RequestPolicyContinued / requestpolicy

a web browser extension that gives you control over cross-site requests. Available for XUL/XPCOM-based browsers.
https://github.com/RequestPolicyContinued/requestpolicy/wiki
Other
252 stars 35 forks source link

Preference Dialog & Context Menu do not readily support all site request policies #100

Open msxfm opened 10 years ago

msxfm commented 10 years ago

Issue by jsamuel Thursday Dec 22, 2011 at 18:52 GMT Originally opened as https://github.com/RequestPolicy/requestpolicy/issues/100


imported trac ticket
created: 2010-05-02 13:51:39
reporter: eibwen

There are at least three parameters for a site policy rule: (a) Applicability: origin, destination, or origin-to-destination; (b) Specificity: 2nd level domain, full domain, full domain + protocol + port; and (c) Policy: DENY, Temporary ALLOW, ALLOW (and with [#6], BLACKLIST)

The current UI is structured to support distinctly separate applicability at predefined specificity, with policy state changes only (eg Temporarily ALLOW <-> ALLOW is not directly supported).

Further, the current UI is inconsistently structured. The Preferences dialog segregates each applicability to separate tabs, despite the fact that the same site may appear in all lists. Perhaps the export/import format is more conducive to editing; however, it should not be required for typical changes. The Context Menu separates "primary" origin from destination and origin-to-destination, and "secondary" origin(s) are segregated to a submenu; however, the destination and origin-to-destination applicability is not separated. The Specificity setting can only be changed from the Preferences dialog, and is not separately configurable for origins-to-destinations. Moreover, cross site requests more specific than the current setting are not shown, whereas the user may still want to implement policy, but be unaware of the request, and thus the need to change the setting.

As a result, users likely attempt to specify policy solely through the Context Menu with limited specificity setting changes. However, this does not seem to match the average use case, where users trust different origins and destinations (even as part of an origin-to-destination) separately. It also inhibits same policy state changes, such as users setting Temporarily ALLOW, confirming the result, and then upgrading to ALLOW.

The full matrix of possible combinations is significant, particularly as the origin-to-destination applicability should allow separate specificity. This will only get significantly more complex when BLACKLIST support is added.

This bug is intended to open a dialog about the UI usability and consistency issues to propose changes and make improvements.

msxfm commented 10 years ago

Comment by jsamuel Thursday Dec 22, 2011 at 18:52 GMT


imported trac comment
created: 2010-05-02 16:23:26
author: eibwen

Proposal

Use select boxes for specificity and policy, with a special specificity option ANYWHERE to provide for all applicability options. Treat the specificity setting as a DEFAULT specificity selection, and pre-select options accordingly.

For example, options for a single page may look like (rows indicate different rules):

FROM TO POLICY IS
www.example.com static.example.com ALLOW
example.com http://this.othersite.example:80 Temporarily ALLOW
static.example.com ANYWHERE DENY

With options for a rule (rows indicate different options from SAME select box):

FROM TO POLICY IS
ANYWHERE ANYWHERE DENY
example.com site.example Temporarily ALLOW
www.example.com static.site.example ALLOW
http://www.example.com:80 http://static.site.example:80 (BLACKLIST)

See attachment for a screenshot of a mockup in Gtk+.

BENEFITS

  1. This organizes all policy rules regardless of applicability or policy.
  2. It provides for varying levels of specificity, without having to repeatedly toggle settings.
  3. It would eliminate all the submenus from the Context Menu.
  4. It could preserving the color scheme (GREEN for Temporarily ALLOW & ALLOW, ORANGE for "secondary" origin(s), RED for DENY).
  5. It provides for setting ALL policy rules without requiring reopening the menu.
  6. This could be optionally implemented with ACCEPT / CANCEL buttons to confirm changes, thereby permitting multiple changes and reloading only once.

HOWEVER

  1. The proposed use of select boxes is not traditional for the page Context Menu item. May not be traditional for Toolbar icon. It is appropriate for the statusbar icon.
  2. Multiple rules between same origin and destination with different specificity and policy is not clearly handled. One idea is that use of the ACCEPT button with different settings would automatically insert a new rule row; however, the principle of least surprise should apply here.
  3. ANYWHERE to ANYWHERE rules may be inadvertently set, surprising unwitting users. Perhaps disable the second ANYWHERE if a user already selected one, unless a special preferences setting is enabled?
msxfm commented 10 years ago

Comment by jsamuel Thursday Dec 22, 2011 at 18:52 GMT


imported trac comment
created: 2010-05-02 17:35:14
author: eibwen

A second proposal was previously submitted as #70.

msxfm commented 10 years ago

Comment by jsamuel Thursday Dec 22, 2011 at 18:52 GMT


imported trac comment
created: 2010-05-02 17:49:42
author: eibwen

74 notes that it would be useful to see full specificity and optionally down select.

msxfm commented 10 years ago

Comment by jsamuel Thursday Dec 22, 2011 at 18:52 GMT


imported trac comment
created: 2011-02-05 12:58:25
author: eibwen

167 also identifies that the menu does not present all policy states (ALLOW vs Temporary ALLOW).

msxfm commented 10 years ago

Comment by jsamuel Thursday Dec 22, 2011 at 18:52 GMT


imported trac comment
created: 2011-06-08 03:36:53
author: eibwen

Deferring interface to support the varying levels of specificity (eg http://static.example.com, static.example.com, and example.com) until the related bugs are resolved, let's focus on the origin (local/foreign) and state (allow/deny).

Currently, the organization is as follows:

  Foreign Origin > [Foreign Origin 1] > [Foreign Deny]
                                      > [Foreign Allow]
  [Local Deny]
  [Local Allow]

Criticisms:

Interim Compromise Proposal

  1. Merge the allow and deny policy sections.
    • Color distinction is sufficient to differentiate allow / deny.
    • Bold font can be used to differentiate temporary from permanent.
    • Improve user experience by not having sites appear to "jump" from one place to another.
      1. Merge all requests into a singular menu with appropriate headings.
    • At a glance visibility to all cross-site request activity and corresponding policy.
    • Facilitate faster foreign origin policy changes.
      1. Change the policy-setting submenuitems to be radiomenuitems.
    • Permanently / Temporarily Allow / Deny are four exclusive states.
    • This would facilitate changing multiple policies without having to re-open the menu.

See attached csrf-mockup.png screenshot for a mockup.

Note the following:

The proposed seems the cleanest, most accessible interim solution, that can be implemented the most readily...