User is unable to visit "https://" page with expired certificates

[SimonBasca]

Steps to reproduce:

1. Go to "badssl.com"
2. Tap on expired certificates.

Actual results:

• User is unable to visit page with expired certificates

Expected results:

• A warning page should be displayed with two options: 1) Go back 2) Visit anyway

Note:

• The issue is reproducible only for "https" pages with expired certificates.

Device: iPhone 12 Pro (15.0.2 ) Build: main 131df6

┆Issue is synchronized with this Jira Task

[rtestard]

We will limit this bug to implement the way Firefox handles these links by giving users an option to access the site. We'll open another issue related to UI improvements.

[razvanlitianu]

@rtestard Webpage is configurable. We can either replicate the same behaviour as Firefox ar come up with a new design for Focus.

[rtestard]

Thanks @razvanlitianu @jeffreygee Would it make sense to re-use the Android error pages on Focus in this instance?

[jeffreygee]

@rtestard I'm not sure because the ones on Android talk about having HTTPS on by default. See screenshot below:

But, if I'm reading this ticket right, it is an HTTPS site with just an expired certificate so the directions on this one wouldn't make sense. So, I think we can just carry over the one that's implemented in Firefox. Thoughts?

[rtestard]

Oh I thought Focus iOS had HTTPs only implemented and on by default, does it not @razvanlitianu ?

[razvanlitianu]

The message on Android is a bit misleading, I'm looking at the URL and it has https. The issue is with the certificate. @Mugurell Am I missing something?

[Mugurell]

The screenshot from https://mozilla.slack.com/archives/C03AT7XCP41/p1652202810758529 seems like a bug. @jeffreygee Can you reproduce seeing the https error page consistently? Does it happen in other scenarios also? It may be worth a ticket on focus-android.

[Mugurell]

Trying both the http only and expired certificate scenarios on Focus - Android v. 105.2.0 (latest release) with https-only mode activated I get:

page does not support https	page has expired certificate

[Mugurell]

The code and strings used on Android are available at https://github.com/mozilla-mobile/android-components/tree/main/components/browser/errorpages. Open to chat about them.

[rtestard]

@jeffreygee Do we have designs for the Focus error pages? We need a structure to follow in order to provide a custom message for this specific error.

[jeffreygee]

@rtestard - I'm not super familiar with us having them. Let's talk through this at next week's meeting. Might be something to include @ewachowiak on too

[rtestard]

@jeffreygee If you go to badssl.com and select "Expired" using Firefox (not Focus) on ios you'll see the Firefox UI for this error page. Does that sound OK to use this UI on Focus?

[jeffreygee]

Just an update - I have created a Jira ticket for @ewachowiak to review content on the template. (cc: @rtestard)

[ewachowiak]

@jeffreygee & @rtestard I updated the copy in this file and got it reviewed by the localization team and the content design team. It would be great to get an engineer to review this copy too for technical accuracy.

I'm also recommending that we update the Android pages too. Android actually requires some slightly different copy for the HTTPS error because the setting can be turned off in Android but not iOS

[Mugurell]

Created https://bugzilla.mozilla.org/show_bug.cgi?id=1812517 for updating the error pages on Android.

[razvanlitianu]

Hi @ewachowiak , as far as I am aware, the Focus iOS app does not currently have a feature called "HTTPS Only mode" with a toggle switch. I have been able to access HTTP pages while using the app, and I am curious if you are able to do the same. It may be worth considering adding this feature and including a toggle switch for it. @martinbalfanz , what are your thoughts on this? Is it possible to create a separate task or "story" for this feature to be developed? Also, do you know if the Firefox iOS app has this feature?

[ewachowiak]

@razvanlitianu Yes, please use this frame for the iOS copy, which does not mention the setting. This frame was just to illustrate the difference in the Android copy.

Firefox iOS does not have the ability to turn on HTTPS only mode either. But I see what you're saying, if you're able to access HTTP pages on Firefox Focus, then do we need this page at all?

@rtestard We'd need to create a SUMO link about HTTPS on iOS, similar to this Android one.

[martinbalfanz]

@razvanlitianu agreed, we should track this feature. I was under the assumption that we had it already. I'll file the issue for it! I'm not aware that regular Firefox has it, and I can't find it anywhere in the settings.

For this particular bug, this frame seems to be what we want.

@ewachowiak We're still discussing whether we want to plan for HTTPS-only or HTTPS-first, so it's good to keep the this design in case we decide for the former. I'll track the creation of the SUMO page in the new bug.

[iorgamgabriel]

Do I need to remove "Go Back (recommended)" button ? In figma it doesn't appear any more @jeffreygee @rtestard

[Mugurell]

@ewachowiak About the above question regarding the "Go back" button please note that at the moment all of Firefox desktop, Fenix and Focus have this option so if it is removed only from Focus it will be a significant difference.

[ewachowiak]

I'm not sure why @jeffreygee removed it from the designs. I wasn't aware it had been there before. He's out of office but can comment when he returns on Feb 2. Does this need to be resolved before then?

[Mugurell]

I'm not sure why @jeffreygee removed it from the designs. I wasn't aware it had been there before. He's out of office but can comment when he returns on Feb 2. Does this need to be resolved before then?

We can postpone the changes until a clear direction. Thank you!

[razvanlitianu]

The code and strings used on Android are available at https://github.com/mozilla-mobile/android-components/tree/main/components/browser/errorpages. Open to chat about them.

@Mugurell I noticed the repo is archived. Is there a new place to check them out?

[Mugurell]

The code and strings used on Android are available at https://github.com/mozilla-mobile/android-components/tree/main/components/browser/errorpages. Open to chat about them.

@Mugurell I noticed the repo is archived. Is there a new place to check them out?

The Android projects are being migrated to a monorepo. The upated link should be https://github.com/mozilla-mobile/firefox-android/tree/main/android-components/components/browser/errorpages.

[jeffreygee]

@Mugurell @ewachowiak - I can add it back in. I was using Fenix as a reference and if you visit expired.badssl.com on Fenix, it doesn't have the Go Back button (only the Accept the Risk and Continue), so we might want to make the experience consistent across there too.

[Mugurell]

@Mugurell @ewachowiak - I can add it back in. I was using Fenix as a reference and if you visit expired.badssl.com on Fenix, it doesn't have the Go Back button (only the Accept the Risk and Continue), so we might want to make the experience consistent across there too.

I think you saw the same as me today but @iorgamgabriel helped me remember the two scenarios for expired.badssl.com which function the same in all applications: Fenix, Focus and Firefox desktop:

• if accessing badssl.com and then tapping on expired then users will see both
  • a continue button
  • a back button because they have the badssl.com page in history to get back to
• if accessing in a new tab expired.badssl.com then users will see (in all applications)
  • a continue button
  • no back button because there is no page in history to go back to.