Bug 817441 - Turn SSL-related warning prompts into notifications
Status: RESOLVED FIXED
Product: SeaMonkey
Classification: Client Software
Component: Security
Version: Trunk
Platform: All All
Importance: -- normal
Target Milestone: seamonkey2.17
Assigned To: neil@parkwaycc.co.uk
Depends on: 810673 919347
Blocks: 300086 853268
Reported: 2012-12-02 14:39 PST by neil@parkwaycc.co.uk
Modified: 2013-09-22 16:38 PDT


Attachments
Draft patch (1.66 KB, patch)
2012-12-02 14:42 PST, neil@parkwaycc.co.uk
jh: feedback+
bugzilla: feedback-
philip.chee: feedback+
iann_bugzilla: feedback+
Possible patch (5.45 KB, patch)
2012-12-25 14:11 PST, neil@parkwaycc.co.uk
iann_bugzilla: review+

Description neil@parkwaycc.co.uk 2012-12-02 14:39:08 PST
The following warning prompts were moved from the back end to the front end via bug 799009 and bug 810673. We should turn some of them into notifications:

1. You have entered a secure site
2. You have left a secure site
3. You are viewing a site with mixed content.
Comment 1 neil@parkwaycc.co.uk 2012-12-02 14:42:15 PST
Created attachment 687570
Draft patch

Known issues:
* The enter insecure message is wrong
* There is no checkbox since the notifications are disabled by default
* There are no doorhangers yet
Comment 2 neil@parkwaycc.co.uk 2012-12-09 16:59:40 PST
Actually doorhangers might not make sense here anyway.
Comment 3 Frank Wein [:mcsmurf] 2012-12-11 12:01:21 PST
Comment on attachment 687570
Draft patch

Should the notification bar actually disappear again automatically? Here the notification bar seems to stick around forever (except when I close it :).
Also I think the wording of the leaving secure page notification should be changed as it says: "You are about to leave an encrypted page". When the user sees that message, he/she has already left the page.
Comment 4 Frank Wein [:mcsmurf] 2012-12-11 12:03:51 PST
Oh, I see you already mentioned the leaving secure page thing in Comment 1..
Comment 5 neil@parkwaycc.co.uk 2012-12-11 16:08:44 PST
(In reply to Frank Wein from comment #3)
> Should the notification bar actually disappear again automatically? Here the
> notification bar seems to stick around forever (except when I close it :).
In case of redirects, I made it disappear after three page loads (assuming the security status doesn't change in the meantime).
Comment 6 Philip Chee 2012-12-13 05:27:28 PST
Comment on attachment 687570
Draft patch

OK, aside from known issues, this works as intended. f+=me
Comment 7 Jens Hatlak (:InvisibleSmiley) 2012-12-23 11:43:12 PST
Comment on attachment 687570
Draft patch

Unobtrusive alerts are certainly better than modal ones (esp. since unlike FF we don't have per-tab modal ones), so f=me with the known issues and below addressed.

1. I feel that three redirects is too much. One ideally, but if you can explain to me why you want to have more, maybe two. Three definitely felt like "this is not going to go away automatically" to me when I tried it myself.

2. I wonder whether we should put an exclamation mark at the end of the mixed content warning. Otherwise it looks too much like "bla bla bla this is just FYI, feel free to ignore it." to me.
Comment 8 Ian Neal 2012-12-23 12:04:46 PST
Comment on attachment 687570
Draft patch

f=me
The only issue that I had was the notification does not disappear when you click back on the browser history.
Comment 9 neil@parkwaycc.co.uk 2012-12-24 17:10:48 PST
(In reply to comment #1)
> Known issues:
> * The enter insecure message is wrong
Suggested replacement text:
You have left an encrypted page. Information you send or receive from now on could easily be read by a third party.

> * There is no checkbox since the notifications are disabled by default
> * There are no doorhangers yet
Actually I'm not sure we need either of these.

(In reply to Jens Hatlak from comment #7)
> 1. I feel that three redirects is too much. One ideally, but if you can
> explain to me why you want to have more, maybe two. Three definitely felt
> like "this is not going to go away automatically" to me when I tried it
> myself.
Latest idea is first page change at least 20 seconds after the security change. This is the same as the lightweight theme notifications. Does that sound OK to you?

> 2. I wonder whether we should put an exclamation mark at the end of the
> mixed content warning. Otherwise it looks too much like "bla bla bla this is
> just FYI, feel free to ignore it." to me.
Perhaps giving the different notifications different importance levels would help (secure - info; insecure - warn; mixed - critical? see toolkit's notification.xml for a full list). It would make switching notifications more intrusive, which might be a good thing.

(In reply to Ian Neal from comment #8)
> The only issue that I had was the notification does not disappear when you
> click back on the browser history.
Ah yes, I don't remove the old notification correctly if the new one has been disabled. Good catch. In fact, this would make it easier to provide separate importance for different notifications.
Comment 10 Jens Hatlak (:InvisibleSmiley) 2012-12-25 07:23:17 PST
(In reply to neil@parkwaycc.co.uk from comment #9)
> (In reply to Jens Hatlak from comment #7)
> > 1. I feel that three redirects is too much. One ideally, but if you can
> > explain to me why you want to have more, maybe two. Three definitely felt
> > like "this is not going to go away automatically" to me when I tried it
> > myself.
> Latest idea is first page change at least 20 seconds after the security
> change. This is the same as the lightweight theme notifications. Does that
> sound OK to you?

Hmm, not if this would be the only condition.

My use case is this:
1. User was browsing insecure sites.
2. User enters secure site (e.g. using the location bar) containing a login form.
3. User submits form to enter secure site.

By this time I expect the "entering secure site" warning to go away automatically; at most one click later. Not 20 seconds later, which feels more like "incidentally" in this context.

> > 2. I wonder whether we should put an exclamation mark at the end of the
> > mixed content warning. Otherwise it looks too much like "bla bla bla this is
> > just FYI, feel free to ignore it." to me.
> Perhaps giving the different notifications different importance levels would
> help (secure - info; insecure - warn; mixed - critical?

Good idea, agreed.
Comment 11 neil@parkwaycc.co.uk 2012-12-25 12:46:03 PST
(In reply to Jens Hatlak from comment #10)
> My use case is this:
> 1. User was browsing insecure sites.
> 2. User enters secure site (e.g. using the location bar) containing a login
> form.
> 3. User submits form to enter secure site.
> 
> By this time I expect the "entering secure site" warning to go away
> automatically; at most one click later. Not 20 seconds later, which feels
> more like "incidentally" in this context.

Well, there are a couple of cases:

a. User enters secure site containing a login form
b. User takes 20 seconds to submit form (including waiting for server to respond)
In this case, the warning will go away at step b.

a. User enters secure site containing a login form
b. After 10 seconds user has logged in
c. After another 10 seconds user navigates to another secure page
In this case the warning goes away at step c.

Of course what I want to avoid is this:
a. User enters secure site to log in
b. Site redirects from home page to login page
c. Warning goes away by mistake.
Comment 12 neil@parkwaycc.co.uk 2012-12-25 12:48:50 PST
(In reply to Jens Hatlak from comment #10)
> (In reply to neil@parkwaycc.co.uk from comment #9)
> > Perhaps giving the different notifications different importance levels would
> > help (secure - info; insecure - warn; mixed - critical?
> 
> Good idea, agreed.

Well, unless anyone suggests a preference, I guess it's down to me to choose exactly which of the nine priority levels to assign to the three notifications...
Comment 13 neil@parkwaycc.co.uk 2012-12-25 14:11:26 PST
Created attachment 695670
Possible patch
Comment 14 Jens Hatlak (:InvisibleSmiley) 2012-12-26 03:00:15 PST
(In reply to neil@parkwaycc.co.uk from comment #11)
> Of course what I want to avoid is this:
> a. User enters secure site to log in
> b. Site redirects from home page to login page
> c. Warning goes away by mistake.

Agreed. I saw this, too, so I thought we could settle on a two-click/redirect limit (in addition to the 20sec limit you suggested).
Comment 15 neil@parkwaycc.co.uk 2012-12-26 03:36:46 PST
(In reply to Jens Hatlak from comment #14)
> I thought we could settle on a two-click/redirect limit
> (in addition to the 20sec limit you suggested).

Here's what the latest patch actually does:
1. The security state changes
2. The next click or redirect is ignored, whether it happens before or after 20sec
3. Any further clicks or redirects before 20sec are ignored
4. Any further click or redirect closes the notification

I could easily be persuaded to remove step 2 before checkin.
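
The dismissal rule listed in comment 15, modelled as a small standalone state machine. This is an added example, not code from the attached patch or from SeaMonkey; `SecurityNotification`, `onNavigation`, `replay` and `GRACE_MS` are hypothetical names, and timestamps are passed in explicitly so that constructed timelines can be replayed.

```javascript
// Added illustration of the rule in comment 15; all names are hypothetical.
const GRACE_MS = 20 * 1000; // the 20-second limit discussed in the bug

class SecurityNotification {
  // kind: "secure", "insecure" or "mixed"; now: ms timestamp of the
  // security state change (step 1); skipFirst: whether step 2 applies.
  constructor(kind, now, skipFirst = true) {
    this.kind = kind;
    this.expires = now + GRACE_MS;        // earlier navigations never dismiss
    this.persistence = skipFirst ? 1 : 0; // navigations to ignore outright
    this.open = true;
  }

  // Call once per click-driven page load or redirect.
  // Returns true while the notification bar should stay visible.
  onNavigation(now) {
    if (!this.open) return false;
    if (this.persistence > 0) {
      this.persistence--;                 // step 2: ignored, before or after 20s
    } else if (now >= this.expires) {
      this.open = false;                  // step 4: first later navigation closes it
    }                                     // otherwise step 3: still inside 20s
    return this.open;
  }
}

// Replay a constructed timeline: navigation times in ms since the state change.
function replay(times, skipFirst = true) {
  const n = new SecurityNotification("secure", 0, skipFirst);
  return times.map((t) => n.onNavigation(t));
}

// Constructed timelines:
// redirect to a login page at 1s, form submitted at 8s: bar survives both
console.log(replay([1000, 8000]));
// slow login at 25s is absorbed by step 2, next page at 30s closes the bar
console.log(replay([25000, 30000]));
// same slow login with step 2 removed: the bar closes on the login itself
console.log(replay([25000], false));
```

Passing `skipFirst = false` shows the variant with step 2 removed, which is the change the comment says could be made before checkin.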
Comment 16 Ian Neal 2013-01-07 08:13:55 PST
Comment on attachment 695670
Possible patch

r=me though I cannot get redirect/next click ignore to work before or after 20 seconds.
Comment 17 neil@parkwaycc.co.uk 2013-01-07 09:26:45 PST
Pushed comm-central changeset 76552c3680b5.
Comment 18 Stefan [:stefanh] (away until May 28) 2013-01-08 08:33:02 PST
Looks like this one made it before the merge.
