It's possible for a script to create a window with no close box. The window can still be closed with a keyboard shortcut, but some users may not be aware of this, in which case they're stuck with a window they can't close except by killing the browser. This is not good.
The problem with this patch is that it will probably cause close boxes to always appear on JS alerts, confirms, and prompts. These currently have close boxes under Windows, but not on other platforms and there's a bug to fix that (50521).
The Mac crowd will howl when this goes in, and bug 50521 was more a suggestion than a bug. It's pretty common for Windows apps to have close boxes on their alerts. I see a storm coming. But I see the need for this bug, too. r=danm.
Actually, I tested this patch on Mac, and alerts still have no close boxes, even though the security code in nsWindowWatcher::CalculateChromeFlags is now setting the has-closebox flag to true. I'm not sure why; the security code is being overridden somewhere in that case, but the result is exactly what we want, so I say we go with it.
Comment on attachment 53356 [details] [diff] [review] Patch - can't hide close box without privileges sr=jst
Fix checked in.
Verified on 2001-10-31-Trunk build on WinNT A window is opened with a close box using above test case.