Chrome is going to disable RC4 without any click-through override UI. They will have only about:flags option, command-line switch, and group policy for enterprise. https://codereview.chromium.org/1422293002/ We should remove our fallback UI ASAP. If Chrome 48 release is earlier than us, we should even consider to remove the UI from Fx44 (that is, never ship the UI from the start).

[Tracking Requested - why for this release]:

In case we remove the fallback UI from Fx44.

Comment on attachment 8679991 [details] [diff] [review] Strings for non-overridable errors Review of attachment 8679991 [details] [diff] [review]: ----------------------------------------------------------------- r=me if the strings were signed off ::: browser/locales/en-US/chrome/overrides/netError.dtd @@ +224,5 @@ > <!ENTITY weakCryptoAdvanced.title "Advanced"> > <!ENTITY weakCryptoAdvanced.longDesc "<span class='hostname'></span> uses security technology that is outdated and vulnerable to attack. An attacker could easily reveal information which you thought to be safe."> > <!ENTITY weakCryptoAdvanced.override "(Not secure) Try loading <span class='hostname'></span> using outdated security"> > +<!ENTITY weakCryptoAdvanced.desc2 "Why can't I go to <span class='hostname'></span>?"> > +<!ENTITY weakCryptoAdvanced.desc3 "The website owner has asked &brandShortName; to stop this page from loading. It's not your fault, and it's not &brandShortName;'s fault."> Has asked us to stop this page from loading? Sounds weird... are these signed off by a copy editor?

I took this string from the mock-up for bug 1202488. https://brampitoyo.github.io/fx-untrusted-connection/severe.xhtml Since nobody objected the string, I assume it is signed off.

Missed the train :(

Sorry about that, I wasn't aware that the deadline moved :( If you uplift today it might still be doable, create a patch for Aurora and ask for approval.

Comment on attachment 8679991 [details] [diff] [review] Strings for non-overridable errors Approval Request Comment [Feature/regressing bug #]: N/A [User impact if declined]: Users will not see descriptions why Firefox refused to load the webpage if RC4 fallback UI is withdrawn. [Describe test coverage new/current, TreeHerder]: Build locally, string change only. [Risks and why]: Very low, string change only. [String/UUID change made/needed]: string change (only) missed due to the merge day shift.

I'm not sure that pre-landing strings in uplift is a good idea. Also, the risk analysis should be matching that of the patch that you need to uplift to actually use these strings, IMHO. I'd also like to see an ETA for the actual patch.

I would also suggest to have a proper copy review. Having a general overview of all Firefox strings, these look "interesting". For example: there's not a single instance of "a little bit" in all mozilla-central, I don't remember seeing "fault" either.

We can't decide whether the string is used until Chrome 48 is released, but obviously it is too late to change the string. So I have to land the string now.

(In reply to Francesco Lodolo [:flod] from comment #10) > I would also suggest to have a proper copy review. Having a general overview > of all Firefox strings, these look "interesting". How can I request a copy review?

I confess it confuses the heck out of me the Chrome 48 reference, and the fact that we *have* to land the strings. I don't know exactly how copy review normally works in Firefox, hopefully Matej can at least help here in lack of a clearer process. Strings https://hg.mozilla.org/integration/fx-team/rev/72cfa6eac21f Screenshot (bottom of the page). https://bug1202488.bmoattachments.org/attachment.cgi?id=8657925 @Matej Can you give some suggestions?

The risk of the actual patch will also be pretty low. It will only replace a link with some strings (that are added here) in the error page.

A string review is already underway, but we were expecting the deadline for uplift to be Monday, so we missed the boat on this one. The current version I see in that document has indeed addressed the points raised by flod in comment 10. I'll post the final versions here once the review is finalized.

Comment on attachment 8679991 [details] [diff] [review] Strings for non-overridable errors Canceling the uplift request until the string is finalized.

I would also back-out from fx-team to avoid unnecessary confusion, assuming that's possible https://hg.mozilla.org/integration/fx-team/rev/72cfa6eac21f

(In reply to Francesco Lodolo [:flod] from comment #13) > > @Matej > Can you give some suggestions? I think we could really simplify this and collapse it into a single question and answer: Why won't <span class='hostname'></span> load? The website owner has asked &brandShortName; to stop this page from loading. Try visiting it later or from another network. The only thing that's not clear to me is what "another network" means. Is that helpful to a user if they don't understand it or know how to use/access a different network?

The last sentence as I see it in the document under review reads: "Try visiting this page later, or visit it using another internet connection". Matej, I will CC you on the review thread if you weren't already.

Backout: https://hg.mozilla.org/integration/fx-team/rev/5db171f726b2

Unfortunately the strings aren't final yet, what we have so far is this: Why can’t I go to [URL]? Because the website administrator needs to fix its server first. Unfortunately, there’s nothing you or Firefox can do. How do I fix it? Try visiting this page later, or visit it using another internet connection. On the other hand it doesn't seem likely to remove the RC4 warning in 44, so there is no rush to get these strings in.

I mentioned this in another bug, but I feel like we can combine these into one: Why can’t I go to [URL]? Because the website administrator needs to fix its server. Try visiting the page later or from a different Internet connection.

Are strings finalized? If not, What's the ETA? > On the other hand it doesn't seem likely to remove the RC4 warning in 44, so there is no rush to get these strings in. I would like to land the strings because Chrome 48 release is expected in mid-Jan 2016.

Folks, can I asked who approved all this? :emk mentions in the description that we should "consider" this, but I don't see any discussion where it's been considered, nor anyone giving final approval to back out the override.

We can't decide at this point because Chrome may add an override UI later. But it is impossible to change our strings when Chrome 48 is released. So I'm proposing to land only strings for now.

Thanks for the explanation :emk. Updating the bug summary.

Update: Talked to rbarnes offline and we're still committed to shipping with the override UI. I appreciate the effort to be ready in case we change our minds (thanks emk), but since we're committed to this, it's not needed. Can you back out whatever changes were made please?

Changes are already backed out (see comment #20).

Awesome - thanks for the quick response!

Since this is a wontfix, I do not feel the need to track it. Please renominate for tracking on another FF version if we decide to land this patch in the future.

Removing leave-open keyword from resolved bugs, per :sylvestre.