Where to find the issue

On the landing page for both German and English versions

Describe the issue

Many people are very critical with regards to data protection and privacy. I know that you guys have been doing a tremendous job in this regard (thanks!), and it would thus be great if the app is used widely. Technology is only one aspect though. We should also make sure that people with concerns can understand why this app is no threat to their privacy.

The homepage is giving an explanation of this in the "How does the app work" section. However it is in my opinion too hard to understand for anyone who does not have a technology background. It mentions frameworks, identifiers, cryptographical keys, backend, and so on. I would assume that a majority of people would not be able to understand this, maybe leading to a reduced acceptance.

Suggested change

Provide a "How does the app work" version in simplified English and German (could be text or even video). It should be explained in such a way that it can be understood by the "average citizen" (i.e. without technology background or university degree).
There could still be a more detailed, technology-oriented explanation on a second level for those people who want to dive deeper of course.

SAP has tons of UA experts that are surely happy to support.

Like seen in issue corona-warn-app/cwa-app-ios#638, installation can turn out to be difficult.

Suggested Enhancement

It might be helpful for people / useful to have in the FAQ:

• how updating smartphone devices in general works ( with links to tutorials). -- Some people might have to upgrade to iOS 13.5.1 before installation and might not know, how this works.
• install instructions/workarounds for different devices (steps)

Expected Benefits

Knowledge about updating the operating system and how to install on the specific device enables more people to use the app.

Internal Tracking ID: EXPOSUREAPP-12774

There are a good number of error/crash reports out there. Many are certainly not surprising because they happen due to outdated software versions etc.

It would be great if in addition to abstract error codes: "cause 3" there was a troubleshooting article on the website that explains why this particular error may have happened and how it could be circumvented.

This could include general steps: check your phone runs Android 6+ (link to how to do so) and more specific issues if known to cause this error.

Now that a good number of errors have been reported it's a good time to start this and get it out while lots of people are still installing and having exactly these issues.

We want the app to be accessible to even the least tech savvy quintiles right?

In the above mentioned files a few closing parentheses are missing, which cause "gulp build" to fail.

[christopher@ArchDesktop cwa-website]$ gulp build
[11:41:39] Using gulpfile ~/Schreibtisch/cwa-website/gulpfile.js
[11:41:39] Starting 'build'...
[11:41:39] Starting 'pages'...
[11:41:39] Starting 'javascript'...
[11:41:39] Starting 'images'...
[11:41:39] Starting 'copy'...
[11:41:40] 'pages' errored after 89 ms
[11:41:40] SyntaxError: /home/christopher/Schreibtisch/cwa-website/src/data/faq_de.json: Unexpected token 
 in JSON at position 21610
    at parse (<anonymous>)
    at Object.Module._extensions..json (internal/modules/cjs/loader.js:1234:22)
    at Module.load (internal/modules/cjs/loader.js:1049:32)
    at Function.Module._load (internal/modules/cjs/loader.js:937:14)
    at Module.require (internal/modules/cjs/loader.js:1089:19)
    at require (internal/modules/cjs/helpers.js:73:18)
    at Panini.module.exports [as loadData] (/home/christopher/Schreibtisch/cwa-website/node_modules/panini/lib/loadData.js:21:14)
    at Panini.module.exports [as refresh] (/home/christopher/Schreibtisch/cwa-website/node_modules/panini/lib/refresh.js:10:8)
    at module.exports (/home/christopher/Schreibtisch/cwa-website/node_modules/panini/index.js:41:12)
    at pages (/home/christopher/Schreibtisch/cwa-website/gulpfile.js:60:7)
[11:41:40] 'build' errored after 91 ms
[11:41:40] The following tasks did not complete: javascript, images, copy
[11:41:40] Did you forget to signal async completion?
[christopher@ArchDesktop cwa-website]$ 

Where to find the issue

1. Decorative images in the section Wie funktioniert die App? or How does the app work? on the main page
2. GitHub Icon in the header and the footer
3. Card images for news articles on /news

Describe the issue

1. The decorative images on the main page have no alternative text.
2. The GitHub icon functions as a link but lacks an alternative text to describe its destination
3. The images, used in the news cards have no alternative text.

Suggested change

1. Add an empty alternative text alt="" to declare the image as purely decorative, as recommended by the WCAG.
2. Add an alternative text, describing the GitHub repository as the links destination, for example alt="GitHub Repository"
3. Add an alternative text to the <img/> tag. Depending on, whether these images are deemed purely decorative or functional, the alt text has to be empty alt="" or a description of the iamge content.

Your Question

• Repository: package.json
  In the package.json the author is Zurb Foundation, but i think it should probably be SAP?

"author": "ZURB <[email protected]>",

Feature description

Add an actual counter for the number of installed apps to the website.

Problem and motivation

A lot of people are probably interested in this number, because it also gives an indication of how much of a difference the app can possibly make.
I know this can be roughly seen in the play store but the granularity decreases with increasing installs (next value above 10M is 50M). I think this info is not public in the AppStore at all.

It would probably motivate people to install the app if they see how many others have already installed it as well and could be shared on social media to motivate others.

Is this something you're interested in working on

This can only be done by people with access to the publisher accounts in the AppStores

Where to find the issue

https://www.coronawarn.app/en/ in the footer

Describe the issue

When opening the website on a mobile device, the telephone number is not fully displayed.

Here tested on an iPhone 11 Pro Max

Suggested change

The placement of the telephone number should adapt to smaller screen sizes.

To create a significant reduce of loading time, bandwidth, render time we can generate WebP Images out of PNG/JPEG on the Build Process.

To support Browser without WebP support (Safari) we can still add PNG/JPEG as Fallback.

This is only a very minor CSS bug that is easy to fix. In fact I already have a fix prepared that I can open a PR for.

Where to find the issue

See bottom border of each closed FAQ item on https://www.coronawarn.app/de/faq/.
It seems to happen in every browser.

Describe the issue

See screenshot above: the bottom border in the inactive state of each item is not styled correctly.

Suggested change

Changing two lines of CSS. I can create a PR for a fix of this issue. 🙂

Where to find the issue

Describe the issue

Suggested change

For better performance enable http2.

Introduction to HTTP/2

https://developers.google.com/web/fundamentals/performance/http2

Here, you are encouraging pull request:

here corona-warn-app/cwa-app-ios#732 (merged) and here corona-warn-app/cwa-app-android#675 (open) @tkowark changes the contribution guidelines to
Pull Requests that are not linked to an issue with you as an assignee will be closed.

Please try to be consistent. If in doubt, you could ask people to read the CONTRIBUTING.md of the specific sub-project.

I analyzed the Website with Ryte and Lighthouse from Google and here some recommended changes on the Hosting Setup:

404 Sites:
Currently non-existing sites return a 403 error code instead of the correct one (404)

Compression:
The Server is currently not compressing Text-based resources (gzip, deflate or brotli). This reduces the loading-time espacially for mobile user.

Internal Tracking ID: EXPOSUREAPP-8525

To make sure features / hotfixes are didn't break anything I would recommend to implement a simple end-to-end testing system.

For this I would recommend Cypress, which is very straight forward ans easy manageable with npm.

This will also improve the ability to detect bugs faster.

The default test command will run End-To-End tests in a headless electron browser.

As an alternativ tests can also run with chrome or firefox.

I will submit a Pull-Request with the framework and a first test in the next minutes

Where to find the issue

cwa-website/src/root-assets/robots.txt

Describe the issue

It is not necessary to declare the /sitemap.htm again if the root directory is already within the allowed path.

Suggested change

@@ -1,4 +1,3 @@
User-agent: *
Allow: /
-Allow: /sitemap.htm
Sitemap: https://coronawarn.app/sitemap.xml

Where to find the issue

https://www.coronawarn.app/sitemap.xml

Describe the issue

The sitemap provided seems to include an older version with another URL structure (w/o www. sub) as well.

Suggested change

Update the https://www.coronawarn.app/sitemap.xml with a newer version.

Push the yarn.lock file to the repo leading to faster install times and better version control of the installed packages with yarn.

Right now there's only "Bug", "Question" and "Anything else" available as labels for website issues.

I had enhancement/feature requests but couldn't label them appropriately.

Please add these two labels as they exist on the app repos.

Describe the issue

Currently, source maps are only written in development (using gulp-if and !PRODUCTION as condition). This makes it harder to inspect the code of the live site in the browser's DevTools and as far as I see doesn't really have any advantages, the code is open source anyway.

Suggested change

Shipping source maps makes it easier to inspect and debug code on the live site and also is nice for beginners who might want to take a look at the website's code to discover how something was implemented. :)
So I suggest removing the guarding calls to $.if() that currently wrap $.sourcemaps.write() as well as the condition for the devtool webpack config.

I'd be happy to submit a PR if you agree. :)

Internal Tracking ID: EXPOSUREAPP-12958

What technology or framework are you using?

I've taken a look at the code but i couldn't find out whether the website is built using some framework like Hugo, Vue or just plain HTML and JavaScript?
I want to know this in order to learn the framework/technology to be able to contribute.

There are several privacy-related FAQ on the website, such as "Können die übermittelten Informationen zu mir und meinen früheren Aktivitäten zurückverfolgt werden?". Unfortunately, the answer to this particular question is not complete, in my honest opinion.

Since there is empirical evidence in real-world scenarios, that the GAP Exposure Notification API itself is a source of risk, I would expect, to be fully transparent, a hint in the FAQ, that the current GAP design is in fact vulnerable to profiling and possibly de-anonymizing infected persons.

Is text compression enable?

• Website URL Path: https://www.coronawarn.app/
• Description:
  Maybe the website can you gzip, Brotli or deflat

https://web.dev/uses-text-compression

Internal Tracking ID: EXPOSUREAPP-8525

See #80 (comment). I guess at some point this was the case since rimfaf is already included in the project.

We want many millions of people in Germany to install the app, right? To achieve this the landing page needs a much easier-to-understand language.

One example:
When looking at the german version of the website, one of the first senteces that the user reads is: "Das Exposure Notification Framework (von Apple und Google) auf einem mobilen Gerät sendet einen Rolling Proximity Identifier und sucht gleichzeitig regelmäßig mithilfe der Technologie Bluetooth Low Energy nach IDs anderer Smartphones und speichert die IDs lokal."

How many percent of people in Germany are able to understand this?

Don't forget that the challenge is not to develop this app, but rather to bring it onto the smartphones of about 50 million people in germany. So the marketing team should be larger than the development team.

Is there any strategy for that already in place?

in addition to #16

Where to find the issue

Blue text elements throughout the page

<h5> and <span class="enumeration"> on
https://www.coronawarn.app/

<a> on
https://www.coronawarn.app/de/
https://www.coronawarn.app/en/
https://www.coronawarn.app/de/#privacy
https://www.coronawarn.app/en/#privacy
https://www.coronawarn.app/de/community
https://www.coronawarn.app/en/community
https://www.coronawarn.app/de/imprint/

Describe the issue

The given elements have the text color #1294d4, which has a contrast ratio of only 3.38:1 to the #ffffff background. Since this falls under the category small text it should have at least 4.5:1 to meet the WCAG AA Recommendations

Additionally, in the section <section id="privacy"> the link color #1294d4 is paired with the background color #edf2f7, resulting in an even lower contrast ratio of 3:1. Again, since this is small text, a ratio of at least 4.5:1 is desirable to meet WCAG AA.

Suggested change

Adapt the color scheme to meet WCAG AA contrast ratios or - if possible - WCAG AAA contrast ratios. The WCAG specifications can be read here.

Where to find the issue

https://www.coronawarn.app/en/

Describe the issue

Two of the images used on the website aren't optimized regarding their (file) size.

Suggested change

The images used on the website should get optimized.

Deeplinks were added yesterday to the FAQs as requested in #71

Unfortunately, when one clicks on a deeplink, it doesn't unfold the answer, which is disorienting to a reader who expects to see the answer and not have to find the correct question and click on the answer manually. This is clearly unexpected behaviour, thus a bug.

Where to find the issue

Homepage DE/EN

• Buttonlinks in general
• Bleib auf dem Laufenden! / Stay up to date! - Carousel Buttons an Slick-Dots

Describe the issue

• There is no visible indicator showing an active or focus state on textlinks
• There is no visible difference on hover/active/focus states on slick carousel arrow-buttons
• Slick-Dots are accessible via keyboard, but there also no indication of focus

Suggested change

Textlinks should have at least a focus style for accessibility
Slick-Arrow-Button-Styling should be extended by other Button-styles and have at least a focus state for accessibility
Add Slick-Dots focus state for keyboarduser

Where to find the issue

The issue can be found in the header and footer on every site.

