On Wed, Apr 15, 2015 at 3:33 AM, Karl Dubost <kdub...@mozilla.com> wrote: > Le 14 avr. 2015 à 19:29, Henri Sivonen <hsivo...@hsivonen.fi> a écrit : >> Currently, the UI designation for http is neutral while the UI >> designation for mixed content is undesirable. I think we should make >> the UI designation of plain http undesirable once x% the sites that >> users encounter on a daily basis are https. > > What about changing the color of the grey world icon for http into something > which is more telling. > An icon that would mean "eavesdropping possible". but yes UI should be part > of the work.
I indeed meant changing the grey globe icon to something else eventually, but I deliberately wanted to avoid starting a bikeshed in *this* thread about what the new icon should be. Usually something on the theme of the Eye of Sauron comes up in discussion about the icon. > For Web Compatibility, dropping non secure cookies would be an interesting > survey to do and see how much it breaks (or not) the Web and user experience. Note that I didn't propose dropping support for insecure cookies right away. I proposed forgetting (by default) insecure cookies when quitting Firefox. At least at the start, it would probably make sense not to forget cookies from sites that the users has put in the explicit "Allow" category in the cookie manager. AFAICT, this can't "Break the Web" for the usual definition of that phrase, since the forgetting behavior wouldn't be site-detectable in mid-browsing. It would affect the UX on non-https login-requiring sites (including ones whose login is https but whose session cookie is insecure to allow everything except supposedly sensitive things like sending the password or sending a credit card number happen over http due to legacy performance memes), which are, as noted, Doing It Wrong. -- Henri Sivonen hsivo...@hsivonen.fi https://hsivonen.fi/ _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform