Closed Bug 902691 Opened 11 years ago Closed 11 years ago

Add a "Learn More" link to HSTS security console messages

Categories

(DevTools :: Console, defect)

x86
All
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED
Firefox 26

People

(Reporter: ialagenchev, Assigned: ialagenchev)

References

Details

Attachments

(1 file, 2 obsolete files)

Bug 846918 landed before we started adding the "Learn More" link to security related warning messages. We need to write a MDN page that provides more information about Strict Transport Security and link to it from the warning message. This should be as easy as adding a new logical branch in addMoreInfoLink in browser/devtools/webconsole/webconsole.js and reusing some of the content for these blogposts: https://blog.mozilla.org/security/2012/12/26/http-strict-transport-security-2/ https://blog.mozilla.org/security/2012/11/01/preloading-hsts/ or reusing and perhaps adding more content to this mdn page: https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
Blocks: 863874
Component: Developer Tools → Developer Tools: Console
Depends on: 875456
Assignee: nobody → alagenchev
Attached patch 902691.patch (obsolete) — Splinter Review
Attachment #789262 - Flags: review?(mihai.sucan)
Comment on attachment 789262 [details] [diff] [review] 902691.patch Review of attachment 789262 [details] [diff] [review]: ----------------------------------------------------------------- Thank you! This is looking good. ::: browser/devtools/webconsole/webconsole.js @@ +40,5 @@ > const MIXED_CONTENT_LEARN_MORE = "https://developer.mozilla.org/en/Security/MixedContent"; > > const INSECURE_PASSWORDS_LEARN_MORE = "https://developer.mozilla.org/en-US/docs/Security/InsecurePasswords"; > > +const STRICT_TRANSPORT_SECURITY_LEARN_MORE = "https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security"; Please remove the /en-US/ part to allow MDN to redirect the user to the page that best fits user's regional settings. @@ +1401,5 @@ > } else if (aScriptError.category == "Mixed Content Message" || > aScriptError.category == "Mixed Content Blocker") { > url = MIXED_CONTENT_LEARN_MORE; > + } else if (aScriptError.category == "Invalid HSTS Headers") { > + url = STRICT_TRANSPORT_SECURITY_LEARN_MORE; nit: this function is growing now. Wouldn't it make sense to change these ifs into a switch block with cases for aScriptError.category? should be easier to follow...
Attachment #789262 - Flags: review?(mihai.sucan) → review+
(In reply to Mihai Sucan [:msucan] from comment #2) > Comment on attachment 789262 [details] [diff] [review] > 902691.patch > > Review of attachment 789262 [details] [diff] [review]: > ----------------------------------------------------------------- > > Thank you! This is looking good. > > ::: browser/devtools/webconsole/webconsole.js > @@ +40,5 @@ > > const MIXED_CONTENT_LEARN_MORE = "https://developer.mozilla.org/en/Security/MixedContent"; > > > > const INSECURE_PASSWORDS_LEARN_MORE = "https://developer.mozilla.org/en-US/docs/Security/InsecurePasswords"; > > > > +const STRICT_TRANSPORT_SECURITY_LEARN_MORE = "https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security"; > > Please remove the /en-US/ part to allow MDN to redirect the user to the page > that best fits user's regional settings. > > @@ +1401,5 @@ > > } else if (aScriptError.category == "Mixed Content Message" || > > aScriptError.category == "Mixed Content Blocker") { > > url = MIXED_CONTENT_LEARN_MORE; > > + } else if (aScriptError.category == "Invalid HSTS Headers") { > > + url = STRICT_TRANSPORT_SECURITY_LEARN_MORE; > > nit: this function is growing now. Wouldn't it make sense to change these > ifs into a switch block with cases for aScriptError.category? should be > easier to follow... Once 875456 lands, I will change the if block to switch statements and also replace all of the learn more links to use the non-region specific links. Thanks for pointing those out.
Attached patch 902691.patch (obsolete) — Splinter Review
Attachment #789262 - Attachment is obsolete: true
Attachment #796372 - Flags: review+
Attached patch 902691.patchSplinter Review
New patch since some tests turned out to be checking for the wrong url. New tbpl run: https://tbpl.mozilla.org/?tree=Try&rev=87c8235307c7
Attachment #796372 - Attachment is obsolete: true
Attachment #796886 - Flags: review+
Keywords: checkin-needed
Flags: in-testsuite+
Keywords: checkin-needed
Whiteboard: [fixed-in-fx-team]
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Whiteboard: [fixed-in-fx-team]
Target Milestone: --- → Firefox 26
As part of this bug, shouldn't we update https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security to include a section that clearly explains the webconsole error/warning and provides guidance on how to fix the issue?
(In reply to Tanvi Vyas [:tanvi] from comment #9) > As part of this bug, shouldn't we update > https://developer.mozilla.org/en-US/docs/Security/ > HTTP_Strict_Transport_Security to include a section that clearly explains > the webconsole error/warning and provides guidance on how to fix the issue? I think that's a good idea. We can probably add a section about web console messages and describe common causes.
(In reply to Ivan Alagenchev :ialagenchev from comment #10) > (In reply to Tanvi Vyas [:tanvi] from comment #9) > > As part of this bug, shouldn't we update > > https://developer.mozilla.org/en-US/docs/Security/ > > HTTP_Strict_Transport_Security to include a section that clearly explains > > the webconsole error/warning and provides guidance on how to fix the issue? > > I think that's a good idea. We can probably add a section about web console > messages and describe common causes. Another strategy could be to have pages dedicated to being the destinations of embedded "learn more" links that would have short descriptions, but heavily link to other pages of MDN. You may want to discuss with the MDN team for a convention that would allow tracking of when people go to MDN from the console. Something like ?from=console at the end of URLs. Anyway, happy to discuss linking and page organisation strategy at https://lists.mozilla.org/listinfo/dev-mdc
Product: Firefox → DevTools
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: