Bug 1500020 - Update cert error page copy based on UX suggestions. r=nhnt11

Differential Revision: https://phabricator.services.mozilla.com/D9080 --HG-- extra : moz-landing-system : lando
2018-10-19 14:50:59 +00:00 · 2018-10-19 14:50:59 +00:00 · d7b28163d3
--- a/browser/actors/NetErrorChild.jsm
+++ b/browser/actors/NetErrorChild.jsm
@ -39,8 +39,6 @@ const SEC_ERROR_UNKNOWN_ISSUER                     = SEC_ERROR_BASE + 13;
 const SEC_ERROR_UNTRUSTED_ISSUER                   = SEC_ERROR_BASE + 20;
 const SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE         = SEC_ERROR_BASE + 30;
 const SEC_ERROR_CA_CERT_INVALID                    = SEC_ERROR_BASE + 36;
-const SEC_ERROR_OCSP_FUTURE_RESPONSE               = SEC_ERROR_BASE + 131;
-const SEC_ERROR_OCSP_OLD_RESPONSE                  = SEC_ERROR_BASE + 132;
 const SEC_ERROR_REUSED_ISSUER_AND_SERIAL           = SEC_ERROR_BASE + 138;
 const SEC_ERROR_OCSP_INVALID_SIGNING_CERT          = SEC_ERROR_BASE + 144;
 const SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED  = SEC_ERROR_BASE + 176;
@ -160,7 +158,7 @@ class NetErrorChild extends ActorChild {
        // This error code currently only exists for the Symantec distrust, we may need to adjust
        // it to fit other distrusts later.
        case MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED:
-          msg1 += gPipNSSBundle.formatStringFromName("certErrorTrust_Symantec", [hostString], 1) + "\n";
+          msg1 += gPipNSSBundle.GetStringFromName("certErrorTrust_Symantec1") + "\n";
          break;
        default:
          msg1 += gPipNSSBundle.GetStringFromName("certErrorTrust_Untrusted") + "\n";
@ -178,7 +176,7 @@ class NetErrorChild extends ActorChild {
          if (newErrorPagesEnabled) {
            technicalInfo.textContent = "";
            let brandName = gBrandBundle.GetStringFromName("brandShortName");
-            msgPrefix = gPipNSSBundle.formatStringFromName("certErrorMismatchSinglePrefix2", [brandName, hostString], 2) + " ";
+            msgPrefix = gPipNSSBundle.formatStringFromName("certErrorMismatchSinglePrefix3", [brandName, hostString], 2) + " ";
            msgPrefix += gPipNSSBundle.GetStringFromName("certErrorMismatchSinglePrefix");
          } else {
            msgPrefix = gPipNSSBundle.GetStringFromName("certErrorMismatchSinglePrefix");
@ -252,7 +250,7 @@ class NetErrorChild extends ActorChild {
          if (newErrorPagesEnabled) {
            technicalInfo.textContent = "";
            let brandName = gBrandBundle.GetStringFromName("brandShortName");
-            msg = gPipNSSBundle.formatStringFromName("certErrorMismatchMultiple2", [brandName, hostString], 2) + " ";
+            msg = gPipNSSBundle.formatStringFromName("certErrorMismatchMultiple3", [brandName, hostString], 2) + " ";
          } else {
            msg = gPipNSSBundle.GetStringFromName("certErrorMismatchMultiple") + "\n";
          }
@ -269,7 +267,7 @@ class NetErrorChild extends ActorChild {
        if (newErrorPagesEnabled) {
          technicalInfo.textContent = "";
          let brandName = gBrandBundle.GetStringFromName("brandShortName");
-          msg = gPipNSSBundle.formatStringFromName("certErrorMismatch2", [brandName, hostString], 2) + " ";
+          msg = gPipNSSBundle.formatStringFromName("certErrorMismatch3", [brandName, hostString], 2) + " ";
        } else {
          msg = gPipNSSBundle.formatStringFromName("certErrorMismatch",
                                                     [hostString], 1);
@ -398,7 +396,7 @@ class NetErrorChild extends ActorChild {
      // without replicating the complex logic from certverifier code.
      case MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED:
        let description = gPipNSSBundle.formatStringFromName(
-          "certErrorSymantecDistrustDescription", [doc.location.hostname], 1);
+          "certErrorSymantecDistrustDescription1", [doc.location.hostname], 1);
        let descriptionContainer = doc.getElementById("errorShortDescText2");
        descriptionContainer.textContent = description;

@ -421,8 +419,6 @@ class NetErrorChild extends ActorChild {
      // and is not before the build date.
      case SEC_ERROR_EXPIRED_CERTIFICATE:
      case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
-      case SEC_ERROR_OCSP_FUTURE_RESPONSE:
-      case SEC_ERROR_OCSP_OLD_RESPONSE:
      case MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE:
      case MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE:

@ -507,23 +503,39 @@ class NetErrorChild extends ActorChild {
          let textContainer = doc.getElementById("text-container");
          errorPageContainer.style.backgroundPosition = `left top calc(50vh - ${textContainer.clientHeight / 2}px)`;
        } else {
-            doc.getElementById("wrongSystemTime_systemDate2").textContent = systemDate;
-            let errDesc = doc.getElementById("ed2_nssBadCert_SEC_ERROR_EXPIRED_CERTIFICATE");
-            let sd = doc.getElementById("errorShortDescText2");
-            if (sd) {
-              // eslint-disable-next-line no-unsanitized/property
-              sd.innerHTML = errDesc.innerHTML;
-            }
-            if (es) {
-              // eslint-disable-next-line no-unsanitized/property
-              es.innerHTML = errWhatToDo.innerHTML;
-            }
-            if (est) {
-              // eslint-disable-next-line no-unsanitized/property
-              est.textContent = errWhatToDoTitle.textContent;
-              est.style.fontWeight = "bold";
-            }
-            updateContainerPosition();
+          doc.getElementById("wrongSystemTime_systemDate2").textContent = systemDate;
+
+          let errDesc = doc.getElementById("ed_nssBadCert_SEC_ERROR_EXPIRED_CERTIFICATE");
+          let sd = doc.getElementById("errorShortDescText");
+          // eslint-disable-next-line no-unsanitized/property
+          sd.innerHTML = errDesc.innerHTML;
+
+          let span = sd.querySelector(".hostname");
+          span.textContent = doc.location.hostname;
+
+          // The secondary description mentions expired certificates explicitly
+          // and should only be shown if the certificate has actually expired
+          // instead of being not yet valid.
+          if (msg.data.code == SEC_ERROR_EXPIRED_CERTIFICATE) {
+            let {cssClass} = this.getParams(doc);
+            let stsSuffix = cssClass == "badStsCert" ? "_sts" : "";
+            let errDesc2 = doc.getElementById(
+              `ed2_nssBadCert_SEC_ERROR_EXPIRED_CERTIFICATE${stsSuffix}`);
+            let sd2 = doc.getElementById("errorShortDescText2");
+            // eslint-disable-next-line no-unsanitized/property
+            sd2.innerHTML = errDesc2.innerHTML;
+          }
+
+          if (es) {
+            // eslint-disable-next-line no-unsanitized/property
+            es.innerHTML = errWhatToDo.innerHTML;
+          }
+          if (est) {
+            // eslint-disable-next-line no-unsanitized/property
+            est.textContent = errWhatToDoTitle.textContent;
+            est.style.fontWeight = "bold";
+          }
+          updateContainerPosition();
        }
        break;
    }
--- a/browser/base/content/aboutNetError-new.xhtml
+++ b/browser/base/content/aboutNetError-new.xhtml
@ -94,6 +94,7 @@
        <div id="ed_nssFailure2">&nssFailure2.longDesc2;</div>
        <div id="ed_nssBadCert">&certerror.introPara2;</div>
        <div id="ed_nssBadCert_sts">&certerror.sts.introPara;</div>
+        <div id="ed_nssBadCert_SEC_ERROR_EXPIRED_CERTIFICATE">&certerror.expiredCert.introPara;</div>
        <div id="ed_cspBlocked">&cspBlocked.longDesc;</div>
        <div id="ed_remoteXUL">&remoteXUL.longDesc;</div>
        <div id="ed_corruptedContentErrorv2">&corruptedContentErrorv2.longDesc;</div>
@ -103,7 +104,8 @@
        <div id="ed_clockSkewError">&clockSkewError.longDesc;</div>
      </div>
      <div id="errorDescriptions2Container">
-          <div id="ed2_nssBadCert_SEC_ERROR_EXPIRED_CERTIFICATE">&certerror.expiredCert.secondPara;</div>
+          <div id="ed2_nssBadCert_SEC_ERROR_EXPIRED_CERTIFICATE">&certerror.expiredCert.secondPara2;</div>
+          <div id="ed2_nssBadCert_SEC_ERROR_EXPIRED_CERTIFICATE_sts">&certerror.expiredCert.sts.secondPara;</div>
      </div>
      <div id="whatCanYouDoAboutItTitleContainer">
        <div id="edd_nssBadCert"><strong>&certerror.whatCanYouDoAboutItTitle;</strong></div>
@ -112,12 +114,9 @@
        <div id="es_nssBadCert_SEC_ERROR_UNKNOWN_ISSUER">&certerror.unknownIssuer.whatCanYouDoAboutIt;</div>
        <div id="es_nssBadCert_SEC_ERROR_EXPIRED_CERTIFICATE">&certerror.expiredCert.whatCanYouDoAboutIt2;</div>
        <div id="es_nssBadCert_SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE">&certerror.expiredCert.whatCanYouDoAboutIt2;</div>
-        <div id="es_nssBadCert_SEC_ERROR_OCSP_FUTURE_RESPONSE">&certerror.expiredCert.whatCanYouDoAboutIt2;</div>
-        <div id="es_nssBadCert_SEC_ERROR_OCSP_OLD_RESPONSE">&certerror.expiredCert.whatCanYouDoAboutIt2;</div>
        <div id="es_nssBadCert_MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE">&certerror.expiredCert.whatCanYouDoAboutIt2;</div>
        <div id="es_nssBadCert_MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE">&certerror.expiredCert.whatCanYouDoAboutIt2;</div>
        <div id="es_nssBadCert_SSL_ERROR_BAD_CERT_DOMAIN">&certerror.badCertDomain.whatCanYouDoAboutIt;</div>
-        <div id="es_nssBadCert_SEC_ERROR_OCSP_INVALID_SIGNING_CERT">&certerror.badCertDomain.whatCanYouDoAboutIt;</div>
      </div>
      <!-- Stores an alternative text for when we don't want to add "Recommended" to the
           return button. This is one of many l10n atrocities in this file and should be
--- a/browser/base/content/test/static/browser_misused_characters_in_strings.js
+++ b/browser/base/content/test/static/browser_misused_characters_in_strings.js
@ -20,6 +20,10 @@ let gWhitelist = [{
    file: "netError.dtd",
    key: "certerror.sts.introPara",
    type: "single-quote",
+  }, {
+    file: "netError.dtd",
+    key: "certerror.expiredCert.introPara",
+    type: "single-quote",
  }, {
    file: "netError.dtd",
    key: "certerror.expiredCert.whatCanYouDoAboutIt2",
--- a/browser/locales/en-US/chrome/overrides/netError.dtd
+++ b/browser/locales/en-US/chrome/overrides/netError.dtd
@ -159,7 +159,9 @@ was trying to connect. -->
 <!ENTITY certerror.introPara2 "&brandShortName; detected a potential security threat and did not continue to <span class='hostname'/>. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.">
 <!ENTITY certerror.sts.introPara "&brandShortName; detected a potential security threat and did not continue to <span class='hostname'/> because this website requires a secure connection.">

-<!ENTITY certerror.expiredCert.secondPara "This issue is most likely because your computer clock is set to the wrong time, which would prevent &brandShortName; from connecting securely.">
+<!ENTITY certerror.expiredCert.introPara "&brandShortName; detected an issue and did not continue to <span class='hostname'/>. The website is either misconfigured or your computer clock is set to the wrong time.">
+<!ENTITY certerror.expiredCert.secondPara2 "It’s likely the website’s certificate is expired, which prevents &brandShortName; from connecting securely. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.">
+<!ENTITY certerror.expiredCert.sts.secondPara "It’s likely the website’s certificate is expired, which prevents &brandShortName; from connecting securely.">

 <!ENTITY certerror.whatCanYouDoAboutItTitle "What can you do about it?">

@ -232,7 +234,7 @@ certificate.">

 <!ENTITY blockedByPolicy.title "Blocked Page">

-<!ENTITY clockSkewError.title "Your computer clock is wrong">
+<!ENTITY clockSkewError.title "Your Computer Clock is Wrong">
 <!ENTITY clockSkewError.longDesc "Your computer thinks it is <span id='wrongSystemTime_systemDate1'/>, which prevents &brandShortName; from connecting securely. To visit <span class='hostname'></span>, update your computer clock in your system settings to the current date, time, and time zone, and then refresh <span class='hostname'></span>.">

 <!ENTITY prefReset.longDesc "It looks like your network security settings might be causing this. Do you want the default settings to be restored?">
--- a/browser/themes/shared/aboutNetError-new.css
+++ b/browser/themes/shared/aboutNetError-new.css
@ -47,6 +47,10 @@ button:disabled {
  cursor: pointer;
 }

+#errorWhatToDoTitle {
+  margin-top: 2em;
+}
+
 #prefChangeContainer {
  display: none;
 }
--- a/security/manager/locales/en-US/chrome/pipnss/pipnss.properties
+++ b/security/manager/locales/en-US/chrome/pipnss/pipnss.properties
@ -287,18 +287,16 @@ certErrorTrust_SignatureAlgorithmDisabled=The certificate is not trusted because
 certErrorTrust_ExpiredIssuer=The certificate is not trusted because the issuer certificate has expired.
 certErrorTrust_Untrusted=The certificate does not come from a trusted source.
 certErrorTrust_MitM=Your connection is being intercepted by a TLS proxy. Uninstall it if possible or configure your device to trust its root certificate.
-# LOCALIZATION NOTE (certErrorTrust_Symantec): %S is replaced by the domain for which the certificate is valid
-certErrorTrust_Symantec=The security certificate for %S is not trustworthy because the issuing organization failed to follow security practices. Certificates issued by Symantec, including the Thawte, GeoTrust, and RapidSSL brands, are not considered safe.
+certErrorTrust_Symantec1=Certificates issued by GeoTrust, RapidSSL, Symantec, Thawte, and VeriSign are no longer considered safe because these certificate authorities failed to follow security practices in the past.

 certErrorMismatch=The certificate is not valid for the name %S.
-# LOCALIZATION NOTE (certErrorMismatch2, certErrorMismatchSinglePrefix2, certErrorMismatchMultiple2): %1$S is replaced by the brand name, %2$S is replaced by host name.
-certErrorMismatch2=Websites prove their identity via certificates. %1$S does not trust %2$S because it uses a certificate that is not valid for %2$S.
+# LOCALIZATION NOTE (certErrorMismatch3, certErrorMismatchSinglePrefix3, certErrorMismatchMultiple3): %1$S is replaced by the brand name, %2$S is replaced by host name.
+certErrorMismatch3=Websites prove their identity via certificates. %1$S does not trust this site because it uses a certificate that is not valid for %2$S.
 # LOCALIZATION NOTE (certErrorMismatchSinglePrefix): %S is replaced by the domain for which the certificate is valid
 certErrorMismatchSinglePrefix=The certificate is only valid for %S.
-# LOCALIZATION NOTE (certErrorMismatchSinglePrefix2): %3$S is replaced by the domain for which the certificate is valid
-certErrorMismatchSinglePrefix2=Websites prove their identity via certificates. %1$S does not trust %2$S because it uses a certificate that is not valid for %2$S.
+certErrorMismatchSinglePrefix3=Websites prove their identity via certificates. %1$S does not trust this site because it uses a certificate that is not valid for %2$S.
 certErrorMismatchMultiple=The certificate is only valid for the following names:
-certErrorMismatchMultiple2=Websites prove their identity via certificates. %1$S does not trust %2$S because it uses a certificate that is not valid for %2$S. The certificate is only valid for the following names:
+certErrorMismatchMultiple3=Websites prove their identity via certificates. %1$S does not trust this site because it uses a certificate that is not valid for %2$S. The certificate is only valid for the following names:

 # LOCALIZATION NOTE (certErrorExpiredNow): Do not translate %1$S (date+time of expired certificate) or %2$S (current date+time)
 certErrorExpiredNow=The certificate expired on %1$S. The current time is %2$S.
@ -308,8 +306,8 @@ certErrorExpiredNow2=Websites prove their identity via certificates, which are v
 certErrorNotYetValidNow=The certificate will not be valid until %1$S. The current time is %2$S.
 certErrorNotYetValidNow2=Websites prove their identity via certificates, which are valid for a set time period. The certificate for %S appears to be not yet valid.

-# LOCALIZATION NOTE (certErrorSymantecDistrustDescription): %S will be replaced by the domain for which the certificate is valid.
-certErrorSymantecDistrustDescription=Websites prove their identity via certificates, which are issued by certificate authorities. Most browsers will no longer trust Symantec, the certificate authority for %S.
+# LOCALIZATION NOTE (certErrorSymantecDistrustDescription1): %S will be replaced by the domain for which the certificate is valid.
+certErrorSymantecDistrustDescription1=Websites prove their identity via certificates, which are issued by certificate authorities. Most browsers no longer trust certificates issued by GeoTrust, RapidSSL, Symantec, Thawte, and VeriSign. %S uses a certificate from one of these authorities and so the website’s identity cannot be proven.
 certErrorSymantecDistrustAdministrator=You may notify the website’s administrator about this problem.

 # LOCALIZATION NOTE (certErrorCodePrefix3): %S is replaced by the error code.