I'm not working on Security UX anymore; + the right peeps.

I'm inclined to say we should just not show the EV chip when there isn't enough room for it. I don't think we can come up with a rule for eliding it safely in the general case. We already don't show the EV chip on mobile, so not showing it on small desktop widths seems consistent.

> I'm inclined to say we should just not show the EV chip when there isn't enough room for it.

+1

However, then we're likely to get complaints that Page Info doesn't surface the organization or the issuer. :-(

an easy way to fix that would be to modify the tooltip so that instead of "View site information" it gives an extended version of the text (full ev text). This is what we do for many things, like tabs (the tooltip doesn't say "Switch to this tab") or bookmarks ("go to this bookmark"). Of course it would help if we add that hover affordance to the chip that we've talked about but I still don't think is there yet.

That modification is, in fact, in progress/phrasing being debated elsewhere, as we speak :)

> Of course it would help if we add that hover affordance to the chip that we've talked about but I still don't think is there yet.

That's already on Mac, right? ( Issue 588377 )
Or do you mean something else?

+elawrence is working on another security tooltip change, we should be consistent. on small screens, the tooltip *still* might be too long if the EV text is super long.

my preference in general is also to have the entire text animate down into the lock icon when there is not enough room: https://docs.google.com/presentation/d/1OVXsjFm5DqzxnK97klcJ-qfeBB_nI1DloK9fEoHanGc/edit#slide=id.g16cea66925_1_24

On Mac, we currently show the (unellipsized) text of the security chip in the tooltip in ALL cases.

On Views, the Label control that paints the text of the security chip already has the behavior that if the text has been ellipized, the tooltip is overridden to show the unellipsized text. This leads to the potentially surprising behavior that hovering the lock shows a tooltip of "View site information" while hovering the adjacent text shows "The Washington Post Company (LLC) US" or whatever.

 Issue 692683  was a request to make Views match Mac which nobody likes because it's weird for the tooltip to redundantly repeat the text over which it is hovering in the (common) case where no elision has occurred.

The argument for not eliding text from the end is that the end of the EV string shows the country of issuance, which is deemed an important characteristic of the EV identity for all of the people who smugly assert that they could register "Paypal" in Uruguay and thus spoof victims. By seeing "[US]" on the end, you know that you're dealing with the right company.

From my POV, I'd suggest deeming this "Won't Fix" and just leaving things as they are until this UI no longer exists.

> On Views, the Label control that paints the text of the security chip already has the behavior that if the text has been ellipized, the tooltip is overridden to show the unellipsized text.

ah, you're right. Great! Then I don't think we need to worry about #3.

WontFix is a valid outcome, I just filed this bug to consider being more consistent with the search chip.

I still would prefer to just completely condense the chip into the icon when there isn't enough room instead of ellipsizing. Does anyone disagree?

I think our current behavior (ellipsize rather than hide) is more secure. E.g. for WashingtonPost.com, we show lots of meaningful letters vs. hiding them all. 

Having said that, if we were to migrate to the "show only the icon" approach, it might incentivize websites like the WashingtonPost to do the work to get a sane display string instead of what they're using today.

I'm in favor of hiding the chip rather than ellipsizing. Otherwise we might ellipsize "The Washington Postcard Store into "The Washington Post..." which seems not great.

> seems not great.

I think we all agree that ellipsized text isn't great. The question is what's worse, showing /nothing/ (allowing any secure site, even with a plain DV certificate) to spoof the EV certificate, or showing /elli...xt/ which limits the spoofing potential down to the set of sites that can pass EV vetting with an overlapping string.

I argue that we're better off with the ellipsized text, unless the hiding "penalty" finally forces sites to stop being ridiculous.

I think from an implementation perspective ellipsizing may be easier than hiding.

I tend to prefer ellipsizing over hiding.  Comment 14 is one reason.

Re !4: I'd rather not give people an authoritative positive signal than give them a misleading authoritative positive signal.

I don't know if this warrants its own bug, but we're now shipping a verbose state on mobile ("Offline") that has a similar problem.

We already have Issue 454529 (Origin in omnibox on iOS can be extremely small), but it would be nice if whatever we do here could easily address Android.

Deleted: Screenshot_2017-04-05-11-17-26.png 197 KB

	Screenshot_2017-04-05-11-17-26.png 197 KB View Download

Assigning to estark to get out of the triage queue.

Unassigning myself since I'm not really working on this. I still feel that we should hide the EV chip if there's not room for it, but if we can't come to an agreement on that or if it's not feasible to implement, then I'm okay with WontFixing this.