Firefox and the untrusted SSL “warning”, even more to it
There seem to be some heat about the new Firefox feature that only allows you to open https urls with untrusted certificate after 5 clicks.
The situation is actually worse than what is depicted. Why? Because not only did they put crap to their users, and actually, if they want to, that's their problem, but they also imposed their crap on embedders.
Yes, this means applications such as epiphany, kazehakase, galeon, and others *must* use this crap. I know, there is a browser.xul.error_pages.enabled to disable the error page (note it also disables standard network connection error messages). But, the alternative is not any better: It opens a dialog, with raw HTML in it, allowing to... do nothing. That's it, you can only acknowledge you've been denied access to the so-called untrusted site.
The best part is that these applications can't (or maybe they can, but in several months nobody found how) make the exception dialog work properly: the user will have to enter, himself, the url to add the exception for. And before even reaching the state where you can get the dialog to open from the error page, or even get the buttons to be displayed in the error page itself, you have to add clutter to your application code.
For those still wondering what happened to the Gecko platform or whatever you call it (xulrunner, libxul, mozilla-embed, etc.), here is your answer: Gecko evolves with what Firefox needs. If your application needs something else, well, too bad for you. Firefox developers obviously have a big problem taking embedders into consideration when they change the Gecko API, and while it can be fixed afterwards, it's not a good thing to "tag" a Gecko milestone at the same time as a Firefox release under such conditions.
Anyways, what I did in the xulrunner-1.9 package is to forward-port the old interfaces (nsIBadCertListener) allowing embedders to have their own UI for this. While it was certainly far from perfect (and displaying as many dialogs as different errors on a certificate is definitely not something nice), it is still better than something not working at all.
2008-06-27 08:15:54+0900