[chromium-dev] Re: "Clear Strict-Transport-Security state" checkbox added
On Thu, Sep 17, 2009 at 3:03 PM, Peter Kasting wrote: > It's disappointing to me that this change was made without any bug in the > bug database linked, and without any input from a member of the UI team, > despite the code reviewer (abarth) explicitly wondering about getting UI > review. Glen recently moved this dialog so that's it's now four clicks away from the main UI. That certainly starts to put it in the realm of trival UI changes. Also, the dialog is already concerned with things that our users don't know about (like 'cookies') and it has sensible default if you don't know what it means. I'm more bothered that people who care about their privacy have the ability to control the information we store about them. AGL --~--~-~--~~~---~--~~ Chromium Developers mailing list: chromium-dev@googlegroups.com View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev -~--~~~~--~~--~--~---
[chromium-dev] Re: "Clear Strict-Transport-Security state" checkbox added
Thanks for bringing this up Peter. I don't know what this checkbox is, I've never heard of it. Regardless of the fact that it's N hops away from the main window, we should not be making user visible changes without copying the UX team. Whoever added this UI, please remove it before I have to when I get back next week. Thanks. -Ben On Thu, Sep 17, 2009 at 3:03 PM, Peter Kasting wrote: > http://src.chromium.org/viewvc/chrome?view=rev&revision=25955 added a "Clear > Strict-Transport-Security state" checkbox to the "Clear browsing data" > dialog. > It's disappointing to me that this change was made without any bug in the > bug database linked, and without any input from a member of the UI team, > despite the code reviewer (abarth) explicitly wondering about getting UI > review. I know that my personal opinion is that this checkbox is wholly > inappropriate as approximately 0% of our users will have any idea what it > means. (I sure didn't before reading the code.) > For the issue at hand, I'd like to hear from agl on why users have to see > this, and if we can't just "do the right thing automatically" or at least > have more hidden control (e.g. a command-line switch, or something in the > Under The Hood options), as well as hearing from beng as the UI lead on > whether this is fine or not. > In general, please take this as a reminder that nontrivial changes should > have relevant bugs, and UI-affecting changes should be OKed by the UI team. > PK --~--~-~--~~~---~--~~ Chromium Developers mailing list: chromium-dev@googlegroups.com View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev -~--~~~~--~~--~--~---
[chromium-dev] Re: "Clear Strict-Transport-Security state" checkbox added
On Thu, Sep 17, 2009 at 3:37 PM, Ben Goodger (Google) wrote: > Whoever added this UI, please remove it before I have to when I get > back next week. Very well, reverting. AGL --~--~-~--~~~---~--~~ Chromium Developers mailing list: chromium-dev@googlegroups.com View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev -~--~~~~--~~--~--~---
[chromium-dev] Re: "Clear Strict-Transport-Security state" checkbox added
Thanks! On Thu, Sep 17, 2009 at 3:38 PM, Adam Langley wrote: > On Thu, Sep 17, 2009 at 3:37 PM, Ben Goodger (Google) > wrote: >> Whoever added this UI, please remove it before I have to when I get >> back next week. > > Very well, reverting. > > > AGL > --~--~-~--~~~---~--~~ Chromium Developers mailing list: chromium-dev@googlegroups.com View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev -~--~~~~--~~--~--~---
[chromium-dev] Re: "Clear Strict-Transport-Security state" checkbox added
On Thu, Sep 17, 2009 at 3:31 PM, Adam Langley wrote: > > On Thu, Sep 17, 2009 at 3:03 PM, Peter Kasting wrote: >> It's disappointing to me that this change was made without any bug in the >> bug database linked, and without any input from a member of the UI team, >> despite the code reviewer (abarth) explicitly wondering about getting UI >> review. > > Glen recently moved this dialog so that's it's now four clicks away > from the main UI. That certainly starts to put it in the realm of > trival UI changes. Also, the dialog is already concerned with things > that our users don't know about (like 'cookies') and it has sensible > default if you don't know what it means. > > I'm more bothered that people who care about their privacy have the > ability to control the information we store about them. Advanced users (including me) know what everything means in that dialog except the checkbox, and it's very scary and obscure sounding. I agree with Peter that it should not have gone in. Brett --~--~-~--~~~---~--~~ Chromium Developers mailing list: chromium-dev@googlegroups.com View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev -~--~~~~--~~--~--~---
[chromium-dev] Re: "Clear Strict-Transport-Security state" checkbox added
On Thu, Sep 17, 2009 at 3:38 PM, Adam Langley wrote: > > On Thu, Sep 17, 2009 at 3:37 PM, Ben Goodger (Google) > wrote: >> Whoever added this UI, please remove it before I have to when I get >> back next week. > > Very well, reverting. Why not #ifdef around it? I fear if you revert you'll never check it in again. --~--~-~--~~~---~--~~ Chromium Developers mailing list: chromium-dev@googlegroups.com View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev -~--~~~~--~~--~--~---
[chromium-dev] Re: "Clear Strict-Transport-Security state" checkbox added
On Thu, Sep 17, 2009 at 3:50 PM, Evan Martin wrote: > > On Thu, Sep 17, 2009 at 3:38 PM, Adam Langley wrote: >> >> On Thu, Sep 17, 2009 at 3:37 PM, Ben Goodger (Google) >> wrote: >>> Whoever added this UI, please remove it before I have to when I get >>> back next week. >> >> Very well, reverting. > > Why not #ifdef around it? I fear if you revert you'll never check it in > again. If that happens, it's the best possible argument that this is a silly thing to add. Brett --~--~-~--~~~---~--~~ Chromium Developers mailing list: chromium-dev@googlegroups.com View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev -~--~~~~--~~--~--~---
[chromium-dev] Re: "Clear Strict-Transport-Security state" checkbox added
On Thu, Sep 17, 2009 at 3:31 PM, Adam Langley wrote: > I'm more bothered that people who care about their privacy have the > ability to control the information we store about them. > At the bottom of "Under the Hood" is a button called "Reset to Defaults". This is what we hook to all of the tiny bits of state that we don't give users direct control over. It may be appropriate for you to wire your state reset function up to this button. PK --~--~-~--~~~---~--~~ Chromium Developers mailing list: chromium-dev@googlegroups.com View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev -~--~~~~--~~--~--~---
[chromium-dev] Re: "Clear Strict-Transport-Security state" checkbox added
On Thu, Sep 17, 2009 at 3:54 PM, Brett Wilson wrote: > On Thu, Sep 17, 2009 at 3:50 PM, Evan Martin wrote: >> >> On Thu, Sep 17, 2009 at 3:38 PM, Adam Langley wrote: >>> >>> On Thu, Sep 17, 2009 at 3:37 PM, Ben Goodger (Google) >>> wrote: Whoever added this UI, please remove it before I have to when I get back next week. >>> >>> Very well, reverting. >> >> Why not #ifdef around it? I fear if you revert you'll never check it in >> again. > > If that happens, it's the best possible argument that this is a silly > thing to add. No, it's just the argument that it's not the sort of thing people are willing to expend the energy to argue about. With this sort of response I'd be tempted to just give up on the patch. --~--~-~--~~~---~--~~ Chromium Developers mailing list: chromium-dev@googlegroups.com View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev -~--~~~~--~~--~--~---
