Security/Reviews/bug588270

From MozillaWiki

Item Reviewed

Reduce redundancy with the favicons in the address bar and location bar
Target 588270 // ** supporting info: https://heatmap.mozillalabs.com/

Introduce the Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

  • remove favicon from url bar
    • also removes site identity when there is no favicon
  • trying to solve some user confusion over missing favicon that may confuse users with conditional fwd button

What solutions/approaches were considered other than the proposed solution?

  • leave as is

Why was this solution chosen?

  • need to make things clearer for users

Any security threats already considered in the design and why?

  • favicons that look like a lock or browser-fwd button

Threat Brainstorming

  • some concern over nothing being there for non-ssl sites
    • need something to convey state, fine with lock not being there
    • Sites can't make their own lock icon anymore, so that's good
  • how do we convey mixed mode?
    • current problem, this bug is not to address that but may make this problem worse as there is no button now
    • add-ons could update this area but are not a full solution

Action Items

Action Item Status: None
Release Target: Firefox 12
Action Items:
  • user study on how users perceive the UI in this model (future, not for this bug/review) -- does this UI change alter how they perceive the security of a site

Other topics out of scope

  • Use of the door hanger for other information
    • is it a phishing site?
    • have you visited it before

  • Do we want to distinguish between scripts over http vs other content (ex: images) over http
  • surfacing the web forgery report