"Load unsafe scripts" UI is too subtle
Reported by dan...@orodu.net, Jan 7 2018
Issue description
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
Steps to reproduce the problem:
1. Go to https://chuo.fm/show/rockers/
2. Scroll down and click one of the dates on the left
What is the expected behavior?
The page or the browser responds visibly to the click
What went wrong?
Nothing happens on the page, and the browser only places a small icon in the omnibox. There is nothing to draw attention to this icon, and I doubt users will find it, nor know what to do with it.
Did this work before? Yes
In M62 the page simply worked, now it's blocked behind this undiscoverable icon
Chrome version: 63.0.3239.132 Channel: stable
OS Version: 10.0
Flash Version:
Please make it clear to users that the browser has blocked something on the page and how they can make the page work. Punish developers for bad SSL practices, not users.
Jan 7 2018
Jan 8 2018
Able to reproduce the issue on Mac 10.12.6, Win-10 and Ubuntu 14.04 using Chrome reported version #63.0.3239.132 and latest canary #65.0.3314.0. This is a non-regression issue as it is observed from M50 old builds. Attaching screenshot for reference from M-50 version. Hence, marking it as untriaged to get more inputs from dev team. Thanks...!!
Jan 8 2018
Jan 12 2018
Thanks for the report. Adding PMily and SWEmily for thoughts.
Jan 29 2018
This UI is deliberately subtle. The indicator could also be titled "Shoot self in face" and I think we're more likely to want to remove it than make it more prominent.
Jan 29 2018
I appreciate that but it also breaks existing web content, and in this case had me switching to use edge instead of chromium, which is a much larger "shooting self" as you put it IMO.
Feb 9 2018
I don't think we have concrete plans to make this more obvious, and indeed, the site has the (i) icon next to the URL to indicate that the HTTPS setup isn't correct. You can avoid this problem altogether by correctly loading the unsafe scripts over HTTPS like the rest of the page. Then there is no need to load unsafe scripts at all. :)
Feb 9 2018
> I don't think we have concrete plans to make this more obvious, and indeed, the site has the (i) icon next to the URL to indicate that the HTTPS setup isn't correct.
That's unfortunate. To most users it will only appear that this page is broken in Chrome.
> You can avoid this problem altogether by correctly loading the unsafe scripts over HTTPS like the rest of the page. Then there is no need to load unsafe scripts at all. :)
Can you explain what you mean? How do I go about doing this when using a site such as this?
Feb 9 2018
#9, ah sorry, I thought that the site was your site. The problem is they have some data loaded over HTTPS, but also load JavaScript over HTTP, which compromises the security of using HTTPS. We are progressively working to mark HTTP as less secure in order to protect users, and part of that work is to try and incentivise sites to not have these fallbacks. Other browser vendors are also pursuing these goals in order to help improve the security of the web.
Feb 9 2018
Ok yeah I get that, but this doesn't feel like it's in a good place for users to make choices atm. Like there are websites where I wanna not use http over https and it matters a lot. But here I wanna listen to music and I don't care if it's not secure, you know? So it just feels broken when it doesn't work, and I had no idea how to fix it until I noticed how in edge and came back to see.
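For a site owner, the fix described in the thread starts with finding which subresources an HTTPS page requests over HTTP. The following is an added example, not part of the original thread or of Chromium's code: a regex-based approximation in JavaScript that classifies such references using the Mixed Content specification's categories. The function names, page URL, hostnames and HTML are constructed for illustration.

```javascript
// Added example: static approximation of mixed-content classification.
// Simplifications: regex scan instead of a DOM, no CSS/XHR/fetch subresources,
// and every http: URL is treated as insecure.
const BLOCKABLE = new Map([["script", "src"], ["iframe", "src"], ["embed", "src"],
                           ["object", "data"], ["link", "href"]]);
const OPTIONALLY_BLOCKABLE = new Map([["img", "src"], ["audio", "src"], ["video", "src"]]);

// Return the value of one attribute from the text of an opening tag, or null.
function attr(tagText, name) {
  const m = new RegExp(`\\s${name}\\s*=\\s*("([^"]*)"|'([^']*)'|([^\\s>]+))`, "i").exec(tagText);
  return m ? (m[2] ?? m[3] ?? m[4]) : null;
}

function findMixedContent(pageUrl, html) {
  // Mixed content only exists on pages that were themselves loaded over HTTPS.
  if (new URL(pageUrl).protocol !== "https:") return [];
  const findings = [];
  for (const [tagText, rawName] of html.matchAll(/<([a-z][a-z0-9]*)\b[^>]*>/gi)) {
    const tag = rawName.toLowerCase();
    const attrName = BLOCKABLE.get(tag) ?? OPTIONALLY_BLOCKABLE.get(tag);
    if (!attrName) continue;
    // <link> only fetches a subresource here when it is a stylesheet.
    if (tag === "link" && !/\bstylesheet\b/i.test(attr(tagText, "rel") ?? "")) continue;
    const raw = attr(tagText, attrName);
    if (!raw) continue;
    let resolved;
    // Resolving against the page URL keeps relative and protocol-relative
    // references ("/x.js", "//cdn/x.js") on https, so they are not reported.
    try { resolved = new URL(raw, pageUrl); } catch { continue; }
    if (resolved.protocol !== "http:") continue;
    const category = BLOCKABLE.has(tag) ? "blockable" : "optionally-blockable";
    findings.push({ tag, url: resolved.href, category });
  }
  return findings;
}

// Constructed sample input (not taken from the site in the report).
const SAMPLE_PAGE = "https://radio.example/show/archive/";
const SAMPLE_HTML = `
<link rel="stylesheet" href="/css/site.css">
<link rel="canonical" href="http://radio.example/show/archive/">
<script src="//cdn.example/lib.js"></script>
<script src="http://media.example/player.js"></script>
<img src="http://media.example/cover.jpg">
<audio src="https://media.example/ep1.mp3"></audio>`;

console.log(findMixedContent(SAMPLE_PAGE, SAMPLE_HTML));
```

Entries reported as "blockable" are the ones to move to HTTPS first, since those are the script-type loads the thread is about.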