Closed Bug 34539 Opened 25 years ago Closed 25 years ago

window.open: z-ordering and modal features need security checks

Categories

(Core :: XUL, defect, P3)

RESOLVED FIXED

People

(Reporter: danm.moz, Assigned: danm.moz)

Details

(Whiteboard: [nsbeta2-])

Any JavaScript can open alwaysLowered, alwaysRaised, z-locked and modal windows. These need to be ignored for unsigned content JavaScript.
Status: NEW → ASSIGNED
Target Milestone: --- → M17
Sounds like this could lend itself to DoS or spoofing, nominating for nsbeta2, cc'ing mstoltz.
Keywords: nsbeta2
I agree; these functions should be disallowed to untrusted scripts. danm, if you can fix this for beta2, great. Personally, I've been marking DoS and spoofing bugs post-Beta2 because we have more serious exploits to deal with in the short term.
[nsbeta2-]
Whiteboard: [nsbeta2-]
Mass-moving all nsbeta2- bugs to M20
Target Milestone: M17 → M20
joki nailed these while fixing similar security issues for bug 25117
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED