Elide www. and m. subdomains |
||||||||||||
Issue descriptionFiling in response to an email discussion between palmer, ainslie, owencm and felt. A proposal came up to elide www and m subdomains in the omnibox and on related surfaces. In the screenshot attached this would lead to flipkart and quora being shown like medium. Palmer: "our standard guidance (https://www.chromium.org/Home/chromium-security/enamel#TOC-Eliding-Origin-Names-And-Hostnames) allows for the possibility of eliding an origin display down to the effective top-level domain (eTLD) + DNS label below that. In the case of www.flipkart.com, .com is the eTLD, flipkart is the +1, and so the www could go away. (In the case of www.example.co.uk, ".co.uk" is the eTLD, and it could be elided down to "example.co.uk".) ... I would prefer to elide only (a) out of necessity (screen real estate); or (b) the special cases of "www" and "m". The reason is that, although they have the same eTLD + 1, accounts.google.com, mail.google.com, and www.google.com are very different applications with very different security properties and requirements."
,
Apr 28 2016
,
Apr 28 2016
,
Apr 28 2016
,
Apr 28 2016
FYI, I think Safari already does this.
,
May 3 2016
,
May 4 2016
I haven't seen this addressed anywhere, but how does this affect permissions and other UI? The "obvious" thing to me is to change the representation only in the omnibox but keep all other internals the same. However, this means that three are different origins (which may have different permissions, cookies, and other properties) that we pretend are the same to the user in one place, but not other places. In particular, if permissions are still scoped by origin, then we should show the correct origin in permission prompts and page info – but this will be inconsistent with the omnibox. And if they grant a permission while the omnibox shows "quora.com", it may actually show up in settings under "www.quora.com". (And if you want to change how permissions are stored by e.g. coalescing these origins, that is a very non-trivial change that will require more discussion.) Sites can already host content at the eTLD+1 origin if they care about it for the user experience. The slides only state that www "doesn’t provide much value to users". Is there more background/data on why we should do this?
,
May 5 2016
Really great question. The "obvious" answer is what's under consideration. Besides "not providing much value", I'd argue that most users don't understand any implications of seeing "www" or "m". Eliding them yields a simpler and more understandable UI. Ainslie has some more thoughts on origin readability here: https://docs.google.com/presentation/d/1PyxiCQ1O1bvLHTvMOY8IT-SSe6sr7M6aZ3Y1EgXsuzQ/edit#slide=id.g1296ab7fb8_0_21
,
Nov 23 2016
,
Dec 12 2016
,
Jan 6 2017
I'm not working on security UX anymore. (Also, is this for mobile only, or for all platforms?)
,
Jan 6 2017
All. I'll take this one for now -- the work will be done by the new omnibox team.
,
Nov 10 2017
,
Feb 18 2018
,
Aug 1
|
||||||||||||
►
Sign in to add a comment |
||||||||||||
Comment 1 by ainslie@chromium.org
, Apr 28 2016135 KB
135 KB View Download