Closed
Bug 348373
Opened 18 years ago
Closed 18 years ago
Location bar should be visible by default in script-initiated windows
Categories
(Core :: DOM: Core & HTML, defect)
RESOLVED
DUPLICATE
of bug 337344
People
(Reporter: bugzilla, Unassigned)
Attachments
(1 file)
968 bytes,
text/html
It is somewhat contradictory that Gecko-based browsers make the effort of identifying https addresses (with a yellow-brownish background-color in the location bar) and implement anti-phishing measures and that, on the other hand, they still allow by default secondary windows (window.open() script-initiated) to have a missing/removed location bar.

"We think the address bar is also important for users to see in pop-up windows. A missing address bar creates a chance for a fraudster to forge an address of their own. To help thwart that, IE7 will show the address bar on all internet windows to help users see where they are."
coming from IE7 Blog, November 2005, Better Website Identification
http://blogs.msdn.com/ie/archive/2005/11/21.aspx

I can upload a screenshot of the MSIE 7 (beta 3: build date is June 29th 2006) security setting: by default, MSIE 7 (beta 2 and beta 3) address bar default setting is visible.

In MSIE 7 beta 2 and beta 3:
Tools/Internet Options/Security tab/Internet Zone/Custom Level... button/Miscellaneous section/Allow webpages to open windows without address and status bars/"Disabled" radio button is checked by default

"hiding the location bar is a security problem, as it facilitates URL phishing."
coming from bug 241571 comment #0

Actual results:
a) Tools/Options.../Content tab/Advanced... button (javascript options: allow scripts to:) does not even list "Hide Location bar" in Firefox 2.0b1 rv:1.8.1b1 build 20060810 BonEcho
b) Edit/Preferences.../Advanced category/Scripts & Plugins/Allow scripts to: Hide the location bar in Seamonkey 1.5a rv: 1.9a1 build 2006080910 under XP Pro SP2

Expected results:
a) Tools/Options.../Content tab/Advanced... button (javascript options: allow scripts to:) "Hide Location bar" with its checkbox unchecked (by default) in Firefox 2.x
b) Edit/Preferences.../Advanced category/Scripts & Plugins/Allow scripts to: Hide the location bar with its checkbox unchecked (by default) in Seamonkey 1.x

Notes:
======
1- Compatibility with IE 7 ... just like with status bar visibility.
2- I was not sure if this could be considered as a security issue; I'll let you guys decide to confirm or not this bug.
3- Somewhat related to this bug are: bug 107949, bug 241571, bug 75158
Reporter
Comment 1•18 years ago
Load testcase, then click the "Go to bug 75158" link. The created popup/secondary window will not have a location/url bar. In about:config, the preference name dom.disable_window_open_feature.location should be set (status) to default.
Comment 2•18 years ago
The hostname was added to the title of windows without location bars to address this kind of spoofing (bug 304388). To the extent that's not sufficient, bug 337344 covers this request.

*** This bug has been marked as a duplicate of 337344 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
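
An added example, not part of the bug report or Mozilla's code: a profile audit for the pref named in comment 1, which reports whether a profile forces the location bar to stay visible in script-opened windows. It assumes the `user_pref(...)` line format of prefs.js/user.js and that an unset pref behaves as false; the sample file contents are constructed.

```python
import re

# Pref named in comment 1; when true, scripts cannot hide the location bar.
PREF = "dom.disable_window_open_feature.location"
# Assumption: absent from the profile means false (scripts may hide the bar),
# which is what the reproduction steps in comment 1 imply.
ASSUMED_DEFAULT = False

_PREF_LINE = re.compile(
    r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;'
)

def parse_prefs(text):
    """Return {name: value} from prefs.js/user.js text; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_LINE.match(line)
        if not m:
            continue  # comments, blank lines, commented-out user_pref calls
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs

def location_bar_enforced(prefs_js, user_js=""):
    """True only if the effective value is boolean true; user.js overrides prefs.js."""
    effective = {**parse_prefs(prefs_js), **parse_prefs(user_js)}
    return effective.get(PREF, ASSUMED_DEFAULT) is True

# Constructed sample profile contents (not taken from a real profile).
SAMPLE_PREFS_JS = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
// user_pref("dom.disable_window_open_feature.location", true);
user_pref("dom.disable_window_open_feature.status", true);
'''
SAMPLE_USER_JS = 'user_pref("dom.disable_window_open_feature.location", true);\n'

if __name__ == "__main__":
    print("prefs.js only:", location_bar_enforced(SAMPLE_PREFS_JS))
    print("with user.js :", location_bar_enforced(SAMPLE_PREFS_JS, SAMPLE_USER_JS))
```

A value stored as the string "true" rather than the boolean is reported as not enforced, since the pref is a boolean.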