** Branch linked: lp:webbrowser-app/rtm-14.09 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to webbrowser-app in Ubuntu. https://bugs.launchpad.net/bugs/1377194
Title: [browser] Various issues with security UI's Status in the base for Ubuntu mobile products: Fix Released Status in Ubuntu UX bugs: Fix Committed Status in Web Browser App: Fix Released Status in webbrowser-app package in Ubuntu: Fix Released Status in webbrowser-app package in Ubuntu RTM: Fix Released Bug description: I've not done a proper review on this yet, but there are a few issues I've noticed just from using the browser: - The certificate error UI is displayed for all errors, but it should only be displayed for main frame document errors (CertificateError.isMainFrame && !CertificateError.isSubresource). You can't override other errors anyway, and for subframes and subresources it is fine to just block the content (this is how Chrome and Firefox behave). - When accepting an error, the certificate fingerprint seems to be whitelisted by the browser. This is not safe - what happens if the user navigates to a genuinely malicious site that happens to use the same certificate? If you want to whitelist them, you must also record the domain that the error originated from and the error code, and only automatically allow the error if the domain + error code + fingerprints match - When accepting an error, there is no visual cue in the header bar that you're on a site with security errors. - If you press the stop icon in the addressbar whilst the certificate error UI is displayed, the pending navigation is cancelled (returning to the previous committed navigation), but the certificate error UI is not removed. There is a CertificateError.cancelled signal for this purpose - I'm not sure if you're using it or not - There doesn't seem to be any indicator when you go to a site that has an EV certificate --- UX Comment --- Additional wireframe for top bar displaying warning when certificate identity is not verified https://docs.google.com/a/canonical.com/presentation/d/1Qrd4Flfs3EH-fI79IfrYgLdAx2nce-L7ve8NKLCX324/edit#slide=id.g3503834cf_01 For EV certificate, just display EV information in the pop-over To manage notifications about this bug go to: https://bugs.launchpad.net/canonical-devices-system-image/+bug/1377194/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