Describe the issue

The contrast ratio of foreground/background color is too low (1.77:1). This makes it hard for some people with visual impairment to read the text. According to WCAG 2.1, it should be at least 4.5:1 for normal text and 3:1 for large text.

See: https://webaim.org/resources/contrastchecker/?fcolor=FFFFFF&bcolor=80CDEC

The actual contrast ratio is hard to determine since there's a color gradient. The ratio of white text on red background would be fine (6.27:1), but almost all of the content area is in brighter colors.

Suggested change

Either background gradient or text should be in darker colors. Maybe it would be possible to use text shadow or a solid background color for some parts of the header/footer, e.g. main navigation.

Where to find the issue

Request via Browser
https://www.coronawarn.app/assets/documents/cwa-datenschutz-folgenabschaetzung.pdf
(from https://www.coronawarn.app/de/ )

Describe the issue

Brave-Browser is configured more strict to respect the CSP Rules.

Suggested change

Fix the Response Header CSP Rule to allow safe inline-styles

If someone wants to read all the FAQs, they currently have to click on every single question to see the answer. It would be good if there was a button to "expand all".

The FAQs https://www.coronawarn.app/en/faq/ are a great resource.

There is a lot of information. Unfortunately, it's not possible to deeplink to particular questions at the moment, since the divs don't have any unique ids.

So please add ids.

In addition, ideally at the bottom right for every question a copiable link, so that the answer can be shared when answering questions on Social Media or in Whatsapp groups.

Where to find the issue

https://www.coronawarn.app/en/

Describe the issue

When analyzing the network requests, a 403 on the request https://www.coronawarn.app/assets/img/icons/ comes up:

Suggested change

Could be related to the entry /cwa-website/src/data/global.json on line 3, but not sure so far how this actually works.

I've noticed that in the German version most occurrences of "Du" are capitalized, but in some places I found lower case notation ("du") too.

The notation should certainly be harmonised. But the question arises: In which direction?

Duden (https://www.duden.de/sprachwissen/sprachratgeber/Gross-oder-Kleinschreibung-von-duDu-und-ihrIhr) says that nowadays the lower case notation is correct (only in letters, SMS and emails upper case is still tolerated).

From my point of view the upper case version looks pretty old-fashioned in this context. Therefore I'd recommend to write all occurrences of "Du", "Dein", "Dich", "Dir" etc. consequently in lower case - according to Duden's rules.

I can send a related PR, but first I'd like to ask if it would be okay to make the adjustment in this direction(?)

Disclaimer: I am not sure if the website issues for https://www.coronawarn.app should be post here. So please feel free to forward this to whom is responsible for)

Though the website claims to be privacy-friendly, there are still these issues:

• Unsafe TLS Encryption Configuration
  TLS 1.3 is not enabled, TLS 1.0 is still active (!)
  Please check Ciphers aswell.
• CSP (Content Security Policy) is missing
• "no-referrer" tag is missing. Referers are told to 3rd parties.
• Several X-Headers (X-Content-Type, X-Frame, X-XSS-Protection) are missing

Please use common test suites to check website for security and privacy:

• https://observatory.mozilla.org/
• https://webbkoll.dataskydd.net/de
• https://www.ssllabs.com/ssltest/

Where to find the issue

Disable you browser-cache, then go to

https://www.corona-warn-app.de

Describe the issue

The website seems to be under a lot of load right now. When I request it, most of the time,

This page isn’t working
www.corona-warn-app.de took too long to respond.

HTTP ERROR 504

The site beyond the redirect works fine...

Suggested change

Maybe the redirecting servers have to be scaled up.

"COVID-19 Auslöser" should be "COVID-19-Auslöser" as it's one word and therefore needs to be connected with a hyphen.

Where to find the issue

No information in FAQ about running app in background is needed

Describe the issue

In the FAQ is no information about if the app must be started and run in background to work or the exchange of the keys is managed by operation system and the app do the analysis of "infected" keys only. (maybe the wrong wording "infected" sorry)

Suggested change

Add information to FAQ or better display the information in the app directly

In your FAQs you state:

Android: The app will run on phones with Android 6 ('Marshmallow') or higher. The Exposure Notification API has been installed on these phones automatically via the Google Play services. (https://www.coronawarn.app/en/faq/)

Unfortunately, there seem to be exceptions to this rule, not mentioned in the FAQ - the FAQs read as if any phone with Android 6+ and Play services up to date works.
E.g. Xiaomi, Redmi, Huawei, see issues corona-warn-app/cwa-app-android#495 corona-warn-app/cwa-app-android#490 corona-warn-app/cwa-app-android#487

The fact that these devices won't work isn't clear from your documentation, so it's a bug. Please add it to the FAQs and the Play Store App Compatibility List as excluded devices: https://support.google.com/googleplay/android-developer/answer/7353455?hl=en

If Google has a list of devices that are compatible/incompatible, it would be worth linking to. Rather than just saying contact Google/Apple. You know they won't be of any help.

I remember that a week ago someone asked you for a Green List of devices. You said you didn't want to make one. I asked for a public beta test to figure these issues out before release and be prepared with messaging. You didn't want to beta test. Well, now we have the salad.

Internal Tracking ID: EXPOSUREAPP-2957

I was a bit disappointed, when I saw that @SebastianWolf-SAP commited a change to add a new feature that was requested as an issue. However, I already created a PR to address this issue (with a more generic and scalable solution) a few hours before his change. Ultimately, the change created a merge conflict for my PR.

So, please comment on issues / feature requests, when you put it in your backlog for you to implement / fix by yourself. That way, contributors will not work on stuff you already work on. On the other hand, please review PRs first, before you start implementing stuff, which may have been already implemented by contributors.

Thanks for helping us helping you.

Add a Favicon as SVG would be better because only one line is needed to tell the browser where it is located and it will look good in any size.

1. Roboto is a duplicate entry in the list (quotations make no difference if font family doesnt contain any spaces)
2. the generic font family sans-serif in the middle of the list makes it impossible for the following entries ever being used

Where to find the issue

Open the website under https://www.coronawarn.app/de/ or https://www.coronawarn.app/en/

Describe the issue

The buttons for iOS and Google are on the bottom and should be, as with https://www.bundesregierung.de/breg-de/themen/corona-warn-app/corona-warn-app-englisch, at least in the top region.

Suggested change

The links should be moved to the top or at least added there in addition.

I don’t know who is responsible for the texts on
The website. The point 01 is pretty complicated for most of the people. Where can be submitted a suggestion for optimization? Best Jan

![9C915304-7F4A-4C03-9726-300AF1FFC52D](https://user-images.githubusercontent.com/8312244/85177706-ea036000-b27c-11ea-99bd-088158089e98.jpeg

As noted by @Julian-B90 in this comment the page we get a 403 for the file

https://www.coronawarn.app/assets/css/ajax-loader.gif

The URL used in the iOS applications:
https://corona-warn-app.de/
Shows a certificate error due to untrusted root CA on MacOS/Chrome and iOS/Safari

.

Where to find the issue

Footer of home page
https://photos.app.goo.gl/i6USG8N9QzhYTSw79

Describe the issue

Phone numbers don't wrap and are therefore cut off on mobile screens.

Homepage: https://www.bundesregierung.de/breg-de/themen/corona-warn-app/corona-warn-app-englisch

I am sure this issue is wrongly placed here - on the other hand I hope this is the short way; I just tried for an hour to figure out who is responsible for the homepage, but as so often in Germany, no one seems to be responsible.

Where to find the issue

https://www.bundesregierung.de/breg-de/themen/corona-warn-app/corona-warn-app-englisch

Describe the issue

There are social network icons wrongly placed on the homepage which do ! send referrer information to its owners, here twitter, facebook, instagram and youtube, also they definitely transfer the visitors IP on the social networks servers, ready for analysis..

It shouldn't be news that this wasn't nor isn't allowed under BDSG nor GDPR and its predecessors.

These social buttons have to be explicit turned on by a user and the user must explictly accept this before the buttons are activated.

I think, in times were we discuss months about data security regarding our Corona Warn App, such a (minor) flaw shouldn't happen. Nor should it start a new discussion like 'if they do not protect data here, how should this be the case for the app... Alu heads even might find this good for a new 'the theory'...

At least, it seems as if the icons are not downloaded directly from facebook & co, but still, the information given about the "consequences" by clicking them is in this form not right.

Suggested change

2014, 6 years ago, heise.de started a project c't shariff that handles this issue (btw. that was two years before GDPR ;).

I suggest to implement the current version of this project or similar projects, of which you can easily find several.