Mixed Content discoverability proposal
Tanvi Vyas
tanvi at mozilla.com
Wed Aug 7 21:00:50 UTC 2013
Thanks for sending this email Larissa!
> 1. Most sites work fine when mixed content is blocked. We want to make
> the icon as inobtrusive to the user as possible in this case, but give
> him a tiny hint for where he can allow mixed content if necessary
> - Have the icon animate in (e.g. "flash") on page load to call some
> attention
> - Use a Neutral icon once the animation is finished
>
I like this idea.
> 2. There are certain cases in which we know Mixed Content is likely to
> "break" the page (e.g. insecure CSS). Here, we want to give the user a
> stronger clue to where he can allow mixed content
> - Have the icon animate in (e.g. "flash") on page load
> - Have the doorhanger animate in on page load and then disappear
> automatically after a few seconds
> - We need to discuss the proper heuristic for this case. Perhaps we
> have a whitelist of common sites? Maybe if the user visits the site
> the first time, he always gets a disappearing doorhanger? Maybe it's
> after a few site reloads? Maybe we detect which content is broken and
> we show it only for certain content types?
>
Determining which Mixed Content is likely to break a page is a little
bit more tricky. I think CSS is the only content-type we can check for
reliably (i.e. if CSS is blocked, the page most likely is broken). For
other content-types that we block (script, object, iframe) it is less
cut and dry. Are we blocking an ad or analytics, or are we breaking
page functionality? XHR may be the only other content-type we could
lump into the "if we are blocking this we are probably breaking the
page" category.

I want to avoid creating and maintaining a whitelist of common sites if
possible. I think we should only do this if it becomes clear that it is
necessary (we get an overwhelming number of reports for the same third
party content that is blocked). From the bugs we have so far, YouTube
is the only third party that stands out. YouTube has updated their
"share" code to include a protocol relative url to help alleviate this
problem for future embeds (though there is still one place where they
are using http://; I've contacted them about this).

We may be able to create a heuristic based on number of page visits or
reloads, but this may be difficult to implement. Again, I would avoid
doing this unless it becomes clear we need to. I would start off with
number 1) above and maybe that will be enough. If not, we can special
case CSS and XHR with an animating doorhanger that disappears after a
few seconds. And if that is still not enough, start looking at other
heuristics.

Also, I think the number of Mixed Content websites will decrease over
time (telemetry will tell us if that becomes true) and if so, the need
to create complicated heuristics will disappear.

So in conclusion, I think we should start with animating the icon on
page load and go from there.

Thanks!
~Tanvi

On 8/6/13 6:19 PM, Larissa Co wrote:
> Email #3: On the discoverability of Mixed Content permissions. Again,
> let's narrow the scope of this thread to purely discoverability issues
> for now, please! (We're discussing other interaction improvements
> right now)
>
> You can find the overview of the proposal on pg. 12 of
> http://people.mozilla.com/~lco/Permissions%20UI/130806%20design%20patterns-permissions%20UI.pdf
>
> The issue with Mixed Content discoverability is a bit simpler:
>
> 1. Most sites work fine when mixed content is blocked. We want to make
> the icon as inobtrusive to the user as possible in this case, but give
> him a tiny hint for where he can allow mixed content if necessary
> - Have the icon animate in (e.g. "flash") on page load to call some
> attention
> - Use a Neutral icon once the animation is finished
>
> 2. There are certain cases in which we know Mixed Content is likely to
> "break" the page (e.g. insecure CSS). Here, we want to give the user a
> stronger clue to where he can allow mixed content
> - Have the icon animate in (e.g. "flash") on page load
> - Have the doorhanger animate in on page load and then disappear
> automatically after a few seconds
> - We need to discuss the proper heuristic for this case. Perhaps we
> have a whitelist of common sites? Maybe if the user visits the site
> the first time, he always gets a disappearing doorhanger? Maybe it's
> after a few site reloads? Maybe we detect which content is broken and
> we show it only for certain content types?
>
> Again, once we've been able to discuss this proposal, I'll file the
> necessary bugs.
>
> Thanks,
> Larissa
>