2. You have left a secure site
3. You are viewing a site with mixed content.
(Assignee)

Comment 1

5 years ago
Created attachment 687570
Draft patch

Known issues:
* The enter insecure message is wrong
* There is no checkbox since the notifications are disabled by default
* There are no doorhangers yet
Assignee: nobody → neil
Status: NEW → ASSIGNED
Attachment #687570 - Flags: feedback?
(Assignee)

Updated

5 years ago
Attachment #687570 - Flags: feedback?(philip.chee)
Attachment #687570 - Flags: feedback?(jh)
Attachment #687570 - Flags: feedback?(iann_bugzilla)
Attachment #687570 - Flags: feedback?(bugzilla)
Attachment #687570 - Flags: feedback?
(Assignee)

Comment 2

5 years ago
Actually doorhangers might not make sense here anyway.

Comment 3

Comment on attachment 687570
Draft patch

Should the notification bar actually disappear again automatically? Here the notification bar seems to stick around forever (except when I close it :).
Also I think the wording of the leaving secure page notification should be changed as it says: "You are about to leave an encrypted page". When the user sees that message, he/she has already left the page.
Attachment #687570 - Flags: feedback?(bugzilla) → feedback-

Comment 4

Oh, I see you already mentioned the leaving secure page thing in Comment 1.
(Assignee)

Comment 5

5 years ago
(In reply to Frank Wein from comment #3)
> Should the notification bar actually disappear again automatically? Here the
> notification bar seems to stick around forever (except when I close it :).
In case of redirects, I made it disappear after three page loads (assuming the security status doesn't change in the meantime).

Comment 6

5 years ago
Comment on attachment 687570
Draft patch

OK, aside from known issues, this works as intended. f+=me
Attachment #687570 - Flags: feedback?(philip.chee) → feedback+

Updated

5 years ago
Blocks: 300086

Comment 7

Comment on attachment 687570
Draft patch

Unobtrusive alerts are certainly better than modal ones (esp. since unlike FF we don't have per-tab modal ones), so f=me with the known issues and below addressed.

1. I feel that three redirects is too much. One ideally, but if you can explain to me why you want to have more, maybe two. Three definitely felt like "this is not going to go away automatically" to me when I tried it myself.

2. I wonder whether we should put an exclamation mark at the end of the mixed content warning. Otherwise it looks too much like "bla bla bla this is just FYI, feel free to ignore it." to me.
Attachment #687570 - Flags: feedback?(jh) → feedback+

Comment 8

5 years ago
Comment on attachment 687570
Draft patch

f=me
The only issue that I had was the notification does not disappear when you click back on the browser history.
Attachment #687570 - Flags: feedback?(iann_bugzilla) → feedback+
(Assignee)

Comment 9

5 years ago
(In reply to comment #1)
> Known issues:
> * The enter insecure message is wrong
Suggested replacement text:
You have left an encrypted page. Information you send or receive from now on could easily be read by a third party.

> * There is no checkbox since the notifications are disabled by default
> * There are no doorhangers yet
Actually I'm not sure we need either of these.

(In reply to Jens Hatlak from comment #7)
> 1. I feel that three redirects is too much. One ideally, but if you can
> explain to me why you want to have more, maybe two. Three definitely felt
> like "this is not going to go away automatically" to me when I tried it
> myself.
Latest idea is first page change at least 20 seconds after the security change. This is the same as the lightweight theme notifications. Does that sound OK to you?

> 2. I wonder whether we should put an exclamation mark at the end of the
> mixed content warning. Otherwise it looks too much like "bla bla bla this is
> just FYI, feel free to ignore it." to me.
Perhaps giving the different notifications different importance levels would help (secure - info; insecure - warn; mixed - critical? see toolkit's notification.xml for a full list). It would make switching notifications more intrusive, which might be a good thing.

(In reply to Ian Neal from comment #8)
> The only issue that I had was the notification does not disappear when you
> click back on the browser history.
Ah yes, I don't remove the old notification correctly if the new one has been disabled. Good catch. In fact, this would make it easier to provide separate importance for different notifications.
Flags: needinfo?(jh)

Comment 10

(In reply to neil@parkwaycc.co.uk from comment #9)
> (In reply to Jens Hatlak from comment #7)
> > 1. I feel that three redirects is too much. One ideally, but if you can
> > explain to me why you want to have more, maybe two. Three definitely felt
> > like "this is not going to go away automatically" to me when I tried it
> > myself.
> Latest idea is first page change at least 20 seconds after the security
> change. This is the same as the lightweight theme notifications. Does that
> sound OK to you?

Hmm, not if this would be the only condition.

My use case is this:
1. User was browsing insecure sites.
2. User enters secure site (e.g. using the location bar) containing a login form.
3. User submits form to enter secure site.

By this time I expect the "entering secure site" warning to go away automatically; at most one click later. Not 20 seconds later, which feels more like "incidentally" in this context.

> > 2. I wonder whether we should put an exclamation mark at the end of the
> > mixed content warning. Otherwise it looks too much like "bla bla bla this is
> > just FYI, feel free to ignore it." to me.
> Perhaps giving the different notifications different importance levels would
> help (secure - info; insecure - warn; mixed - critical?

Good idea, agreed.
Flags: needinfo?(jh)
(Assignee)

Comment 11

5 years ago
(In reply to Jens Hatlak from comment #10)
> My use case is this:
> 1. User was browsing insecure sites.
> 2. User enters secure site (e.g. using the location bar) containing a login
> form.
> 3. User submits form to enter secure site.
> 
> By this time I expect the "entering secure site" warning to go away
> automatically; at most one click later. Not 20 seconds later, which feels
> more like "incidentally" in this context.

Well, there are a couple of cases:

a. User enters secure site containing a login form
b. User takes 20 seconds to submit form (including waiting for server to respond)
In this case, the warning will go away at step b.

a. User enters secure site containing a login form
b. After 10 seconds user has logged in
c. After another 10 seconds user navigates to another secure page
In this case the warning goes away at step c.

Of course what I want to avoid is this:
a. User enters secure site to log in
b. Site redirects from home page to login page
c. Warning goes away by mistake.
(Assignee)

Comment 12

5 years ago
(In reply to Jens Hatlak from comment #10)
> (In reply to neil@parkwaycc.co.uk from comment #9)
> > Perhaps giving the different notifications different importance levels would
> > help (secure - info; insecure - warn; mixed - critical?
> 
> Good idea, agreed.

Well, unless anyone suggests a preference, I guess it's down to me to choose exactly which of the nine priority levels to assign to the three notifications...
(Assignee)

Comment 13

5 years ago
Created attachment 695670
Possible patch
Attachment #687570 - Attachment is obsolete: true
Attachment #695670 - Flags: review?(iann_bugzilla)

Comment 14

(In reply to neil@parkwaycc.co.uk from comment #11)
> Of course what I want to avoid is this:
> a. User enters secure site to log in
> b. Site redirects from home page to login page
> c. Warning goes away by mistake.

Agreed. I saw this, too, so I thought we could settle on a two-click/redirect limit (in addition to the 20sec limit you suggested).
Version: unspecified → Trunk
(Assignee)

Comment 15

5 years ago
(In reply to Jens Hatlak from comment #14)
> I thought we could settle on a two-click/redirect limit
> (in addition to the 20sec limit you suggested).

Here's what the latest patch actually does:
1. The security state changes
2. The next click or redirect is ignored, whether it happens before or after 20sec
3. Any further clicks or redirects before 20sec are ignored
4. Any further click or redirect closes the notification

I could easily be persuaded to remove step 2 before checkin.
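
The four rules listed in comment 15, as an added example (not part of this bug or of the SeaMonkey patch): a small state machine that decides whether a click or redirect closes the notification bar. The class, function and constant names are hypothetical, and the importance levels are the ones suggested, not finalized, in comment 9.

```javascript
// Added illustration of the dismissal rules from comment 15.
// All names here are hypothetical; this is not SeaMonkey code.
const GRACE_MS = 20 * 1000; // the 20-second window from the discussion

// Importance levels as suggested (with a question mark) in comment 9.
const SUGGESTED_LEVEL = { secure: "info", insecure: "warn", mixed: "critical" };

class SecurityNotification {
  constructor(kind, shownAt) {
    this.kind = kind;                   // "secure" | "insecure" | "mixed"
    this.level = SUGGESTED_LEVEL[kind];
    this.shownAt = shownAt;             // ms timestamp of the security state change (rule 1)
    this.navigations = 0;               // clicks or redirects seen since then
    this.open = true;
  }

  // Call on every click or redirect; returns true while the bar stays open.
  onNavigation(now) {
    if (!this.open) return false;
    this.navigations += 1;
    // Rule 2: the first click or redirect is ignored, before or after 20 s.
    if (this.navigations === 1) return true;
    // Rule 3: further clicks or redirects inside the 20 s window are ignored.
    if (now - this.shownAt < GRACE_MS) return true;
    // Rule 4: any later click or redirect closes the notification.
    this.open = false;
    return false;
  }
}

// Replays constructed navigation times (ms after the security state change)
// and returns the index of the navigation that closed the bar, or -1 if the
// bar is still open after the last one.
function closingNavigation(kind, times) {
  const bar = new SecurityNotification(kind, 0);
  for (let i = 0; i < times.length; i++) {
    if (!bar.onNavigation(times[i])) return i;
  }
  return -1;
}
```

With these rules the redirect case from comment 11 (home page to login page right after entering a secure site) leaves the bar open, while a slow first click followed by any second navigation after 20 seconds closes it.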

Comment 16

4 years ago
Comment on attachment 695670
Possible patch

r=me though I cannot get redirect/next click ignore to work before or after 20 seconds.
Attachment #695670 - Flags: review?(iann_bugzilla) → review+
(Assignee)

Comment 17

4 years ago
Pushed comm-central changeset 76552c3680b5.
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED

Updated

4 years ago
Target Milestone: --- → seamonkey2.18

Comment 18

4 years ago
Looks like this one made it before the merge.
Target Milestone: seamonkey2.18 → seamonkey2.17
(Assignee)

Updated

4 years ago
Blocks: 853268

Updated

4 years ago
Depends on: 919347