Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Better Handling of Redirects and Reloads

1 view
Skip to first unread message

Rhino

unread,
Feb 25, 2013, 10:42:19 AM2/25/13
to
Based on the name of this newsgroup, I'm assuming this is the best place
to go to make suggestions about future improvements to Firefox.

With that in mind, I'd like to direct your attention to a thread I
started yesterday (2013-02-24) on mozilla.support.firefox entitled
"Firefox prevented this page from reloading". It's not a terribly long
thread but someone going by the handle "VanguardLH" has made some very
useful suggestions about how Firefox could handle page reloads and
redirects better in response to my original question. Here's the gist of
the discussion in case you don't want to dig up the original thread:

=======================================================================
>> While it is a handy security feature to let you know when a page tries
>> to redirect you to another page, I wish they had a sub-option "Only when
>> redirect goes to a different domain". Sites often use redirects (meta-
>> refresh or Javascripted refresh) when they change their layout. They
>> know some of their pages may still link to the old one, users have
>> cached copies of web pages, or users have direct links to web pages.
>> I'm not concerned about a site redirecting me within that site. It's
>> when they try to redirect me elsewhere (off-domain) that I want to know.
>>
>> The infobar that Firefox displays when it has blocked the redirect is
>> nearly worthless. Yeah, it blocked the redirect but to WHERE? I should
>> not have to view the page code to figure out where they tried to send
>> me. Obviously Firefox already knows they tried that and to where
>> (because it saw it was different than the current site). It's like you
>> out doing some grocery shopping and you get a texted alert that says
>> "It's on fire." WHAT is on fire? Your home? Your car? Your hair?
>> Before I click to allow the redirect, I want to know where it goes.
>>
>> They have a browser width infobar that pops up and yet they can't manage
>> to tell you to where they blocked a redirect. Argh!
>>
>
> I agree with you completely about everything you said. There should be
> an option to allow redirects if they stay on the same page.

Well, to a different web page but at the same [sub]domain.

> Also, the
> message should contain a lot more information so that users can make a
> better decision about what to do when it appears.

Looks like Mozilla has emulated Microsoft in providing non-informative
alerts.

> Neither of those ideas, especially the second one, should be hard to do.
> As you pointed out, they already know that the redirect is going to
> another site so showing its URL is pretty straight-forward. I say that
> as someone who has written programs professionally.

The 2 ways that I know of redirection is to use meta-refresh and
Javascript. I've noticed some sites try to get sneaky and use a
meta-refresh inside a <NOSCRIPT> tag where it is illegal but some web
browsers, like Firefox, allow and comply. Mozilla didn't want to
address the mixed content (HTTP content delivered to an HTTPS page)
because blocking it would break a lot of badly designed web sites; i.e.,
Mozilla didn't want to be the leader in forcing web sites to stop mixing
secure and insecure content in a web page. Mozilla also won't enforce
erroring on meta-refresh inside a <NOSCRIPT> tag for the same reason
that it would break a lot of badly designed or sneaky web sites using
that trick. I see the NoScript add-on has an option to block that
trick; however, either I've not hit one of those sneaky sites using
meta-refresh inside <NOSCRIPT> or NoScript blocks with an alert.

For the meta-refresh method, it's pretty obvious how to detect that in
the page code: look for a <META> tag with an http-equiv parameter set to
"refresh". The Javascript timer method to reload the page (but specify
a different target), especially if it is obfuscated, could be tougher to
detect but one method would be that a page at one domain suddenly wants
to move to another page at a DIFFERENT domain but with no interaction
from the user, like clicking on a link. Instead of looking for just
meta-refresh, look for a page transition to another domain that involved
no human interaction on the first page. This would require monitoring
of behavior rather than parsing page code.


=======================================================================

I strongly recommend a change to Firefox that would do what VanguardLH
is suggesting. I would find it very helpful and I think many others
would too.

And while I'm here, I'd like to point out that the existing process for
soliciting suggestions, the "I have an idea" page, is woefully
inadequate for the purpose. A limit of 250 characters is just too
restrictive to make any sort of meaningful suggestion about something
that could be added or changed. It's not even big enough to make the
suggestion, let alone to explain WHY it is a good idea. My contribution
to your wishlist is to improve that process so that people can make -
and justify - proposals for changes to Firefox without having to be as
terse as a text.

While _some_ limit on the length of a suggestion might be necessary to
encourage conciseness, 250 characters is WAY too low a limit.
--
Rhino
0 new messages