Extension Manager:Projects:Improve Add-on Installation: Difference between revisions

Feature	Status	ETA	Owner
Extension_Manager:Projects:Improve_Add-on_Installation	Finalizing plan for initial improvements in Firefox 7, beginning to scope out further research for future Firefox.	2011-05-19	Jennifer Boriss

Summary

The process of installing Firefox add-ons is currently fraught with user experience issues. The process involves differently-styled windows, unnecessary amounts of user interaction, and delays which users find confusing and annoying.

Our goal is to make the process of installing add-ons more efficient and smoother while (at the least) not effecting and (at the best) improving security.

While general improvements in efficiently and consistency are the goal, several specific issues fall under this category.

Priority 1:

• Not switching windows styles during installation, and removing all modal dialogs. Currently, the verified add-on information confirmation notification is modal, while the download notification window at the beginning of the process and confirmation/restart notification at the end of the process are in the arrow panel notification style.  All notifications should be moved into the arrow-panel notification style, with subtle animated resizes where needed.
  

• Reducing the timer wait time from 3 seconds to 1, and subtly fading the install button from disabled to active state rather than displaying a countdown
  

• Not giving the implication that AMO and AMO's reviewed code are untrusted, specifically by:
  

         1. Removing "author not verified" messaging for trusted authors

         2. Messaging reviewed add-ons differently to unreviewed add-ons and relaying the different meaningfully to users

Priority 2:

• Changing the installation flow order from download-then-ask-permission to ask-permission-then-download.  We currently download an add-on's .xpi file before the user is asked permission to install it.  While it's roughly understandable enough for users to navigate through, the order is backwards compared to the vast majority of similar installation flows. Installing a file before asking both flies in the face of user expectation, and gives the impression at first that we will be installing an add-on without asking permission at all. This may cause users to prematurely cancel an insatllation.  If we can ask the user's permission first - even with imperfect add-on data - and then download the file, we'll be following a very well expected and utilized model.
  

    Download-then-ask-permission (current model):
        
     Ask-permission-then-download (goal):
        

Team

Who's working on this?

• Feature Manager: Jennifer Boriss
• Lead Developer:
• Product Manager:
• QA: Henrik Skupin
• UX: Jennifer Boriss
• Security: Jesse Ruderman

Release Requirements

Several user experience improvements detailed in bug 646602.

Next Steps

Review security issues involved in changes, find developers with free cycles for implementation

Open Issues

- How can different trust levels of add-ons can be both determined and messaged to users appropriately?

Related Bugs & Dependencies

Likely:

• bug 416605 - Reduce security dialog delay from 2 seconds
• bug 643020 - Implement the new install UI in the content area
• bug 652896 - Allow AMO to show extension install dialog before downloading XPI

Possible:

• bug 646602 - Installing add-ons from AMO should not invoke the security prompt

Wontfix:

• bug 561177 - Remove countdown from add-on install dialog(wontfix - we're reducing, not removing, the delay)
• bug 588266 - Firefox add-on installation dialog should use doorhanger notification
• bug 616100 - Remove redundant install delay (undo fix for Bug 162020) [for non-AMO sites]

Security Discussion Notes

From 4.7.2011:

• possible changes to add-on dialogs and their impact
• goal improve add-on installation for users
  • lengthy steps seem in consistent to users, ex: countdown, and UI differences
  • perception on AMO that even AMO is not trusted even when add-on comes from Moz
  • implication is this should not be trusted even if linked to by trusted spaces.
• streamline process, make easier, less clicks, possibly reduce or remove countdown

Q: What are the risks entailed in installation and is AMO less risk than other sites?

• Should be clear that AMO is a website that is part of the app, but what if AMO is hacked? Does this neccessarily help?
• If you go to AMO as a website then this is a preferred experience, like the bits in FX
  • Desire: AMO having a different status
  • Dialoge is needed as click-jacking is still prevalent/possible on AMO
  • A site cannot frame the add-on tab, where as getting a click attack on AMO is somewhat trivial

• Need clear dialog for AMO sandbox

mockup: https://people.mozilla.com/%7Ejboriss/dump/flow_chart_for_addon_download2.pdf

suggestions:

• We could lower the delay from 2 noisy seconds to 1 quiet second (added to goals above)
  
• We could show the user-intent-verification first, before the download finishes. Then there aren't 2 separate "waiting" steps as long as the download is fast (added to goals above)
   
  • this would require AMO to supply the stuff that's supposed to appear in the dialog, as part of the installtrigger call, but it would make the UI much better.
• We could make it so any link to addons.mozilla.org opens in a new tab, and use browser-side defenses against clickjacking on that tab (not a current goal)
  
• We could deny InstallTrigger if clicked within 1 second of selecting the tab/window, to make clickjacking AMO harder
• Rather than author information, which is never verified, could show AMO status
  • (not on AMO; sandboxed; full review; old version)
  • popularity
  • average review score

Unresolved Questions:

• AMO warnings (slows down firefox? has privacy policy?)

From 5.25.2011:

Add-On Features Items to be Reviewed:

Add-on Installation

Improve Add-on Installation: https://wiki.mozilla.org/Extension_Manager:Projects:Improve_Add-on_Installation Pri1:

• move from modal to arrow panel
• timer change

- how is multiple at one being handled?

• the dialogs will stack until a certain number then scoll (not z-index)
  • error handling still needs some work
• Author not verified messaging changing for Add-ons from A.M.O
  • Need verificaiton that reviews have been done to a level that supports this security statement
  • too much reliance on automated scan for this check, more in depth analysis is needed
  • Concept is good

Pri2:

• download before install and ask -or- ask then download
  • old: ask then download, changed in FX4 to download then ask for several reasons (ie. compatiblity)
• ask then download is the prefeered method from a security prespective

Issues:

• possible API changes to support messaging for reviewed, "good" add-ons

Followups:

• need a set of heuristics for making decisions on how the add-on experience flows
• review error handling when complete

Third Party

Ensure user accepts add-ons installed by third-party apps: https://wiki.mozilla.org/Extension_Manager:Projects:Third_Party_Add-on_Warnings

• if install w/o restart, tab closes
• old style: continue changes to "you have to restart"
• can also be enabled form add-ons manager

Designs

Ask permission, then download installation (ideal order)

The diagram below shows how the add-on installation would feel if we were able to ask the user's permission, with whatever add-on information was available, before downloading the .xpi file. This is far more consistent with user's expectations of giving permission before the action that they gave permission for. Obviously the information we have at the beginning of a download may be imperfect, but we should show the best information we have available and only throw a flag if there is a problem. At least on AMO, the information we display should be correct.

Download, then ask permission second installation (current but not ideal order)

This is the order of our current add-on download installation. While it's roughly understandable enough for users to navigate through, the order is backwards compared to the vast majority of similar installation flows. Installing a file before asking both flies in the face of user expectation, and gives the impression at first that we will be installing an add-on without asking permission at all. This may cause users to prematurely cancel an instllation.

(also see bug 646602)

Use Cases

• Installing human-reviewed add-ons from AMO
• Installing automated security review sandbox add-ons from AMO
• Installing add-ons not from AMO (default buyer beware)
• (possibly) Installing trusted add-ons not on AMO (e.g. AdblockPlus)

Test Plans

None so far.

Goals

Make add-on installation a more efficient, more consistent, and more secure experience

Non-Goals