[chromium-dev] Re: "Clear Strict-Transport-Security state" checkbox added
+1 to what Peter is saying. Like Brett, I have no clue what this checkbox means and think it shouldn't have been added. However, the question I have... is it appropriate to tuck this in with something like deleting the history (like we do with last session, recently closed tabs, autogenerated keywords, etc)? It is hard for me to evaluate that, not knowing what this does... :) -F On Thu, Sep 17, 2009 at 16:09, Evan Martin wrote: > > On Thu, Sep 17, 2009 at 3:54 PM, Brett Wilson wrote: > > On Thu, Sep 17, 2009 at 3:50 PM, Evan Martin wrote: > >> > >> On Thu, Sep 17, 2009 at 3:38 PM, Adam Langley wrote: > >>> > >>> On Thu, Sep 17, 2009 at 3:37 PM, Ben Goodger (Google) < > b...@chromium.org> wrote: > Whoever added this UI, please remove it before I have to when I get > back next week. > >>> > >>> Very well, reverting. > >> > >> Why not #ifdef around it? I fear if you revert you'll never check it in > again. > > > > If that happens, it's the best possible argument that this is a silly > > thing to add. > > No, it's just the argument that it's not the sort of thing people are > willing to expend the energy to argue about. With this sort of > response I'd be tempted to just give up on the patch. > > > > --~--~-~--~~~---~--~~ Chromium Developers mailing list: chromium-dev@googlegroups.com View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev -~--~~~~--~~--~--~---
[chromium-dev] Re: "Clear Strict-Transport-Security state" checkbox added
For those of us who are curious, could someone explain what this does? Erik On Thu, Sep 17, 2009 at 4:20 PM, Finnur Thorarinsson wrote: > +1 to what Peter is saying. > Like Brett, I have no clue what this checkbox means and think it shouldn't > have been added. > However, the question I have... is it appropriate to tuck this in with > something like deleting the history (like we do with last session, recently > closed tabs, autogenerated keywords, etc)? > It is hard for me to evaluate that, not knowing what this does... :) > -F > > On Thu, Sep 17, 2009 at 16:09, Evan Martin wrote: >> >> On Thu, Sep 17, 2009 at 3:54 PM, Brett Wilson wrote: >> > On Thu, Sep 17, 2009 at 3:50 PM, Evan Martin wrote: >> >> >> >> On Thu, Sep 17, 2009 at 3:38 PM, Adam Langley wrote: >> >>> >> >>> On Thu, Sep 17, 2009 at 3:37 PM, Ben Goodger (Google) >> >>> wrote: >> Whoever added this UI, please remove it before I have to when I get >> back next week. >> >>> >> >>> Very well, reverting. >> >> >> >> Why not #ifdef around it? I fear if you revert you'll never check it >> >> in again. >> > >> > If that happens, it's the best possible argument that this is a silly >> > thing to add. >> >> No, it's just the argument that it's not the sort of thing people are >> willing to expend the energy to argue about. With this sort of >> response I'd be tempted to just give up on the patch. >> >> > > > > > --~--~-~--~~~---~--~~ Chromium Developers mailing list: chromium-dev@googlegroups.com View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev -~--~~~~--~~--~--~---
[chromium-dev] Re: "Clear Strict-Transport-Security state" checkbox added
It clears the list of hosts in StrictTransportSecurityState: // StrictTransportSecurityState // // Tracks which hosts have enabled StrictTransportSecurityState. After a host // enables StrictTransportSecurityState, then we refuse to talk to the host // over HTTP, treat all certificate errors as fatal, and refuse to load any // mixed content. // rsesek / @chromium.org On Thu, Sep 17, 2009 at 7:28 PM, Erik Kay wrote: > > For those of us who are curious, could someone explain what this does? > > Erik > > > On Thu, Sep 17, 2009 at 4:20 PM, Finnur Thorarinsson > wrote: > > +1 to what Peter is saying. > > Like Brett, I have no clue what this checkbox means and