Closed Bug 911880 (trusted-window) Opened 11 years ago Closed 9 years ago

[Window Management] Rework TrustedUI implementation by BaseWindow or AppWindow

Categories

(Firefox OS Graveyard :: Gaia::System::Window Mgmt, defect)

Product:
Firefox OS Graveyard
Component:
Gaia::System::Window Mgmt
Platform:
ARM
Gonk (Firefox OS)
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
2.1 S1 (1aug)

People

(Reporter: alive, Assigned: gduan)

References

Details

(Whiteboard: [p=3])

Attachments

(2 files)

PR to master
46 bytes, text/x-github-pull-request
alive
: review+
alive
: feedback+
Details | Review
Screenshot
84.20 KB, image/png
Details 
Currently we're maintaining the app origin in trustedUI, Modal Dialog, Popup Manager, Attention Screen and all other app specific dialog (except for error dialog, it's moved into appWindow already).

We want to move trustedUI into AppWindow or BaseWindow class and after that we don't need to listen appwillopen/appopen/appwillclose/appclose event anymore.

And with this we could reuse anything has implemented in appWindow like appError.
Component: Gaia::System → Gaia::System::Window Mgmt
No longer blocks: task-manager
Alias: trusted-window
A nontrivial one, wanna to challenge?

* Implement TrustedWindow
* Use child_window_factory to open TrustedWindow
* Fix the transition problem when moving trustedWindow in AppWindow
Flags: needinfo?(gduan)
Take it.
Assignee: nobody → gduan
Flags: needinfo?(gduan)
Whiteboard: [p=3]
Target Milestone: --- → 2.0 S6 (18july)
Target Milestone: 2.0 S6 (18july) → 2.1 S1 (1aug)
[Blocking Requested - why for this release]:

Nominated this as 2.1+ as bug 1094550 has been marked as v2.1+.
blocking-b2g: --- → 2.1?
status-b2g-v2.1: --- → affected
status-b2g-v2.2: --- → affected
Hi George,

As our discussion, if you're working on this, please be informed this would be needed for v2.1 blocker.
If not, please help share your WIP and maybe I can help follow up.

Thanks.
Flags: needinfo?(gduan)
(In reply to Rudy Lu [:rudyl] from comment #4)
> [Blocking Requested - why for this release]:
> 
> Nominated this as 2.1+ as bug 1094550 has been marked as v2.1+.

I don't think it make sense to nominate refactor work as 2.1+ blocker. You need to consider the risk of introducing more blocker to v2.1 too.

Could we do a regression fix on bug 1094550 instead?
Flags: needinfo?(rlu)
See bug 1094550 comment 21, sorry for overlooking the risk and workload that might come with this refactoring, will tackle bug 1094550 with a regression fix.
blocking-b2g: 2.1? → ---
status-b2g-v2.1: affected → ---
status-b2g-v2.2: affected → ---
Flags: needinfo?(rlu)
Flags: needinfo?(gduan)
Attached file PR to master 
Hi Alive,
could I have your feedback on this patch? I hope I'm on the right direction.
Attachment #8522247 - Flags: feedback?(alive)
Comment on attachment 8522247 [details] [review]
PR to master

Please move all specific elements into TrustedChrome and done event handling there. Minimize the specific code in TrustedWindow.
Attachment #8522247 - Flags: feedback?(alive)
Comment on attachment 8522247 [details] [review]
PR to master

Hi Alive,
could I have your feedback again? Thanks!
Attachment #8522247 - Flags: feedback?(alive)
Comment on attachment 8522247 [details] [review]
PR to master

nits in github
Attachment #8522247 - Flags: feedback?(alive) → feedback+
Comment on attachment 8522247 [details] [review]
PR to master

Hi Alive,
could you review this patch? Thanks.
Attachment #8522247 - Flags: review?(alive)
Comment on attachment 8522247 [details] [review]
PR to master

Well done! especially for integration test. Pay attention to following regression bug if any. Thanks!
Attachment #8522247 - Flags: review?(alive) → review+
master: https://github.com/mozilla-b2g/gaia/commit/7ac2a7f98b144f5f41a32d0b22b33ebe849317a9
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Thanks George and Alive! This is quite an excellent work. We were really hoping to get rid of the old Trusted UI for a long time [1][2] :)

However, as I mentioned on IRC, we missed some input from the security folks here :( We need to keep them in the loop for this kind of changes.

Let's forget about the old trusted UI and the homescreen overlay. I believe we all agree that that design wasn't good and it didn't really provided any real security for the user.

Looking at what we landed here, it seems that we are still not providing enough security for users :( We are opening a regular popup window loading the identity and payment flows where we only show the title of the embedded page and a padlock if it is an https content (which has to be at least for this two APIs cause the implementation enforces it). There is no way for the user to know the URL or the SSL verified information of the embedded content. IMHO we should show this. And as we discussed in IRC, we should do this for all cases, not only for the trusted UI special case. This information should always be available to the user, as it is in the desktop browser [3].

Now, how can we show this information in a way that cannot be (easily) spoofable?

As we said on IRC, one option is to always show this information in the rocketbar. But this is quite easy to mock with a fullscreen app. So IMHO that shouldn't be the solution.

What I think is a better place for this information is the task switcher. This UI can only be shown by holding the home button which triggers an event that 3rd party apps cannot capture and so cannot spoof. It also give us far more screen space than the rocketbar, so we can show more information (and probably with a better UI design).

What do you think?

[1] https://groups.google.com/forum/#!searchin/mozilla.dev.b2g/redesigning$20the$20trusted$20ui$20/mozilla.dev.b2g/aH4rDn3qEiQ/QWF-Nmv9VdQJ
[2] https://groups.google.com/forum/#!msg/mozilla.dev.b2g/t4Fd5r7MD3w/ZAU5sk1eREwJ
[3] https://support.mozilla.org/en-US/kb/how-do-i-tell-if-my-connection-is-secure
Flags: needinfo?(ptheriault)
Flags: needinfo?(amac.bug)
Attached image Screenshot 
This is how the trusted UI looks like after this patch. There is now way to check the URL, the padlock is not clickable and there is no additional information about the embedded content anywhere.
> What I think is a better place for this information is the task switcher.
> This UI can only be shown by holding the home button which triggers an event
> that 3rd party apps cannot capture and so cannot spoof. It also give us far
> more screen space than the rocketbar, so we can show more information (and
> probably with a better UI design).
> 
> What do you think?

That sounds good to me. Currently we actually already show the URL of hosted apps in the task switcher. 

But there are a couple challenges:
- the home button cancels the mozpay dialog. We'd need to catch for long press and I dont imagine that dialogs actually show up in the taskswitcher right now
- To be consistent, we need to show for the browser too. Which will mean some kind of API for the browser to be able to set the URL based on the whatever it is showing in the address bar. I don't know how the integrated system browser works but there is probably some way for the task manager in the system app to observe the browser app and figure out what page is being displayed? Not sure. 

Its not the most discoverable place but it sounds like a good start.
Flags: needinfo?(ptheriault)
Flags: needinfo?(amac.bug)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: