Closed
Bug 838359
Opened 12 years ago
Closed 12 years ago
There's no obvious (to users) reason why we're showing yellow-triangle-with-exclamation-point vs. globe, for mixed-content sites
Categories
(Firefox :: Security, defect)
Tracking
()
VERIFIED
FIXED
Firefox 21
| Tracking | Status | |
|---|---|---|
| firefox20 | --- | unaffected |
| firefox21 | + | verified |
People
(Reporter: dholbert, Assigned: tanvi)
References
(Blocks 1 open bug)
Details
(Keywords: regression)
Attachments
(3 files)
screenshot of UI w/ globe
STR: 1. Load these two URLs in different tabs or windows: https://blog.mozilla.org/blog/2013/01/29/mozilla-firefox-flicks-global-video-competition-returns/ https://blog.mozilla.org/blog/2013/01/28/privacy-day-2013/ 2. Compare their favicons. ACTUAL RESULTS: The flicks blog entry shows a yellow exclamation point favicon. The privacy day blog entry shows a globe favicon. EXPECTED RESULTS: They should be consistent. (Both sites have mixed content, so it makes sense that they don't show a lock; but there's no clear reason why one should additionally show a scary exclamation sign and the other should not.)
|
Reporter | |
Comment 1•12 years ago
|
||
Mozilla/5.0 (X11; Linux x86_64; rv:21.0) Gecko/20130205 Firefox/21.0
|
|
Reporter | |
Comment 2•12 years ago
|
||
bsmith tells me (and looking at the neterror page confirms) that we show the exclamation point UI when we've got mixed _active_ content (e.g. scripts) whereas we show the globe if we've got mixed _display_ content (e.g. images). So that explains the distinction.
|
|
Reporter | |
Comment 3•12 years ago
|
||
|
|
Reporter | |
Comment 4•12 years ago
|
||
|
|
Reporter | |
Comment 5•12 years ago
|
||
So now that I understand comment 2 -- I think my only gripe here is that the current UI doesn't really help users learn what's going on. As shown in the two screenshots I just attached, the warning popup is identical for globe vs. yellow-triangle. (Both just say that the connection is "only partially encrypted".) There's no extra information about what's extra-bad in the the mixed _active_ content situation.
|
|
Reporter | |
Updated•12 years ago
|
Summary: Exclamation point UI is inconsistently shown, for mixed-content sites → There's no obvious (to users) reason why we're showing yellow-triangle-with-exclamation-point vs. globe, for mixed-content sites
|
||
Comment 7•12 years ago
|
||
The problem is that we always change the icon to the triangle when we we load mixed active content, even when mixed active content blocker is disabled. Instead, the icon should only be changed to a triangle mixed active content blocker is enabled.
|
Assignee | |
Comment 8•12 years ago
|
||
(In reply to Brian Smith (:bsmith) from comment #7) > The problem is that we always change the icon to the triangle when we we > load mixed active content, even when mixed active content blocker is > disabled. Instead, the icon should only be changed to a triangle mixed > active content blocker is enabled. The idea to put in the triangle icon predates mixed content blocking (see bug 747090). The reason it wasn't done sooner was because we couldn't distinguish mixed script and mixed display. It was put into nightly for all mixed content and then rolled back until such a time when we could show it for only mixed script. I believe this is the ideal situation: the pref to block mixed active content would be turned on by default for all users and they would see the triangle icon if they disable protection. If they (or an addon they install) goes to about:config and changes the pref and turns it off, they will still see the yellow triangle. We may or may not get to this "ideal" for FF 21. If we don't, we can discuss what to do. If other's have a different idea of what is ideal, please chime in and provide details.
|
|
Reporter | |
Comment 9•12 years ago
|
||
(In reply to Tanvi Vyas [:tanvi] from comment #8) > I believe this is the ideal situation: the pref to block mixed active > content would be turned on by default for all users and they would see the > triangle icon if they disable protection. If they (or an addon they > install) goes to about:config and changes the pref and turns it off, they > will still see the yellow triangle. That sounds OK to me, as long as we have clearer distinction between the info panel for a mixed-active-content situation vs. a mixed-display-content situation (as noted at end of comment 5), so that users can tell why they're getting one icon vs. the other.
|
|
Reporter | |
Comment 10•12 years ago
|
||
(s/users/users who have the pref turned off/ (which is currently all users, since the pref is off by default for now))
|
||
Comment 11•12 years ago
|
||
(In reply to Daniel Holbert [:dholbert] from comment #9) > That sounds OK to me, as long as we have clearer distinction between the > info panel for a mixed-active-content situation vs. a mixed-display-content > situation (as noted at end of comment 5), so that users can tell why they're > getting one icon vs. the other. Yes, that will be in the Larry Menu. Here are the proposed strings as of now: Case 1: Mixed Script - blocked and No Mixed Display Icon: lock + shield The connection to this page is secure. Only encrypted content is displayed. Case 2: Mixed Script Blocked + Mixed Display Icon: globe + shield Interactive content (such as scripts) that isn't encrypted have been blocked for your protection. Case 3: Mixed Script - enabled and No Mixed Display Icon: warning This page contains interactive content (such as scripts) that isn't encrypted. Others can view or modify the page's behavior. <Block insecure content> Case 4: Mixed Script Enabled + Mixed Display Icon: Warning This page contains interactive content (such as scripts) that isn't encrypted. Others can view or modify the page's behavior. <Block insecure content> Case 5: Mixed Display only Icon: globe The connection to this page is not fully secure because it contains unencrypted elements (such as images).
|
||
Comment 12•12 years ago
|
||
(In reply to Tanvi Vyas [:tanvi] from comment #8) > We may or may not get to this "ideal" for FF 21. If we don't, we can > discuss what to do. I've noticed this too recently, sigh. I didn't realize how this changed the UI without the pref enabled. I think it's important to not suddenly introduce the yellow-triangle icon to users without the associated shield/doorhanger UI. EG, if we don't enable the pref for 21 (or, worse, we do enable it but then disable it later on Aurora/Beta), users should never see the yellow-triangle. I'm significantly less concerned about what happens in the future world where mixed-content is blocked by default, and users only see the icon if they've unblocked content via the doorhanger or flipping the pref.
|
||
Updated•12 years ago
|
|
||
Updated•12 years ago
|
|
|
||
Updated•12 years ago
|
|
||
Comment 13•12 years ago
|
||
(In reply to Tanvi Vyas [:tanvi] from comment #8) > We may or may not get to this "ideal" for FF 21. If we don't, we can > discuss what to do. It sounds like we'll either land the changes in comment 11 before our 2/19 merge and consider enabling by default in FF21, or we'll revert to FF20's behavior with mixed content blocking disabled.
|
|
Assignee | |
Comment 14•12 years ago
|
||
The pref isn't going to be turned on for FF 21, so we need to add a patch that shows the globe instead of the shield when security.mixed_content.block_active_content is set to false.
Something like this:
diff --git a/browser/base/content/browser.js b/browser/base/content/browser.js
--- a/browser/base/content/browser.js
+++ b/browser/base/content/browser.js
@@ -6815,17 +6815,18 @@ var gIdentityHandler = {
let nsIWebProgressListener = Ci.nsIWebProgressListener;
if (location.protocol == "chrome:" || location.protocol == "about:") {
this.setMode(this.IDENTITY_MODE_CHROMEUI);
} else if (state & nsIWebProgressListener.STATE_IDENTITY_EV_TOPLEVEL) {
this.setMode(this.IDENTITY_MODE_IDENTIFIED);
} else if (state & nsIWebProgressListener.STATE_IS_SECURE) {
this.setMode(this.IDENTITY_MODE_DOMAIN_VERIFIED);
} else if (state & nsIWebProgressListener.STATE_IS_BROKEN) {
- if (state & nsIWebProgressListener.STATE_LOADED_MIXED_ACTIVE_CONTENT) {
+ if ((state & nsIWebProgressListener.STATE_LOADED_MIXED_ACTIVE_CONTENT) &&
+ gPrefService.getBoolPref("security.mixed_content.block_active_content")) {
this.setMode(this.IDENTITY_MODE_MIXED_ACTIVE_CONTENT);
} else {
this.setMode(this.IDENTITY_MODE_MIXED_CONTENT);
}
} else {
this.setMode(this.IDENTITY_MODE_UNKNOWN);
}|
|
Assignee | |
Comment 15•12 years ago
|
||
Note that I have not tested this yet. I am working on bug 836951 and then will get back to this one.
|
|
Assignee | |
Comment 16•12 years ago
|
||
Comment on attachment 714528 [details] [diff] [review] Don't show triangle icon unless blocking of mixed active content is enabled v1 (In reply to Tanvi Vyas [:tanvi] from comment #15) > Created attachment 714528 [details] [diff] [review] > Don't show triangle icon unless blocking of mixed active content is enabled > v1 > > Note that I have not tested this yet. I am working on bug 836951 and then > will get back to this one. This looks good. r? to Justin and will push to try. We need to land before the merge on Tuesday, but given this is a one line change, I don't think that will be a problem. Note that the pref is only checked if we do infact have mixed content, so I don't think there will be a performance impact with checking the pref.
Attachment #714528 -
Flags: review?(dolske)
|
|
Assignee | |
Comment 17•12 years ago
|
||
Pushed to try: https://tbpl.mozilla.org/?tree=Try&rev=cf28d70bcd48
|
|
Assignee | |
Comment 18•12 years ago
|
||
Try looks good; now just waiting for review.
|
|
||
Updated•12 years ago
|
Attachment #714528 -
Flags: review?(dolske) → review+
|
|
Assignee | |
Comment 19•12 years ago
|
||
Thanks Justin! Pushed to inbound: hg.mozilla.org/integration/mozilla-inbound/rev/87478d6bb849
|
||
Comment 20•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/87478d6bb849
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 21
|
||
Comment 21•12 years ago
|
||
Mozilla/5.0 (Windows NT 6.2; rv:22.0) Gecko/20130220 Firefox/22.0 With the mixed content prefs set to false (default) both sites now display the globe icon in Firefox Nightly: - mixed active content site (https://blog.mozilla.org/blog/2013/01/29/mozilla-firefox-flicks-global-video-competition-returns/) - mixed display content site (https://blog.mozilla.org/blog/2013/01/28/privacy-day-2013/) displays the globe icon The mixed display content site previously (Firefox <= F20) showed the lock icon. Is this intended now?
|
|
Assignee | |
Comment 22•12 years ago
|
||
(In reply to Virgil Dicu [:virgil] [QA] from comment #21) > Mozilla/5.0 (Windows NT 6.2; rv:22.0) Gecko/20130220 Firefox/22.0 > > With the mixed content prefs set to false (default) both sites now display > the globe icon in Firefox Nightly: > - mixed active content site > (https://blog.mozilla.org/blog/2013/01/29/mozilla-firefox-flicks-global- > video-competition-returns/) > - mixed display content site > (https://blog.mozilla.org/blog/2013/01/28/privacy-day-2013/) displays the > globe icon > > The mixed display content site previously (Firefox <= F20) showed the lock > icon. Is this intended now? Mixed display has shown the globe icon for a while (not sure what FF version it started) and this won't change. For Mixed Active Content, if the preference to block mixed active content is turned on, then the content will be blocked and the user will see the shield. If they click on the shield and disable protection, they will see the triangle icon. For Mixed Active Content, if the preference to block mixed active content is not turned on (which is the default right now), the user will see the globe.
|
|
Assignee | |
Updated•12 years ago
|
Blocks: MixedContentBlocker
|
|
||
Comment 23•12 years ago
|
||
Thanks for the prompt explanations, Tanvi. Setting to verified then. Windows, Mac and Ubuntu with Aurora and Nightly. Mozilla/5.0 (Windows NT 6.2; rv:22.0) Gecko/20130220 Firefox/22.0
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•