[browser] Various issues with security UI's
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical System Image | Fix Released | Undecided | Olivier Tilloy |
Ubuntu UX | Fix Released | High | Rae Shambrook |
webbrowser-app | Fix Released | High | Olivier Tilloy |
webbrowser-app (Ubuntu) | Fix Released | Undecided | Olivier Tilloy |
webbrowser-app (Ubuntu RTM) | Fix Released | Undecided | Olivier Tilloy |

Bug Description
I've not done a proper review on this yet, but there are a few issues I've noticed just from using the browser:
- The certificate error UI is displayed for all errors, but it should only be displayed for main frame document errors (CertificateErr
- When accepting an error, the certificate fingerprint seems to be whitelisted by the browser. This is not safe - what happens if the user navigates to a genuinely malicious site that happens to use the same certificate? If you want to whitelist them, you must also record the domain that the error originated from and the error code, and only automatically allow the error if the domain + error code + fingerprints match
- When accepting an error, there is no visual cue in the header bar that you're on a site with security errors.
- If you press the stop icon in the addressbar whilst the certificate error UI is displayed, the pending navigation is cancelled (returning to the previous committed navigation), but the certificate error UI is not removed. There is a CertificateErro
- There doesn't seem to be any indicator when you go to a site that has an EV certificate
--- UX Comment ---
Additional wireframe for top bar displaying warning when certificate identity is not verified
https:/
For EV certificate, just display EV information in the pop-over
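
The whitelisting rule from the bug description above (auto-allow only when domain, error code and fingerprint all match), sketched in JavaScript as an added example. It is not code from webbrowser-app or its merge proposal; the class and function names, error labels and sample values are hypothetical.

```javascript
"use strict";
// Added example. Class and method names are hypothetical, not webbrowser-app
// or Oxide APIs; hosts, error labels and fingerprints are constructed.

// Behaviour the report warns about: an accepted error is remembered by
// certificate fingerprint alone, so host and error code are ignored.
class FingerprintOnlyStore {
  constructor() { this.accepted = new Set(); }
  accept(host, errorCode, fingerprint) { this.accepted.add(normFp(fingerprint)); }
  isAccepted(host, errorCode, fingerprint) { return this.accepted.has(normFp(fingerprint)); }
}

// Behaviour the report asks for: host + error code + fingerprint must all match.
class ScopedStore {
  constructor() { this.accepted = new Set(); }
  accept(host, errorCode, fingerprint) { this.accepted.add(key(host, errorCode, fingerprint)); }
  isAccepted(host, errorCode, fingerprint) { return this.accepted.has(key(host, errorCode, fingerprint)); }
}

// Fingerprints compare case-insensitively and without ":" separators.
function normFp(fp) { return fp.toLowerCase().replace(/[^0-9a-f]/g, ""); }

// Host names compare case-insensitively; a trailing root dot is dropped.
function normHost(host) { return host.toLowerCase().replace(/\.$/, ""); }

// JSON array encoding keeps the three fields unambiguous in one Set key.
function key(host, errorCode, fp) {
  return JSON.stringify([normHost(host), String(errorCode), normFp(fp)]);
}

// The user accepts an "expired" error on one host; the same certificate is
// then presented by another host and, separately, with a different error.
function replay(store) {
  const fp = "AB:CD:EF:01:23:45"; // constructed, shortened fingerprint
  store.accept("intranet.example", "expired", fp);
  return {
    sameSite: store.isAccepted("Intranet.Example.", "expired", "abcdef012345"),
    otherHost: store.isAccepted("bank.example", "expired", fp),
    otherError: store.isAccepted("intranet.example", "name-mismatch", fp),
  };
}

console.log("fingerprint only:", replay(new FingerprintOnlyStore()));
console.log("scoped:          ", replay(new ScopedStore()));
```

With the fingerprint-only store all three lookups succeed, so the second host and the second error type would load without a prompt; with the scoped store only the original site and error are auto-allowed.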
Related branches
- PS Jenkins bot: Needs Fixing (continuous-integration)
- Chris Coulson: Approve
- Michael Sheldon: Pending requested
- Ubuntu Phablet Team: Pending requested
Diff: 279 lines (+155/-20), 5 files modified
- src/app/UrlUtils.js (+43/-0)
- src/app/WebViewImpl.qml (+1/-12)
- src/app/webbrowser/Browser.qml (+50/-4)
- src/app/webbrowser/Chrome.qml (+4/-4)
- tests/unittests/qml/tst_UrlUtils.qml (+57/-0)
description: updated
description: updated
Changed in webbrowser-app:
status: New → Triaged
importance: Undecided → High
assignee: nobody → Michael Sheldon (michael-sheldon)
Changed in webbrowser-app:
assignee: Michael Sheldon (michael-sheldon) → Olivier Tilloy (osomon)
Changed in webbrowser-app:
status: Triaged → In Progress
Changed in webbrowser-app (Ubuntu):
status: New → In Progress
Changed in webbrowser-app (Ubuntu RTM):
status: New → Confirmed
Changed in webbrowser-app (Ubuntu):
assignee: nobody → Olivier Tilloy (osomon)
Changed in webbrowser-app (Ubuntu RTM):
assignee: nobody → Olivier Tilloy (osomon)
Changed in ubuntu-ux:
status: New → Triaged
assignee: nobody → Giorgio Venturi (giorgio-venturi)
importance: Undecided → High
description: updated
Changed in ubuntu-ux:
status: Triaged → Fix Committed
Changed in canonical-devices-system-image:
milestone: none → ww05-2015
status: New → Fix Released
Changed in canonical-devices-system-image:
assignee: nobody → Olivier Tilloy (osomon)
Changed in ubuntu-ux:
assignee: Giorgio Venturi (giorgio-venturi) → Rae Shambrook (raecontreras)
Changed in ubuntu-ux:
status: Fix Committed → Fix Released
For point 4, there is actually an Oxide bug too (bug 1377198)