Closed Bug 184074 Opened 22 years ago Closed 13 years ago

Syntax highlighting in url bar

Categories

(SeaMonkey :: Location Bar, enhancement)

enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 689139

People

(Reporter: ra_hardy, Unassigned)

References

(Blocks 1 open bug)

Details

Attachments

(1 file, 1 obsolete file)

User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Build Identifier: 

Could syntax highlighting not be used in the url bar?  A basic version would 
just make the hostname bold, purely to make it stand out.    A more complex 
version would use different colours for the protocol, hostname, query string 
etc.

Reproducible: Always

Steps to Reproduce:
Type a url in the url bar

Actual Results:  
N/A

Expected Results:  
Mozilla would neatly and automatically make the hostname bold and use 
appropriate colours for the different parts of the url
I would find that kind of clutter in the urlbar very distracting.
Can you give any reasons for why you think it's needed?
URLs in themselves are very cluttered (take this one, 
http://bugzilla.mozilla.org/show_bug.cgi?id=184074, for instance).  I think 
it'd be useful to emphasise what host you're on as that's the important bit.  
The rest of it is pretty much irrelvant (as you either bookmark the page or 
find it via a search engine).  Hostnames are probably the only part you ever 
type in, so emphasising it helps out if you're not au fair with the anatomy or 
a URL.

In the same vain, the whole url bar could turn red if on a secure site - much 
more striking that a teeny tiny padlock symbol and a million pop-up dialogs. 

And if you don't like the 'clutter', you could turn it off.
How do you mean it helps someone unfamiliar with the "syntax" of an URL?
If they don't know which part the domain is, why would it mean any more if
written in pink?

As you say..the hostname is about the only part you ever type in. It's something
users get familiar with during their very first session with a browser.

This is pure bloat. Recommend WONTFIX.
I disagree with your point - 'normal' users don't get used to the concept of
hostnames.  It's a weird tekky thing.   Making the hostname bold adds a link
between what the user typed into the url bar and what appears when the page loads.
I'm sure some people wouldn't like it, but others might. worth considering,
particularly as it would help with some security issues with misleading URLs
like http://www.microsoft.com\thisisarealURLhonest@mozilla.org/ or whatever...

confirming as an RFE...
Status: UNCONFIRMED → NEW
Ever confirmed: true
Hardware: PC → All
Just two minor things I'd like to add:

- highlighting in a colour (eg blue) might be less obtrusive than highlighting
bold (and under most circumstances equally distinguishable).

- any such syntax highlighting would IMO only really need to occur after the
resource starts actually loading (ie, after any redirects and *not* during
typing) so as to make the user aware if they have loaded a spoofed URL.
Personally, I think that this is an excellent idea.  If you don't like it, don't
use it.  But for those who would find it useful, it would be a big boon.  I'm
not sure if I (personally) would use it or not, but I'd certainly like to have
the option - I'd at least turn it on and see what I thought.

I also think that it would help educate non-technical people as to the nature of
what they're seeing in the location bar - typically, I'm sure, it's all just a
mass of unintelligable characters.  If it's broken down into its component parts
in this fashion, it would help make things clearer.
There is also some discussion of this idea at MozillaZine here:

http://www.mozillazine.org/talkback.html?article=4078#17

This is in relation to the recent Microsoft security flaw, that Mozilla is
partially affected by, whereby the URL shown is not the actual URL visited.  (In
Mozilla, it's the status bar display that's incorrect.)

Thinking on this, the same kind of highlighting of the location bar URL
could/should also be applied to the status bar URL displayed when hovering over
a link.  As the other discussion mentions, this would help cut down on
"phishing" by explicitly drawing your attention to the fact that what the page
says you're getting is not what you're actually getting.
Many sites actually educate users to look at the URL in determining that the
site is really what it should be (I think PayPal was mentioned as an example).

Color can not be the only distinguishing way because of color blindness and
two-color (B&W) devices - bold host name seems like the best option to me. (But
please note that bold hostname would still not fix the spoofing issue
completely, because you could push the host name outside the visible area in
URLbar, and you could also force open a window without a URLbar.)
would underlining up to and including an @ work for this ?

http://www.microsoft.com%2f%00@bugzilla.mozilla.org/show_bug.cgi?id=184074#c10

type URIs would then be more spottable

including bold bugzilla.mozilla.org as well wouldn't hurt
Attached image Possible locations to display host name (obsolete) —
Initially this bug report seems like a good idea.
However after I reviewed it more, I don't think it's appropriate to be
highlighting the host name in the address bar. I think overall it will look
silly and people won't "get it".
We are talking about the subject of user education and I asked some users who I
consider slightly above average in computer skills and knowledge. If they could
tell what website/domain the would be at by looking at just the following
spoofed url:
http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm
They all replied microsoft.

Mozilla users tend to be more knowledgeable than the average IE user and I
still belive syntax highlighting will not work. Considering it will be a piece
of cake for the website spoofer to change the above url to be:
http://www.microsoft.com%01windows.blah.blah.blah.asdf.9009817216avweeffw3223q2351515la.aflwe@zapthedingbat.com/security/ex01/vun2.htm

Until the host name is outside the visible area.

The average user doesn't know the difference between a URL and a hostname. 
If the hostname is highlighted you will still have to train people to know what
that means.
So telling them that the hostname is after the @ or the hostname is highlighted
will still be a great undertaking.

I suggest a reasonable thing would be to display the URL as we do now then
display the hostname seperately. As users surf legitamite sites they will
notice that the url, the website content they see and the hostname all
correspond.
When they get a spoofed site it will be clear what the hostname is and they
will know not to trust it. This solution doesnt require education because the
GUI interface will be intuiative.

See the attached jpeg, look for the 4 stars where i suggested the hostname
appear. My personal favorite is below the tab title, but the tabs arent always
long enough. any input or better placement suggestions are welcome.

I know layout changes are going to be hard to make in 1.X so this may be a 2.0
solution.
> They all replied microsoft.

Which would, obviously, be wrong.  If the real host name were highlighted, then
it would help them to understand their error.  This is actually an argument in
*favour* of highlighting, not against it...

> Until the host name is outside the visible area.

Which can happen with any part of the URL, and not, I think, something that will
happen with *any* kind of regularlity at all.  What you're proposing is an edge
case that will almost never happen - certainly not often enough to be considered
here.  (You could always open another bug that implemented a horzontal scroll
for the location bar.)

> I suggest a reasonable thing would be to display the URL as we do now then
> display the hostname seperately.

First, I don't like it.  Especially as a solution to correct the problems with
highlighting you mention that I don't see as problems.  I think it makes things
too cluttered, and we should make use of the text that we're already displaying.
 Secondly, that's not this bug.  If you want to see that, you should file
another bug and bring it up there.  This bug isn't about possible solutions to
bring users' attention to the actual host being visited - rather it's about one
solution specifically, that of highlighting URL text.
Jason, I'm trying to make a case against this feature request, that is why I
mention other possible solutions.

>Which can happen with any part of the URL, and not, I think, something that will
>happen with *any* kind of regularlity at all.  What you're proposing is an edge
>case that will almost never happen - certainly not often enough to be considered
>here.  (You could always open another bug that implemented a horzontal scroll
>for the location bar.)

I pointed out that the highlighted hostname could be moved outside the visible
address bar, which would defeat the security solution that highlighting would
provide, that is the number 1 reason this feature request would not solve the
spoofing problem. Which you added to this discussion.
Spoofer don't normally make the password field long because they can trick the
user, if the user was able to see the hostname clearly then they would push it
beyond the visible area with a greater frequency.
I just filed bug 228612, which proposes a solution to the long-username problem.
> I pointed out that the highlighted hostname could be moved outside the visible
> address bar, which would defeat the security solution that highlighting
> would provide

     I beg to differ. The absence of visible highligh is a pretty good clue that
something is amiss (why www.microsoft.com is no longer bold ?). For the user,
visible highlight == good, no visible highlight == bad.
     I think the only security argument that can be made is that the clue may be
too subtle for most users, and they will just ignore it, whereas a popup is "in
your face" (and that's why we hate popups ;-).
     Note that this RFE is not purely about improving security, highlighting has
other advantage like making it easier to cut'n'paste bits of the URL or remocing
components. For example, I don't think highlighting of "view page source" was
done for security reasons.
One possible solution is to be very explicit and instead of displaying the URL
in the status bar display something like

location:http://microsoft.com username:mozilla.org password:foobar

for a url like mozilla.org:foobar@microsoft.com 

or just

site:http://mozilla.org/projects/firebird/index.html

for a URL like http://mozilla.org/projects/firebird/index.html

Even if the URL is truncated, the user would see part of the hostname (rather
than part of the username). It also makes the URL bar user friendly for people
who don't read RFCs about URI formats (i.e. everyone).


Just out of interest, would the patch (this *doesn't* mean I'm planning to write
a patch!) for this be to nsWebShell::OnOverLink so that it:
1) It extracted the protocol host, path, username and password from the URI 
using aURI->GetScheme(), aURI->GetHost(), aURI->GetPath(), aURI->GetUsername()
and aURI->GetPassword()
2)Use the StringBudleService to get some localised prefixes ("Location")
3)Concatenate the strings as required for display
4) Call UnEscapeURIForUI on the combined string <-- would you have to do this on
each part of the URI individually?
5) Call SetStatus, passing the new string.
Argh, sorry, I didn't read the summary properly <blush> My suggestion obviously
applies to the status bar not the url bar (typos notwithstanding).I really want
a different bug.
Blocks: 232560
Comment on attachment 137389 [details]
Possible locations to display host name

Discussed in bug 122445. Dup?

And adding a hostname filed (mockup attachment) is offtopic here.
Attachment #137389 - Attachment is obsolete: true
*** Bug 232792 has been marked as a duplicate of this bug. ***
Hi everyone. Just to say that I had the same idea (url syntax highlighting) some
days ago, and today I've found that ra_hardy proposed it in 2002. 

Well, I agree that syntax highlighting (SH) is a very good idea in order to
improve the url bar. SH makes it easier to view/understand the url_bar contents,
in a similar way that in source code files (i.e. html source code).

I've made a image to show how it would look like. The image is attached to this
bugzilla page, and can be accesed here:

http://bugzilla.mozilla.org/attachment.cgi?id=143118&action=view

I think it would be a very useful innovation for the user interface, specially
for medium-advanced users, and of course it would have an option in Preferences
in order to be enabled/disabled. And probably the suggestion is also easy to
implement, since the browser parses a url when a page is going to be loaded, so
the structure/parts of a url are known - they only have to be colourized.

Thanks guys!
*** Bug 243292 has been marked as a duplicate of this bug. ***
Flags: blocking1.8a6+
Flags: blocking1.8a6+
Can this feature-request be implemented in Firefox 1.5 release?
*** Bug 315329 has been marked as a duplicate of this bug. ***
This type of feature would be useful in helping people spot phishing sites. One thing I should note is that in HTTPS mode the hostname is actually placed in the status bar, but not in FTP or HTTP. It would be useful for the actual host name to always be present in the status bar.

Though I must admit it was only today when visiting an HTTPS site did I notice the host name in the status bar. I wonder how many people would miss that too.
Product: Core → SeaMonkey
Assignee: hewitt → nobody
QA Contact: claudius → location-bar
The IE8 implementation is excellent: it's discreet but unambiguous, and quite clearly indicates when something funny is going on with the URL. We should adopt the same solution.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: