Closed Bug 1217379 Opened 9 years ago Closed 9 years ago

Website elements shown over scrollbar!

Categories

(Firefox :: Untriaged, defect)

41 Branch
defect
Not set
normal

Tracking

()

RESOLVED INVALID

People

(Reporter: sexxxenator, Unassigned)

Details

Attachments

(1 file)

Attached image bug_ff.png
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
Build ID: 20151015172656

Steps to reproduce:

I opened page: http://crypt-sdk.blogspot.fr/2011/11/how-to-set-proxy-settings-in-vlc-http.html
With a few addons enabled (Ghostery, Privacy Badger, etc., but most probably the problem here is related to NoScript)


Actual results:

Some of the elements (floating menus) of the website are displayed on top of FF's GUI elements (here, the scrollbar)


Expected results:

No website element should be displayed outside the internal frame!!!! And that should be the case whatever plugin is installed!!!
This is a security issue as:
1. This can be used to deny access to (or, worse, to hijack) some of FF's features
2. It means the website has control over elements it shouldn't be aware of!

This is the website layering content over its own things. That is perfectly possible, works the same in other browsers, and has been possible for a long time (maybe always, I don't remember if the "position: fixed" that the website is using is necessary; it may not be). The scrollbar is not really a "browser feature" - the page puts it there by setting overflow-y on the box.

Here's a minimal-ish JSBin testcase that behaves the same way in Firefox and Chrome and which shows this behaviour:

http://jsbin.com/dunotofaho/edit?html,css,output

Here's the same testcase but with no scrollbar at all:

http://jsbin.com/masukepaji/1/edit?html,css,output

In conclusion, webpages can mess with their own layout (including overlaying/hiding scrollbars) pretty much however they like.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
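
The layout described in the reply above, as an added example (not the linked JSBin testcase and not the reported site's markup): a box with overflow-y draws its scrollbar inside the page, and a position: fixed menu paints over it. The ids box, menu and report are assumptions made for this example; the script prints which element owns the scrollbar.

```html
<!DOCTYPE html>
<!-- Constructed example; the ids "box", "menu" and "report" are assumptions,
     not taken from the reported site. -->
<html>
<head>
<meta charset="utf-8">
<style>
  /* The viewport itself never scrolls, so the browser draws no scrollbar of its own. */
  html, body { margin: 0; height: 100%; overflow: hidden; }
  /* This box fills the window and scrolls; its scrollbar is painted inside the page. */
  #box { height: 100%; overflow-y: scroll; }
  #box p { height: 300vh; margin: 0; padding: 1em; }
  /* Fixed positioning is relative to the viewport, which here includes the strip
     where #box paints its scrollbar, so the menu covers part of it. */
  #menu { position: fixed; top: 40%; right: 0; width: 8em; padding: 1em;
          background: #fc0; z-index: 10; }
  #report { position: fixed; left: 0; bottom: 0; margin: 0; background: #eee; }
</style>
</head>
<body>
<div id="box"><p>Long page content</p></div>
<div id="menu">Floating menu</div>
<pre id="report"></pre>
<script>
  // Reports which element owns the scrollbar and whether the menu overlaps it.
  var box = document.getElementById('box');
  var menu = document.getElementById('menu');
  var root = document.documentElement;
  // Width of the classic scrollbar #box reserves (0 with overlay scrollbars).
  var barWidth = box.offsetWidth - box.clientWidth;
  var boxRect = box.getBoundingClientRect();
  var menuRect = menu.getBoundingClientRect();
  var barLeft = boxRect.right - barWidth;
  var covers = barWidth > 0 && menuRect.right > barLeft && menuRect.left < boxRect.right;
  document.getElementById('report').textContent =
    'viewport scrolls: ' + (root.scrollHeight > root.clientHeight) + '\n' +
    '#box scrollbar width: ' + barWidth + 'px\n' +
    'menu overlaps #box scrollbar: ' + covers;
</script>
</body>
</html>
```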