[tor-bugs] #8313 [TorBrowserButton]: Display a confirmation upon enabling Flash
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Mar 2 20:45:31 UTC 2013
#8313: Display a confirmation upon enabling Flash
--------------------------------------------+-------------------------------
Reporter: mikeperry | Owner: mikeperry
Type: enhancement | Status: needs_review
Priority: major | Milestone:
Component: TorBrowserButton | Version:
Keywords: tbb-usability, MikePerry201303 | Parent: #7470
Points: | Actualpoints:
--------------------------------------------+-------------------------------
Comment(by proper):
Replying to [comment:5 mikeperry]:
> Replying to [comment:4 proper]:
> > Bug 1:
> > I saw popup twice right after Tor Browser started with check.top. I
don't think it's the right time?
>
> This was either a race condition or because you already had flash
enabled because it doesn't happen for me. Either way, I attached a new XPI
that should prevent it. Let me know if it actually does.
Still see it right after TB started (twice) and when I want to disable it,
I also get it twice.
> > Suggestion 1:
> > Often read users don't know what an IP address is. Tails devs
recommend to me once to use IP/location instead. No strong opinion here.
> >
> > Suggestion 2:
> > "Harm your privacy" isn't strong enough. "Harm your anonymity"
perhaps? Oh well, you plan on fixing the (#7008) IP bypass problem. Well,
if #7008 gets implemented, you can change back to "Harm your privacy". In
meanwhile, when not using special precautions with stock TBB, IP leak is
imho "Harm your anonymity".
>
> I fixed the text to try to address both of these.
Looks good.
> > Suggestion 3:
> > Time until "ok" can be pressed is too short.
>
> This is a Firefox thing. It is governed by the pref
security.dialog_enable_delay. If we raise that, we raise it for everything
that uses it (including addon install, etc).
Doubling it can't hurt?
> > User experience, without flash enabled:
> > I think it's a bit too difficult for the mortal user. If you trained
them "flash = youtube, flash = no anonymity" and they see the noscript
question, they may say no and be disappointed or create support requests.
"Where can I say yes, where I must say no."
>
> Yeah, I think you're right. I am very conflicted about the NoScript
click-to-play. I am not sure HTML5 video has had enough time for the
underlying codecs to get audited, but the NoScript barrier really is
confusing. I think the "This plugin is disabled" barrier is also
confusing. I am trying to decide if I should just get rid of both of them
for better usability.
I don't know the security/privacy disadvantages by NoScript click-to-play.
I think, if there aren't any, you had already disabled it. In any case,
this ticket needs more commenter.
> > Concern:
> > Users will most likely think "it's ok to enable for youtube", then
they forget to disable it and shoot their own feet. Or not... If I
understand right even with flash enabled they have to activate the plugin
every time for every page/video/click?
>
> This is one of the reasons we have both the Firefox click-to-play
barrier and the blanket enable/disable. If you enable Flash but forget, at
least you're reminded by the click-to-play on other sites before Flash
automatically runs...
Ok.
> I have no idea why Firefox decides to sometimes give you a click-to-play
barrier and sometimes decides to do the dropdown thing, though. :/
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8313#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list