safebrowsing checks on 3rd party sources don't warn user

RESOLVED WONTFIX

Status

()

Toolkit
Safe Browsing
RESOLVED WONTFIX
5 years ago
5 years ago

People

(Reporter: mmc, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

From Adrienne Felt: 

Firefox no longer displays the Safe Browsing interstitial warning when a "clean" (unlisted) top level domain loads a resource on the SB list. Instead, the third-party resource is silently blocked and no warning is shown.

This means Chrome and FF now have divergent behavior. It's not clear when/if this behavior ever worked.

Test site: http://adrienneporterfelt.com/test1/index.html
Adding dolske, the last person to touch http://hg.mozilla.org/mozilla-central/log/tip/browser/base/content/report-phishing-overlay.xul

Adrienne says dveditz pointed devd at https://bugzilla.mozilla.org/show_bug.cgi?id=549241 but that bug is a million years old. dveditz, devd, did you mean another bug?
I thought this is a feature, not a bug. When Dan and I discussed this, Dan said there should be a warning in the console. Interstitial warnings only annoy our users.
So, has Firefox ever worked as Chrome behaves?

I've got no problem blocking aggressively, but it seems wrong to modify page contents without giving any user-accessible insight as to why (doesn't have to be an interstitial).
Yes, bug 441359 blocked all resource loads with warning. Bug 549241 blocked them silently.

I agree that the user should be notified, ideally with a message on the console. The title of the bug made me think that returning to interstitial is being considered.
OK, thanks for the background. Since this has been the behavior for the past 3 years, this is not a regression, and I think the discussion how to handle automatically blocking resources is beyond the scope of this bug.

I think similar issues arise with mixed content blocking which appears to have had a long trajectory in UX/eng collaboration, and will follow up with lco and tanvi whether or not this is worth pursuing.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Resolution: FIXED → WONTFIX
I am not sure if WONTFIX is the right resolution. How about opening it up and retitling it to "safebrowsing blocks should notify the user". 


Notifications could be a warning on the webconsole or an infobar "firefox protected you. Please notify the web admin" or something like that. I am only opposed to an interstitial.
Hi Dev,

I think the number of users who would benefit from a webconsole warning is vanishingly small.

We currently have 3 ways of blocking content that I know of: safebrowsing checks, click-to-play, and mixed content. I think that adding yet another UI for this check without considering how all of these checks affect the user experience for blocked content, is the wrong thing to do.

My feeling is that this bug is both low urgency, because it's not a regression and has been in place for years, and low severity, because I haven't seen evidence that a large enough number of sites are affected to justify changing this. I also don't believe in unowned, low priority bugs.

If you disagree, then you are welcome to take ownership or find another owner.

Thanks,
Monica
Summary: safebrowsing checks on 3rd party sources no longer show interstitial → safebrowsing checks on 3rd party sources don't warn user
I think WONTFIX is fine -- given that we've always worked this way without it having come up as an issue before, I don't think it's very likely that we'd invest resources in implementing a change.
You need to log in before you can comment on or make changes to this bug.