think it > shouldn't > > have been added. > > However, the question I have... is it appropriate to tuck this in with > > something like deleting the history (like we do with last session, > recently > > closed tabs, autogenerated keywords, etc)? > > It is hard for me to evaluate that, not knowing what this does... :) > > -F > > > > On Thu, Sep 17, 2009 at 16:09, Evan Martin wrote: > >> > >> On Thu, Sep 17, 2009 at 3:54 PM, Brett Wilson > wrote: > >> > On Thu, Sep 17, 2009 at 3:50 PM, Evan Martin > wrote: > >> >> > >> >> On Thu, Sep 17, 2009 at 3:38 PM, Adam Langley > wrote: > >> >>> > >> >>> On Thu, Sep 17, 2009 at 3:37 PM, Ben Goodger (Google) > >> >>> wrote: > >> Whoever added this UI, please remove it before I have to when I get > >> back next week. > >> >>> > >> >>> Very well, reverting. > >> >> > >> >> Why not #ifdef around it? I fear if you revert you'll never check it > >> >> in again. > >> > > >> > If that happens, it's the best possible argument that this is a silly > >> > thing to add. > >> > >> No, it's just the argument that it's not the sort of thing people are > >> willing to expend the energy to argue about. With this sort of > >> response I'd be tempted to just give up on the patch. > >> > >> > > > > > > > > > > > > > --~--~-~--~~~---~--~~ Chromium Developers mailing list: chromium-dev@googlegroups.com View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev -~--~~~~--~~--~--~---
[chromium-dev] Re: "Clear Strict-Transport-Security state" checkbox added
There's a published paper about it too: http://www.adambarth.com/papers/2008/jackson-barth.pdf On Thu, Sep 17, 2009 at 4:34 PM, Robert Sesek wrote: > It clears the list of hosts in StrictTransportSecurityState: > > // StrictTransportSecurityState > // > // Tracks which hosts have enabled StrictTransportSecurityState. After a > host > // enables StrictTransportSecurityState, then we refuse to talk to the host > // over HTTP, treat all certificate errors as fatal, and refuse to load any > // mixed content. > // > > rsesek / @chromium.org > > On Thu, Sep 17, 2009 at 7:28 PM, Erik Kay wrote: >> >> For those of us who are curious, could someone explain what this does? >> >> Erik >> >> >> On Thu, Sep 17, 2009 at 4:20 PM, Finnur Thorarinsson >> wrote: >> > +1 to what Peter is saying. >> > Like Brett, I have no clue what this checkbox means and think it >> > shouldn't >> > have been added. >> > However, the question I have... is it appropriate to tuck this in with >> > something like deleting the history (like we do with last session, >> > recently >> > closed tabs, autogenerated keywords, etc)? >> > It is hard for me to evaluate that, not knowing what this does... :) >> > -F >> > >> > On Thu, Sep 17, 2009 at 16:09, Evan Martin wrote: >> >> >> >> On Thu, Sep 17, 2009 at 3:54 PM, Brett Wilson >> >> wrote: >> >> > On Thu, Sep 17, 2009 at 3:50 PM, Evan Martin >> >> > wrote: >> >> >> >> >> >> On Thu, Sep 17, 2009 at 3:38 PM, Adam Langley >> >> >> wrote: >> >> >>> >> >> >>> On Thu, Sep 17, 2009 at 3:37 PM, Ben Goodger (Google) >> >> >>> wrote: >> >> Whoever added this UI, please remove it before I have to when I >> >> get >> >> back next week. >> >> >>> >> >> >>> Very well, reverting. >> >> >> >> >> >> Why not #ifdef around it? I fear if you revert you'll never check >> >> >> it >> >> >> in again. >> >> > >> >> > If that happens, it's the best possible argument that this is a silly >> >> > thing to add. >> >> >> >> No, it's just the argument that it's not the sort of thing people are >> >> willing to expend the energy to argue about. With this sort of >> >> response I'd be tempted to just give up on the patch. >> >> >> >> >> > >> > >> > > >> > >> >> > > > > > --~--~-~--~~~---~--~~ Chromium Developers mailing list: chromium-dev@googlegroups.com View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev -~--~~~~--~~--~--~---
[chromium-dev] Re: "Clear Strict-Transport-Security state" checkbox added
There's a slight race condition in making various things public. Basically, this is a mechanism a high-security site can use to signal to the browser that it would like strict handling of HTTPS errors. For example, when the site opts into this features, HTTPS certificate errors will be treated as fatal to the connection. More details will be surfacing soon in the form of an standards-track specification. Adam On Thu, Sep 17, 2009 at 4:28 PM, Erik Kay wrote: > > For those of us who are curious, could someone explain what this does? > > Erik > > > On Thu, Sep 17, 2009 at 4:20 PM, Finnur Thorarinsson > wrote: >> +1 to what Peter is saying. >> Like Brett, I have no clue what this checkbox means and think it shouldn't >> have been added. >> However, the question I have... is it appropriate to tuck this in with >> something like deleting the history (like we do with last session, recently >> closed tabs, autogenerated keywords, etc)? >> It is hard for me to evaluate that, not knowing what this does... :) >> -F >> >> On Thu, Sep 17, 2009 at 16:09, Evan Martin wrote: >>> >>> On Thu, Sep 17, 2009 at 3:54 PM, Brett Wilson wrote: >>> > On Thu, Sep 17, 2009 at 3:50 PM, Evan Martin wrote: >>> >> >>> >> On Thu, Sep 17, 2009 at 3:38 PM, Adam Langley wrote: >>> >>> >>> >>> On Thu, Sep 17, 2009 at 3:37 PM, Ben Goodger (Google) >>> >>> wrote: >>> Whoever added this UI, please remove it before I have to when I get >>> back next week. >>> >>> >>> >>> Very well, reverting. >>> >> >>> >> Why not #ifdef around it? I fear if you revert you'll never check it >>> >> in again. >>> > >>> > If that happens, it's the best possible argument that this is a silly >>> > thing to add. >>> >>> No, it's just the argument that it's not the sort of thing people are >>> willing to expend the energy to argue about. With this sort of >>> response I'd be tempted to just give up on the patch. >>> >>> >> >> >> > >> > > > > --~--~-~--~~~---~--~~ Chromium Developers mailing list: chromium-dev@googlegroups.com View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev -~--~~~~--~~--~--~---
[chromium-dev] Re: "Clear Strict-Transport-Security state" checkbox added
FYI: Mac does have this dialog, and it's actually 1 click away, as the there is a menu item in the menu bar to directly invoke it (since Safari and Firefox have menubar entries for this). TVL On Thu, Sep 17, 2009 at 8:20 PM, Adam Barth wrote: > > There's a slight race condition in making various things public. > Basically, this is a mechanism a high-security site can use to signal > to the browser that it would like strict handling of HTTPS errors. > For example, when the site opts into this features, HTTPS certificate > errors will be treated as fatal to the connection. > > More details will be surfacing soon in the form of an standards-track > specification. > > Adam > > > On Thu, Sep 17, 2009 at 4:28 PM, Erik Kay wrote: > > > > For those of us who are curious, could someone explain what this does? > > > > Erik > > > > > > On Thu, Sep 17, 2009 at 4:20 PM, Finnur Thorarinsson > > wrote: > >> +1 to what Peter is saying. > >> Like Brett, I have no clue what this checkbox means and think it > shouldn't > >> have been added. > >> However, the question I have... is it appropriate to tuck this in with > >> something like deleting the history (like we do with last session, > recently > >> closed tabs, autogenerated keywords, etc)? > >> It is hard for me to evaluate that, not knowing what this does... :) > >> -F > >> > >> On Thu, Sep 17, 2009 at 16:09, Evan Martin wrote: > >>> > >>> On Thu, Sep 17, 2009 at 3:54 PM, Brett Wilson > wrote: > >>> > On Thu, Sep 17, 2009 at 3:50 PM, Evan Martin > wrote: > >>> >> > >>> >> On Thu, Sep 17, 2009 at 3:38 PM, Adam Langley > wrote: > >>> >>> > >>> >>> On Thu, Sep 17, 2009 at 3:37 PM, Ben