Location Bar Proposal

15 views
Skip to first unread message

Gervase Markham

unread,
May 21, 2007, 8:01:52 AM5/21/07
to d...@design-noir.de, Ka-Ping Yee
[Note: also posted to my blog[0].]

For the past few weeks, we've been playing with various ideas relating
to the Location Bar here in mozilla.dev.apps.firefox[1]. Dao Gottwald
has been doing a great job keeping up with the suggestions, and
implementing them in the excellent LocationBar2 extension[2].

Having done the prototyping, and a UI review with Jonathan Nightingale
and Mike Beltzer, we now propose that we do the following two
independent things, as a start:

1) Remove the favicon from the URL bar. We want to make the URL bar
totally trusted, and that means not allowing sites to control parts of
it to spoof locks or things like that. We can either remove it entirely
or replace it with a generic page icon/folder icon/whatever under our
control.

I note that mockups posted recently for the Places UI use this icon for
a menu, and so we may need to negotiate as to what happens.

2) Change the URL bar so that everything except "Public Suffix + 2" is
greyed out. If the URL bar is focussed or hovered over, the colour
switches back to black throughout. This should be possible using CSS
only. The "greyed-out" colour is a pref; people who don't like this
feature can set it to "black".

Public Suffix (also called Effective TLD[3]) is the part of the URL not
owned by a registrant. E.g. ".com", ".co.uk", "hokkaido.co.jp". 2 is the
default for a pref; we think this is the right number, but want real
world experience. So Public Suffix + 2 is e.g. http://WWW.MOZILLA.ORG,
http://www.IBANK.BARCLAYS.CO.UK/foo/bar/login.do,
http://www.FRED.BLOGSPOT.COM/archive/2007/04/06/mypost.

This will look basically as mocked up by Ka-Ping Yee here:
http://zesty.ca/mozilla/locbar.html

We may also do other things from the LocationBar2 UI experiments.
However, these two things are where we want to start, and then we can
look at further changes.

I'd like to finish by pointing out that it seems to me that the process
we've just gone through is a textbook example of how open source
development and UI prototyping _should_ work in our world. We had loads
of cool ideas, implemented them in an extension, kicked them around a
lot in discussion, realised some were too radical, and have now come out
with a considered proposal. This rocks. Thank you to everyone who took part.

Gerv

[0]
http://weblogs.mozillazine.org/gerv/archives/2007/05/location_bar_proposal_1.html
[1]
http://groups.google.com/group/mozilla.dev.apps.firefox/search?group=mozilla.dev.apps.firefox&q=location+bar&qt_g=Search+this+group
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=366797
[3] http://wiki.mozilla.org/Gecko:Effective_TLD_Service

Edward Lee

unread,
May 21, 2007, 12:27:23 PM5/21/07
to
Gervase Markham wrote:
> we now propose that we do the following two things *as a start*

> 1) Remove the favicon from the URL bar
> 2) everything except "Public Suffix + 2" is greyed out

Sounds good for a start for those who already look at the location bar
and understand domains.

Are there plans on how to get average users to look at the location bar
in the first place and show them something they can easily process?

I did a little user study of random people in the University's Student
Union to visit websites while using 1 of 3 versions of Firefox: standard
browser, LocationBar 2, in-your-face domain display.

The participants were provided a scenario of a scavenger hunt to visit
various linked websites to find a piece of information; about half of
the sites used a spoofed domain. None of the people in the study noticed
the small changes (facebook.com -> facelook.com), the odd changes
(www.google.com -> 1.2.3.4.5.6.7.8.9), or the big changes
(en.wikipedia.org -> en.wikiwikiland.net).

Even though some of them frequently visit those website (some daily, so
they should recognize the domain), they did not comment on anything
strange. Even when a third of participants usually manually enter
websites in the location bar when opening a browser (meaning they know
of domains), they did not notice the domain name changes. Half of them
avoid domains when opening the browser to go to websites by using
favorites/bookmarks or Google.

However, users do have some level of trust for various websites. For
each each answer, participants ranked a level of trust from 1 (low) to 5
(high). Interestingly, MySpace was consistently lower than others like
Google and YouTube.

Ed

Sohail Mirza

unread,
May 21, 2007, 6:55:11 PM5/21/07
to
On May 21, 8:01 am, Gervase Markham <g...@mozilla.org> wrote:
> 1) Remove the favicon from the URL bar. We want to make the URL bar
> totally trusted, and that means not allowing sites to control parts of
> it to spoof locks or things like that. We can either remove it entirely
> or replace it with a generic page icon/folder icon/whatever under our
> control.

By losing the favicon from the URL bar, we also lose the ability to
drag/drop the favicon to bookmark, etc. I'm not certain how many
Firefox users actually bookmark in this fashion, but I imagine a good
number of people could be bookmarking sites in this manner.

I'm aware that one can just as easily drag and drop the tab, but is
the average user aware of this? Downsides to this are that the
default behaviour of Firefox is to hide the tab bar when only one tab
is present, and that the favicons on the tab bar don't look drag/
droppable (much like the Fx icon in the window titlebar).

Has the ability to drag/drop the favicon been given due consideration
or affected the decision in any way?

Jesse Ruderman

unread,
May 22, 2007, 2:40:58 AM5/22/07
to
How about combining the favicon and throbber in the toolbar? That
would fix the "throbber is always visible" problem that annoys Mac
purists (without creating odd-looking blank space), and it would be
consistent with what we do on tabs.

Gervase Markham

unread,
May 22, 2007, 6:35:07 AM5/22/07
to

I think we want to keep site-controlled content corralled as much as
possible into the content area and tabs.

Also, I think the above is a solution in search of a problem. If we
remove the favicon from the URL bar, is it now invisible? No, it's on
the tabs. Why does it need greater visibility?

Gerv

Gervase Markham

unread,
May 22, 2007, 6:35:50 AM5/22/07
to
Sohail Mirza wrote:
> By losing the favicon from the URL bar, we also lose the ability to
> drag/drop the favicon to bookmark, etc. I'm not certain how many
> Firefox users actually bookmark in this fashion, but I imagine a good
> number of people could be bookmarking sites in this manner.

It's an open question as to whether it vanishes, or whether you get a
generic page icon in its place. This is an argument for the latter,
certainly.

Gerv

Robert Kaiser

unread,
May 22, 2007, 11:44:53 AM5/22/07
to
Gervase Markham schrieb:

> I think we want to keep site-controlled content corralled as much as
> possible into the content area and tabs.

Does this include text in the window's title bar, status bar (I guess
this is off by default anyways), etc.?

And then there's this recent proposal of site-controlled sidebars and
toolbars, which goes directly against this statement...

> Also, I think the above is a solution in search of a problem. If we
> remove the favicon from the URL bar, is it now invisible? No, it's on
> the tabs. Why does it need greater visibility?

Because there are people who might hide those [cursing language
stripped] tabs and not use them ;-)

But then, they can use a browser that still has this feature, like, say,
IE^H^HSeaMonkey, just to name one.

Robert Kaiser

Gervase Markham

unread,
May 23, 2007, 4:44:08 AM5/23/07
to
Robert Kaiser wrote:
> Gervase Markham schrieb:
>> I think we want to keep site-controlled content corralled as much as
>> possible into the content area and tabs.
>
> Does this include text in the window's title bar, status bar (I guess
> this is off by default anyways), etc.?

We switched off the ability for the site to change the status bar text
for this reason as well.

> And then there's this recent proposal of site-controlled sidebars and
> toolbars, which goes directly against this statement...

Not necessarily. These would appear in the content area. It would be
important to style these so they appeared like content rather than chrome.

> But then, they can use a browser that still has this feature, like, say,
> IE^H^HSeaMonkey, just to name one.

Quite.

Gerv

rainierw...@gmail.com

unread,
Jun 2, 2007, 7:41:24 PM6/2/07
to
The "Public Suffix + 2" idea looks good (but there's too much
difference between the black and grey used in the mockup; I don't
think the grey should be so faint).

Removing the favicon would mean that you should simply remove any icon
in the location bar altogether. What's the point of wasting space to
show a white page 100% of the time? However, I hope that you do not
remove it because the padlock icon doesn't appear to the left of the
URL and always appears to the right. Besides which, the location bar
also changes colour, which is what I pay more attention to, so if
there are some dummies that are being fooled by a padlock favicon,
then should Firefox users with brains have their browser stripped bare
in an attempt to protect idiots from themselves? I surely hope not...

dusa...@gmail.com

unread,
Jun 2, 2007, 10:16:00 PM6/2/07
to

>
> 1) Remove the favicon from the URL bar. We want to make the URL bar
> totally trusted, and that means not allowing sites to control parts of
> it to spoof locks or things like that. We can either remove it entirely
> or replace it with a generic page icon/folder icon/whatever under our
> control.

Why lose a feature? This will not add anything to the actual security.
Just a "feel good" measure and cramping the creativity. Absolutely
wrong. Majority of sites use favicon for creative content, not for
spoofing locks.

We can either remove it entirely
> or replace it with a generic page icon/folder icon/whatever under our
> control.

...
Why should it be generic and/or under your control? Give us more
freedom in the URL bar. Allow site to use different font, style,...
That is progressive. Control it against the "lies", not against the
design.

>

> 2) Change the URL bar so that everything except "Public Suffix + 2" is
> greyed out. If the URL bar is focussed or hovered over, the colour
> switches back to black throughout. This should be possible using CSS
> only. The "greyed-out" colour is a pref; people who don't like this
> feature can set it to "black".
>

More "overcontroling"... URL is there to give complete description of
the page
location. User have a great interest to know what it is. Do not
interrupt
between the user and the content! Do make security features that
prevent spoofing
but do not obstruct the user in any way or highlight parts of your
choice.


>
> This will look basically as mocked up by Ka-Ping Yee here:http://zesty.ca/mozilla/locbar.html
>
>

Please provide the real security and do not cramp the creativity of
designers. Stay away
from filtering the content in any way. That would summarize my
opinion.

Hope this helps,

Dusan Maletic

marty...@gmail.com

unread,
Jun 3, 2007, 12:36:19 AM6/3/07
to

Removing the favicon from the location bar seems wrong, but I can't
put my finger on why. Perhaps because I can't think of another
logical place for it. It also serves as a bookmark drag target, so it
shouldn't move far from where it has been since it was created. On
second thought, if the URI is going to have visual clues about itself,
moving the favicon is probably unnecessary.

In my opinion, the main reason why phishing works is because the
average user doesn't know how a URI is constructed. Give them some
hints. Highlighting the domain + TLD is a good start, however I
suggest this feature launch in its complete form: differentiate all 6
(7) segments of the URI by color:

- protocol
- hostname (ie, www)
- domain + TLD
- path
- filename
- GET string (names and values could be colored differently)
- anchor

In the mockup, the rest of the URI has been grayed out too much.
Perhaps make domain + TLD bold, and colorize the other segments?

Not that the average user ever looks at URI's in the bottom toolbar
when hovering over links, but I also suggest applying the same
highlighting scheme there as well.

dan...@glazman.org

unread,
Jun 3, 2007, 1:53:18 AM6/3/07
to
I think both proposals are dangerous as they are.

1. I see more cons to the loss of the favicon in the adressbar than
pros.

2. using a grey font color in the address bar is a HUGE accessibility
and readability issue... I burnt my right eye a long ago and lost a
bit of sensibility to reds and yellows. The screenshot shown in Alex
Faaborg's blog is already VERY hard to read for me. Do **NOT**
implement this feature w/o spending hours thinking on the
accessibility problems it implies. Thanks.

</Daniel>

Robert Sayre

unread,
Jun 3, 2007, 2:49:14 AM6/3/07
to dan...@glazman.org
dan...@glazman.org wrote:
> I think both proposals are dangerous as they are.
>
> 1. I see more cons to the loss of the favicon in the adressbar than
> pros.

This could be true. Perhaps you could list the pros and cons?

>
> 2. using a grey font color in the address bar is a HUGE accessibility
> and readability issue...

I agree that there are issues. I also found it pretty hard to look at.
Another issue is that the path component of URIs can sometimes be very
useful:

http://www.technorati.com/posts/tag/restful+web+services

and the grey coloring of the location bar makes that harder to read.

- Rob

Peter Lairo

unread,
Jun 3, 2007, 6:34:14 AM6/3/07
to
rainierw...@gmail.com said on 03.06.2007 01:41:

> I hope that you do not
> remove it because the padlock icon doesn't appear to the left of the
> URL and always appears to the right. Besides which, the location bar
> also changes colour, which is what I pay more attention to, so if
> there are some dummies that are being fooled by a padlock favicon,
> then should Firefox users with brains have their browser stripped bare
> in an attempt to protect idiots from themselves? I surely hope not...

+1
--
Regards,

Peter Lairo

The browser you can trust: www.GetFirefox.com
Reclaim Your Inbox: www.GetThunderbird.com

Peter Lairo

unread,
Jun 3, 2007, 6:36:21 AM6/3/07
to
dusa...@gmail.com said on 03.06.2007 04:16:

> Majority of sites use favicon for creative content, not for
> spoofing locks.

Make that: *vast* majority...

Anders Vindberg

unread,
Jun 3, 2007, 7:48:38 AM6/3/07
to

I second that!

A suggestion, how about extending the URI with some intellisence,
taking data from Google Sitemaps if a page has made such available.

Tony Mechelynck

unread,
Jun 3, 2007, 8:57:59 AM6/3/07
to
marty...@gmail.com wrote:
[...]

> Removing the favicon from the location bar seems wrong, but I can't
> put my finger on why. Perhaps because I can't think of another
> logical place for it. It also serves as a bookmark drag target, so it
> shouldn't move far from where it has been since it was created.

The favicon is already duplicated on the current tab; but I'd like it to
remain on the URL bar too: after all, the window title is duplicated on the
tab, does that mean we should remove one or the other?

> On
> second thought, if the URI is going to have visual clues about itself,
> moving the favicon is probably unnecessary.

I don't see why. The URI could have some parts bolded or grayed and still be
preceded by a site icon.

>
> In my opinion, the main reason why phishing works is because the
> average user doesn't know how a URI is constructed. Give them some
> hints. Highlighting the domain + TLD is a good start, however I
> suggest this feature launch in its complete form: differentiate all 6
> (7) segments of the URI by color:
>
> - protocol
> - hostname (ie, www)
> - domain + TLD
> - path
> - filename
> - GET string (names and values could be colored differently)
> - anchor
>
> In the mockup, the rest of the URI has been grayed out too much.
> Perhaps make domain + TLD bold, and colorize the other segments?
>
> Not that the average user ever looks at URI's in the bottom toolbar
> when hovering over links, but I also suggest applying the same
> highlighting scheme there as well.
>

I'd prefer the URL in the status bar to remain the "raw" HREF. It may be
something else that an HTTP or FTP URL, remember (mailto:, javascript: or even
about: come to mind; from a local page it could also be file: ).


Best regards,
Tony.
--
"You've got to think about tomorrow!"

"TOMORROW! I haven't even prepared for *_yesterday_* yet!"

Gervase Markham

unread,
Jun 4, 2007, 5:40:07 AM6/4/07
to
dusa...@gmail.com wrote:
> Why lose a feature? This will not add anything to the actual security.
> Just a "feel good" measure and cramping the creativity. Absolutely
> wrong. Majority of sites use favicon for creative content, not for
> spoofing locks.

And the majority of sites aren't malicious. That doesn't in itself mean
we should do nothing about those that are.

> Why should it be generic and/or under your control? Give us more
> freedom in the URL bar. Allow site to use different font, style,...
> That is progressive. Control it against the "lies", not against the
> design.

That's a terrible idea. It would make misleading users far easier if
sites could control the font used in the URL bar. We have enough trouble
finding one font that makes a good distinction between 1, i, l and I
without having to find a whole bunch.

> More "overcontroling"... URL is there to give complete description of
> the page
> location. User have a great interest to know what it is.

A user really cares that their JSESSIONID is 35FAGKE453F?

Gerv

Gervase Markham

unread,
Jun 4, 2007, 5:41:38 AM6/4/07
to
marty...@gmail.com wrote:
> In my opinion, the main reason why phishing works is because the
> average user doesn't know how a URI is constructed. Give them some
> hints. Highlighting the domain + TLD is a good start, however I
> suggest this feature launch in its complete form: differentiate all 6
> (7) segments of the URI by color:

And how would the user know which ones are the important ones?

Surely the solution to "users don't know how a URL is constructed" is
not "teach them" but "make it so they don't have to know".

If your user model and your program model don't fit together, change the
program model. It's much easier than changing the user model.

Gerv

Gervase Markham

unread,
Jun 4, 2007, 5:43:03 AM6/4/07
to
dan...@glazman.org wrote:
> 2. using a grey font color in the address bar is a HUGE accessibility
> and readability issue... I burnt my right eye a long ago and lost a
> bit of sensibility to reds and yellows. The screenshot shown in Alex
> Faaborg's blog is already VERY hard to read for me. Do **NOT**
> implement this feature w/o spending hours thinking on the
> accessibility problems it implies. Thanks.

It's not supposed to be as obvious. That's the _point_. If you want to
read the other parts of the URL, press Ctrl-L. The highlight difference
goes away whenever the URL bar is focussed or hovered.

Gerv

gfr...@adaptavist.com

unread,
Jun 4, 2007, 6:01:43 AM6/4/07
to
Locationbar2 would be a much better way to visualise the URL IMHO:

http://en.design-noir.de/mozilla/locationbar2/

The key things I like about it are:

* Convert URL to a breadcrumb trail
* Options for customising the design of the URL - eg. whether to hide
protocol, etc

Michael Lefevre

unread,
Jun 4, 2007, 1:01:36 PM6/4/07
to
On 2007-06-04, Gervase Markham <ge...@mozilla.org> wrote:
> dan...@glazman.org wrote:
>> 2. using a grey font color in the address bar is a HUGE accessibility
>> and readability issue...
[snip]

> It's not supposed to be as obvious. That's the _point_. If you want to
> read the other parts of the URL, press Ctrl-L. The highlight difference
> goes away whenever the URL bar is focussed or hovered.

Maybe it's not supposed to be obvious, but is it supposed to be readable?
If it supposed to show just the domain and give an indication that there
is some other stuff there, then is there a way of doing that without
making people try to read something that's hard to read?

If people's brains have to make a quick choice between straining their
eyes for a couple of seconds and moving their hands about, they will
probably go with the eye straining every time and give themselves a
headache.

On the other hand, I guess it won't be too hard to remove the greying-out
effect with an addon (or maybe even a couple of lines in the chrome CSS
file), for those people that understand URLs and want to read them all the
time.

