Preference Dialog & Context Menu do not readily support all site request policies

[msxfm]

Issue by jsamuel Thursday Dec 22, 2011 at 18:52 GMT Originally opened as https://github.com/RequestPolicy/requestpolicy/issues/100

---

imported trac ticket
created: 2010-05-02 13:51:39
reporter: eibwen

There are at least three parameters for a site policy rule: (a) Applicability: origin, destination, or origin-to-destination; (b) Specificity: 2nd level domain, full domain, full domain + protocol + port; and (c) Policy: DENY, Temporary ALLOW, ALLOW (and with [#6], BLACKLIST)

The current UI is structured to support distinctly separate applicability at predefined specificity, with policy state changes only (eg Temporarily ALLOW <-> ALLOW is not directly supported).

Further, the current UI is inconsistently structured. The Preferences dialog segregates each applicability to separate tabs, despite the fact that the same site may appear in all lists. Perhaps the export/import format is more conducive to editing; however, it should not be required for typical changes. The Context Menu separates "primary" origin from destination and origin-to-destination, and "secondary" origin(s) are segregated to a submenu; however, the destination and origin-to-destination applicability is not separated. The Specificity setting can only be changed from the Preferences dialog, and is not separately configurable for origins-to-destinations. Moreover, cross site requests more specific than the current setting are not shown, whereas the user may still want to implement policy, but be unaware of the request, and thus the need to change the setting.

As a result, users likely attempt to specify policy solely through the Context Menu with limited specificity setting changes. However, this does not seem to match the average use case, where users trust different origins and destinations (even as part of an origin-to-destination) separately. It also inhibits same policy state changes, such as users setting Temporarily ALLOW, confirming the result, and then upgrading to ALLOW.

The full matrix of possible combinations is significant, particularly as the origin-to-destination applicability should allow separate specificity. This will only get significantly more complex when BLACKLIST support is added.

This bug is intended to open a dialog about the UI usability and consistency issues to propose changes and make improvements.

[msxfm]

Comment by jsamuel Thursday Dec 22, 2011 at 18:52 GMT

---

imported trac comment
created: 2010-05-02 16:23:26
author: eibwen

Proposal

Use select boxes for specificity and policy, with a special specificity option ANYWHERE to provide for all applicability options. Treat the specificity setting as a DEFAULT specificity selection, and pre-select options accordingly.

For example, options for a single page may look like (rows indicate different rules):

FROM	TO	POLICY IS
www.example.com	static.example.com	ALLOW
example.com	http://this.othersite.example:80	Temporarily ALLOW
static.example.com	ANYWHERE	DENY

With options for a rule (rows indicate different options from SAME select box):

FROM	TO	POLICY IS
ANYWHERE	ANYWHERE	DENY
example.com	site.example	Temporarily ALLOW
www.example.com	static.site.example	ALLOW
http://www.example.com:80	http://static.site.example:80	(BLACKLIST)

See attachment for a screenshot of a mockup in Gtk+.

BENEFITS

1. This organizes all policy rules regardless of applicability or policy.
2. It provides for varying levels of specificity, without having to repeatedly toggle settings.
3. It would eliminate all the submenus from the Context Menu.
4. It could preserving the color scheme (GREEN for Temporarily ALLOW & ALLOW, ORANGE for "secondary" origin(s), RED for DENY).
5. It provides for setting ALL policy rules without requiring reopening the menu.
6. This could be optionally implemented with ACCEPT / CANCEL buttons to confirm changes, thereby permitting multiple changes and reloading only once.

HOWEVER

1. The proposed use of select boxes is not traditional for the page Context Menu item. May not be traditional for Toolbar icon. It is appropriate for the statusbar icon.
2. Multiple rules between same origin and destination with different specificity and policy is not clearly handled. One idea is that use of the ACCEPT button with different settings would automatically insert a new rule row; however, the principle of least surprise should apply here.
3. ANYWHERE to ANYWHERE rules may be inadvertently set, surprising unwitting users. Perhaps disable the second ANYWHERE if a user already selected one, unless a special preferences setting is enabled?

[msxfm]

Comment by jsamuel Thursday Dec 22, 2011 at 18:52 GMT

---

imported trac comment
created: 2010-05-02 17:35:14
author: eibwen

A second proposal was previously submitted as #70.

[msxfm]

Comment by jsamuel Thursday Dec 22, 2011 at 18:52 GMT

---

imported trac comment
created: 2010-05-02 17:49:42
author: eibwen

74 notes that it would be useful to see full specificity and optionally down select.

[msxfm]

Comment by jsamuel Thursday Dec 22, 2011 at 18:52 GMT

---

imported trac comment
created: 2011-02-05 12:58:25
author: eibwen

167 also identifies that the menu does not present all policy states (ALLOW vs Temporary ALLOW).

[msxfm]

Comment by jsamuel Thursday Dec 22, 2011 at 18:52 GMT

---

imported trac comment
created: 2011-06-08 03:36:53
author: eibwen

Deferring interface to support the varying levels of specificity (eg http://static.example.com, static.example.com, and example.com) until the related bugs are resolved, let's focus on the origin (local/foreign) and state (allow/deny).

Currently, the organization is as follows:

  Foreign Origin > [Foreign Origin 1] > [Foreign Deny]
                                      > [Foreign Allow]
  [Local Deny]
  [Local Allow]

Criticisms:

• This structure is inconsistent. Local origin requests are included directly in the main menu with no "Local Origin" header; however, foreign origin requests menuitems are placed in a 3rd level submenu with two levels of submenu headers.
• Further, the separation of allow and deny request policy necessitates that sites jump between the sections as policy changes.

Interim Compromise Proposal

1. Merge the allow and deny policy sections.
   • Color distinction is sufficient to differentiate allow / deny.
   • Bold font can be used to differentiate temporary from permanent.
   • Improve user experience by not having sites appear to "jump" from one place to another.
     1. Merge all requests into a singular menu with appropriate headings.
   • At a glance visibility to all cross-site request activity and corresponding policy.
   • Facilitate faster foreign origin policy changes.
     1. Change the policy-setting submenuitems to be radiomenuitems.
   • Permanently / Temporarily Allow / Deny are four exclusive states.
   • This would facilitate changing multiple policies without having to re-open the menu.

See attached csrf-mockup.png screenshot for a mockup.

Note the following:

• The red and green colors used were generic to present the idea. Colorblind accessibility would likely necessitate using slightly different hues. General accessibility may recommend using imagemenuitems for sites to reflect allow/deny states graphically.
• The sequence of radiomenuitems is intentional for user experience:
  • Temporary Allow is first option for expedience (default Deny > basic Allow state)
  • Permanent Deny is last option for ease of targeting
  • Other states are in the middle and grouped in allow/deny sequence
• The heading ("FROM site TO:") could be changed to indicate origin, eg ("FROM site (foreign) TO:") or similar.
• The listed sites could be sorted in reverse domain order (eg "org.example.static") to provide a consistent ordering and maintain destination grouping. This could either be an internal only sorting key (still displaying as standard "static.example.org") or perhaps an opt-in option for those inclined to actually display reverse as well.

The proposed seems the cleanest, most accessible interim solution, that can be implemented the most readily...