Goodger (Google) > >>> >>> wrote: > >>> Whoever added this UI, please remove it before I have to when I > get > >>> back next week. > >>> >>> > >>> >>> Very well, reverting. > >>> >> > >>> >> Why not #ifdef around it? I fear if you revert you'll never check > it > >>> >> in again. > >>> > > >>> > If that happens, it's the best possible argument that this is a silly > >>> > thing to add. > >>> > >>> No, it's just the argument that it's not the sort of thing people are > >>> willing to expend the energy to argue about. With this sort of > >>> response I'd be tempted to just give up on the patch. > >>> > >>> > >> > >> > >> > > >> > > > > > > > > > > > --~--~-~--~~~---~--~~ Chromium Developers mailing list: chromium-dev@googlegroups.com View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev -~--~~~~--~~--~--~---
[chromium-dev] Re: "Clear Strict-Transport-Security state" checkbox added
In case you're still wondering about this topic, a draft of the spec is now public: http://lists.w3.org/Archives/Public/www-archive/2009Sep/att-0051/draft-hodges-strict-transport-sec-05.plain.html Apparently an announcement message is also en-route to the W3C WebApps working group. Adam On Thu, Sep 17, 2009 at 5:20 PM, Adam Barth wrote: > There's a slight race condition in making various things public. > Basically, this is a mechanism a high-security site can use to signal > to the browser that it would like strict handling of HTTPS errors. > For example, when the site opts into this features, HTTPS certificate > errors will be treated as fatal to the connection. > > More details will be surfacing soon in the form of an standards-track > specification. > > Adam > > > On Thu, Sep 17, 2009 at 4:28 PM, Erik Kay wrote: >> >> For those of us who are curious, could someone explain what this does? >> >> Erik >> >> >> On Thu, Sep 17, 2009 at 4:20 PM, Finnur Thorarinsson >> wrote: >>> +1 to what Peter is saying. >>> Like Brett, I have no clue what this checkbox means and think it shouldn't >>> have been added. >>> However, the question I have... is it appropriate to tuck this in with >>> something like deleting the history (like we do with last session, recently >>> closed tabs, autogenerated keywords, etc)? >>> It is hard for me to evaluate that, not knowing what this does... :) >>> -F >>> >>> On Thu, Sep 17, 2009 at 16:09, Evan Martin wrote: On Thu, Sep 17, 2009 at 3:54 PM, Brett Wilson wrote: > On Thu, Sep 17, 2009 at 3:50 PM, Evan Martin wrote: >> >> On Thu, Sep 17, 2009 at 3:38 PM, Adam Langley wrote: >>> >>> On Thu, Sep 17, 2009 at 3:37 PM, Ben Goodger (Google) >>> wrote: Whoever added this UI, please remove it before I have to when I get back next week. >>> >>> Very well, reverting. >> >> Why not #ifdef around it? I fear if you revert you'll never check it >> in again. > > If that happens, it's the best possible argument that this is a silly > thing to add. No, it's just the argument that it's not the sort of thing people are willing to expend the energy to argue about. With this sort of response I'd be tempted to just give up on the patch. >>> >>> >>> > >>> >> >> >> >> > --~--~-~--~~~---~--~~ Chromium Developers mailing list: chromium-dev@googlegroups.com View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev -~--~~~~--~~--~--~---
[chromium-dev] Re: "Clear Strict-Transport-Security state" checkbox added
> Apparently an announcement message is also en-route to the W3C WebApps > working group. It's in their archives now.. fyi: Strict Transport Security specification http://lists.w3.org/Archives/Public/public-webapps/2009JulSep/1148.html Please send feedback on the spec to the public-weba...@w3.org list. thanks, =JeffH PayPal InfoSec Team --~--~-~--~~~---~--~~ Chromium Developers mailing list: chromium-dev@googlegroups.com View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev -~--~~~~--~~--~--~---