--
Michael

ben.ja...@gmail.com

unread,
Jun 4, 2007, 5:10:28 PM6/4/07
to

I personally agree with many others when I say that the graying out is
a bit much. It's a good idea, but the way it's been implemented is
entirely wrong. Why are you fading out the rest of the url? Couldn't
you highlight the important part instead? Instead of making it stand
out by fading the rest of the address, why not just highlight it.

Also I'm a huge fan of favicons, and since on mac the bookmark bar
doesn't show them, I'd really rather not lose them in the url.
I think phishing will continue to be a problem, but this appears to
be a knee jerk reaction.

mark2...@gmail.com

unread,
Jun 5, 2007, 1:35:52 AM6/5/07
to
As a site designer I'm very against the removal of favicons. This can
be such a big deal that you would remove part of what makes each site
unique. That's disruption of the user experience. A Microsoft style
baby with the bath water precaution.


Peter Kasting

unread,
Jun 5, 2007, 1:59:48 AM6/5/07
to mark2...@gmail.com, dev-apps...@lists.mozilla.org

The proposal is to remove the favicon from the location bar, not from
tabs/bookmarks/etc.

"Don't Panic" - Douglas Adams

PK

Thomas Stache

unread,
Jun 5, 2007, 3:24:15 AM6/5/07
to
mark2...@gmail.com schrieb:

People, the proposal removes favicons from the location bar, but not
from the browser tabs. There you will see them in full glory.

Gervase Markham

unread,
Jun 5, 2007, 5:29:02 AM6/5/07
to
Michael Lefevre wrote:
> Maybe it's not supposed to be obvious, but is it supposed to be readable?
> If it supposed to show just the domain and give an indication that there
> is some other stuff there, then is there a way of doing that without
> making people try to read something that's hard to read?

Well, if something needs to be emphasised, that means that other things
have to be deemphasised. We tried things like bold, but characters (e.g.
i and l) are less different in bold fonts.

> On the other hand, I guess it won't be too hard to remove the greying-out
> effect with an addon (or maybe even a couple of lines in the chrome CSS
> file), for those people that understand URLs and want to read them all the
> time.

Indeed. There will probably be a pref.

Gerv

Gervase Markham

unread,
Jun 5, 2007, 5:30:25 AM6/5/07
to
ben.ja...@gmail.com wrote:
> I personally agree with many others when I say that the graying out is
> a bit much. It's a good idea, but the way it's been implemented is
> entirely wrong. Why are you fading out the rest of the url? Couldn't
> you highlight the important part instead? Instead of making it stand
> out by fading the rest of the address, why not just highlight it.

In what way? We have, thusfar, not been able to come up with a method of
highlighting which is both readable and accessible. (I suggest you read
about what we've tried before proposing one.)

> Also I'm a huge fan of favicons, and since on mac the bookmark bar
> doesn't show them, I'd really rather not lose them in the url.

They will still appear on the tabs.

> I think phishing will continue to be a problem, but this appears to
> be a knee jerk reaction.

What makes you say that? Have you analysed our reasons for making this
change?

Gerv

Gervase Markham

unread,
Jun 5, 2007, 5:31:40 AM6/5/07
to
gfr...@adaptavist.com wrote:
> * Convert URL to a breadcrumb trail

We've tried this - it just doesn't work from a usability perspective,
and it doesn't work from a website structure perspective. It's basically
the equivalent of adding a load of buttons to the interface which half
the time, when pressed, take you to a 404 Not Found page.

> * Options for customising the design of the URL - eg. whether to hide
> protocol, etc

Are you really suggesting that this be something Firefox has UI for by
default?

Gerv

Gervase Markham

unread,
Jun 5, 2007, 5:32:32 AM6/5/07
to

Have you actually bothered to familiarise yourself with what we are
actually proposing? We are not proposing the "removal of favicons".

(Anyway, even if we were, people coped fine without them up until a
couple of years ago.)

Gerv

Robert Kaiser

unread,
Jun 5, 2007, 8:03:36 AM6/5/07
to
Gervase Markham schrieb:

> Surely the solution to "users don't know how a URL is constructed" is
> not "teach them" but "make it so they don't have to know".

To me, this sounds of resolving drivers not understanding street signs
and traffic rules by abolishing cars instead of requiring people to get
a drivers license.

I think the real solution is "ease users to learn themselves what is
important" and not "remove everything from the UI that somehow could get
complicated". That's what I always have disliked about MS's misguided
"usability improvements" in Windows with hiding everything that was
actually useful and replacing it with useless eye candy.
We shouldn't go down that path generally. But then, Firefox sometimes
tries to just imitate MS's UI style too much for me anyways, so maybe my
view of this is just one of the reasons why I'm not a Firefox user
myself. ;-)

Robert kaiser

cruo...@gmail.com

unread,
Jun 5, 2007, 11:18:40 AM6/5/07
to
> This will look basically as mocked up by Ka-Ping Yee here:http://zesty.ca/mozilla/locbar.html
>
> We may also do other things from the LocationBar2 UI experiments.
> However, these two things are where we want to start, and then we can
> look at further changes.
>
> I'd like to finish by pointing out that it seems to me that the process
> we've just gone through is a textbook example of how open source
> development and UI prototyping _should_ work in our world. We had loads
> of cool ideas, implemented them in an extension, kicked them around a
> lot in discussion, realised some were too radical, and have now come out
> with a considered proposal. This rocks. Thank you to everyone who took part.
>
> Gerv
>
> [0]http://weblogs.mozillazine.org/gerv/archives/2007/05/location_bar_pro...
> [1]http://groups.google.com/group/mozilla.dev.apps.firefox/search?group=...
> [2]https://bugzilla.mozilla.org/show_bug.cgi?id=366797
> [3]http://wiki.mozilla.org/Gecko:Effective_TLD_Service

That's bulll****.

1.) the favicon helps in recognizing where I'm in fact. A nice little
image is often easier to remember than a quirky domain name. I propose
to make the favicon optional. Make the default setting whatever you
want, but don't remove it entirely, for goodness sake!

2.) As of me, I differentiate two kinds of browsing: cross-domain, and
intra-domain browsing. It's very common to browse dozens of pages on a
single domain. In most cases, it's the end of the domain which
actually tells you where you are: look at blogs, semantic urls, etc.

Firefox has a bunch of nice features. If there aren't much to do,
there aren't. Focus on security, memory management (which imo got
certainly better with 2.x), and ease of use. Do not reinvent the
wheel. Don't behave like Microsoft: respect what's commonly accepted
(here I mean the usage of favicons, for example).

Kevin

unread,
Jun 5, 2007, 12:48:46 PM6/5/07
to
On May 21, 5:01 am, Gervase Markham <g...@mozilla.org> wrote:
> 1) Remove the favicon from the URL bar.
> 2) Change the URL bar so that everything except "Public Suffix + 2" is
> greyed out.

I'm opposed to this idea for a few reasons:

* as mentioned, some people use the favicon in the URL bar for
bookmarking things (I've done that often) and for determining which
site the user is on. Designers use it for branding.

The argument that this icon will still show up on the tabs is moot
when only one page is being viewed -- there are no tabs then.

* it addresses an edge case (spoofed lock icons)

* alternative methods could be used to point out the domain (if domain
spoofing is the main concern here). If highlighting and bold don't
pass user experience tests, maybe flashing a background color (behind
a span for the public suffix +2) when the domain changes. It seems
that we're really only concerned with the times when a domain is
changing, not persistently.

* there is no easy way to tell the user that if they click on the URL
they'll be able to see the whole string, and the grayed-out text is
really difficult to read without focusing the URL bar.

* those users who ignore the URL now may notice the dimming the first
few times, but since it isn't in their main field of view, they will
probably ignore it after a few site visits, and they won't benefit
from having the color contrast there. (if they're not looking at the
domain now, how will dimming the text ensure that they'll look in the
future, if none of the text elements are becoming more visible?)

Removing or replacing the favicon doesn't directly solve the issue of
spoofing, nor does it offer any real benefits. It seems to have more
disadvantages than benefits, even if users do start noticing that
they're being spoofed (and informed users know where the proper place
for a SSL icon is, and the change in URL background color).

Furthermore, it seems that the malware detection feature could act as
a suitable method for informing the user that they are on a
questionable site. It would be more apparent to the end user and
doesn't remove any functionality in doing so.

Alternatively, there is my earlier suggestion that a brief
highlighting or spotlight effect on the TLD + domain would bring
enough attention when the site has changed (especially if the user
doesn't expect a change in the site name), which also doesn't require
eliminating the existing favicon functionality.

Alex Faaborg

unread,
Jun 5, 2007, 7:51:41 PM6/5/07
to dev-apps-firefox
Ok, here is my take on the two issues

Favicon:
To quote a statement beltzner made earlier today: "if the problem is
a 16x16 pixel favicon can look like our 16x16 pixel security
indicator, why don't we change the security indicator?" I completely
agree, and I think Johnathan is working on some new security UI mockups.

Grey URL bar text:
I am in favor of the changing the formating of the URL bar, since I
believe the domain name is simply more important than the rest of the
information, and for the vast majority of users, the domain name is
the only understandable piece of the URL.

However, I don't think this will have any effect of protecting users
from phishing attacks. Consider this study done at MIT:

> (60%) used rationalizations to justify the
> indicators of the attacks that they experienced. Nine
> subjects explained away odd URLs with comments like:
>
> www.ssl-yahoo.com is a subdirectory of Yahoo!, like
> mail.yahoo.com.
>
> sign.travelocity.com.zaga-zaga.us must be an
> outsourcing site for travelocity.com.
>
> Sometimes the company [Target] has to register a
> different name [www.mytargets.com] from its brand.
>
> What if target.com has already been taken by another
> company?
>
> Sometimes I go to a website and the site directs me to
> another address which is different from the one that I
> have typed.
>
> I have been to other sites that used IP addresses [instead
> of domain names].

http://groups.csail.mit.edu/uid/projects/phishing/chi-security-
toolbar.pdf

So, even if we go nuts and color code every part of the URL, AND
magically everyone understands the color coding, people are still
going to rationalize.

But I still think we should grey out the rest of the URL, not because
it will help with phising, but because the visual design matches the
relative importance of each piece of information.

-Alex

> _______________________________________________
> dev-apps-firefox mailing list
> dev-apps...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-apps-firefox

Gervase Markham

unread,
Jun 6, 2007, 5:30:00 AM6/6/07
to
Robert Kaiser wrote:
> To me, this sounds of resolving drivers not understanding street signs
> and traffic rules by abolishing cars instead of requiring people to get
> a drivers license.

I don't think that analogy holds. A better analogy would be resolving
drivers not understanding traffic rules by engineering the cars to know
how not to crash into each other, so they don't have to learn.

Is understanding a URL vital to being able to browse the web today? No,
but you can be at risk in some circumstances. So either we can teach
people to understand URLs (a very difficult task) or we can work to
eliminate the risk.

http://weblogs.mozillazine.org/gerv/archives/2007/06/choice_considered_harmful.html

Gerv

Gervase Markham

unread,
Jun 6, 2007, 5:30:42 AM6/6/07
to
cruo...@gmail.com wrote:
> 1.) the favicon helps in recognizing where I'm in fact. A nice little
> image is often easier to remember than a quirky domain name. I propose
> to make the favicon optional. Make the default setting whatever you
> want, but don't remove it entirely, for goodness sake!

Are you actually reading? We aren't removing it entirely.

Gerv

Gervase Markham

unread,
Jun 6, 2007, 5:36:32 AM6/6/07