Changes to the Origin Info Bubble


Chris Palmer

Feb 13, 2015, 2:41:38 PM
to security-dev, ro...@chromium.org, markus...@chromium.org, security-enamel
Markus has questions about the OIB simplification, and some suggestions:

https://codereview.chromium.org/810893003/

Public form of the design document:

https://sites.google.com/a/chromium.org/dev/Home/chromium-security/enamel/goals-for-the-origin-info-bubble

Is the Site Settings link not enough? Would people like to have a Show
All Permissions button that expands the listing to show even
default-set permissions?

Keep in mind that this is my last day before leave, and that the new
status quo got UI team buy-in. If we want to add e.g. a Show All
Permissions button, it'll either have to wait until I'm back
(beginning of Q2) or someone else will have to write the CL.

Markus Heintz

Feb 13, 2015, 3:08:32 PM
to Chris Palmer, security-dev, ro...@chromium.org, security-enamel
Sorry for bringing up a few things again; I have no idea what was discussed.

I introduced Alex and Rebecca (UI/UX) to all of this in the past. So I'm happy to discuss potential changes and ideas with them.

I left some questions on the design doc.

It's either "Show all" or "Site Settings" link. Since you have added the "site settings" link, I suggest we also change the settings page to allow the users to see an overview of all their permissions for a given page. Otherwise your changes take away this option (I know some settings are missing at the moment but this is a bug).



--
Markus

Elisabeth Morant

Feb 13, 2015, 3:49:26 PM
to Markus Heintz, Chris Palmer, security-dev, ro...@chromium.org, security-enamel
On Fri, Feb 13, 2015 at 12:08 PM, 'Markus Heintz' via Security-dev <securi...@chromium.org> wrote:
> Sorry for bringing up a few things again; I have no idea what was discussed.
>
> I introduced Alex and Rebecca (UI/UX) to all of this in the past. So I'm happy to discuss potential changes and ideas with them.
>
> I left some questions on the design doc.
>
> It's either "Show all" or "Site Settings" link. Since you have added the "site settings" link, I suggest we also change the settings page to allow the users to see an overview of all their permissions for a given page. Otherwise your changes take away this option (I know some settings are missing at the moment but this is a bug).

We're currently working on a revamp of site settings on desktop, so that what we have on desktop more closely aligns with the new content settings on Clank. Rebecca is working on mocks for this and we're hoping to launch these changes as a part of the CrOS settings material redesign. Once the new settings page launches the "site settings" link will jump to a more easily digestible overview of what permissions have been granted, denied, or set to default for a given site. 


On Fri, Feb 13, 2015 at 8:41 PM, Chris Palmer <pal...@google.com> wrote:
> Markus has questions about the OIB simplification, and some suggestions:
>
> https://codereview.chromium.org/810893003/
>
> Public form of the design document:
>
> https://sites.google.com/a/chromium.org/dev/Home/chromium-security/enamel/goals-for-the-origin-info-bubble
>
> Is the Site Settings link not enough? Would people like to have a Show
> All Permissions button that expands the listing to show even
> default-set permissions?
>
> Keep in mind that this is my last day before leave, and that the new
> status quo got UI team buy-in. If we want to add e.g. a Show All
> Permissions button, it'll either have to wait until I'm back
> (beginning of Q2) or someone else will have to write the CL.
>
> --
> Markus

Craig Francis

Feb 16, 2015, 5:33:37 AM
to Chris Palmer, security-dev, ro...@chromium.org, markus...@chromium.org, security-enamel

On 13 Feb 2015, at 19:41, 'Chris Palmer' via Security-dev <securi...@chromium.org> wrote:

> Markus has questions about the OIB simplification, and some suggestions:
>
> https://codereview.chromium.org/810893003/
>
> Public form of the design document:
>
> https://sites.google.com/a/chromium.org/dev/Home/chromium-security/enamel/goals-for-the-origin-info-bubble
>
> Is the Site Settings link not enough? Would people like to have a Show
> All Permissions button that expands the listing to show even
> default-set permissions?



I know this is a very old problem, but if using HTTP Authentication (aka basic access authentication)... can we allow the user to logout?

It may not be best placed in the Origin Info Bubble... but it's been a problem for quite a while :-)

Craig

Ryan Sleevi

Feb 16, 2015, 5:41:44 AM
to Craig Francis, Markus Heintz, Rebecca Rolfe, security-dev, Chris Palmer, security-enamel


On Feb 16, 2015 2:33 AM, "Craig Francis" <craig....@gmail.com> wrote:
>
> I know this is a very old problem, but if using HTTP Authentication (aka basic access authentication)... can we allow the user to logout?

No.

>
> It may not be best placed in the Origin Info Bubble... but it's been a problem for quite a while :-)
>
> Craig

It is a problem not just of UI, but of fundamental protocol.

Consider a page that loads sub resources. You are prompted to auth for them. You now may have any number of identities associated. How do you show them? How do you revoke them? What about when you use a proxy? What new complications there?

I used to believe this was a solvable problem. Now I don't. If anything, sites should avoid browser UI as firmly as possible. Beyond Basic Auth being itself broken ;)

Craig Francis

Feb 16, 2015, 6:24:52 AM
to rsl...@chromium.org, Markus Heintz, Rebecca Rolfe, security-dev, Chris Palmer, security-enamel
On 16 Feb 2015, at 10:41, Ryan Sleevi <rsl...@chromium.org> wrote:

> Consider a page that loads sub resources. You are prompted to auth for them. You now may have any number of identities associated. How do you show them. How do you revoke them? What about when you use a proxy? What new complications there?
>
> I used to believe this was a solvable problem. Now I don't. If anything, sites should avoid browser UI as firmly as possible. Beyond Basic Auth being itself broken ;)


Fair enough.

Personally I quite like the simplicity of it (considering how badly most authentication systems are created on most websites, says he having just audited 2 more websites with gaping holes everywhere)... although I admit, there are many other issues that HTTP Auth would need to address.

But having consistent UI between websites, provided by the browser (so hopefully not easily spoofed), I thought was a good thing... I like using standard browser UI :-)

But then again... I hope that one day we finally get to kill passwords (one way or another).

Craig