104495 - scripts can create a window with no close box using close=no

Status: VERIFIED FIXED

(Core :: Security, defect)

Description

[Mitchell Stoltz (not reading bugmail)]

It's possible for a script to create a window with no close box. The window can
still be closed with a keyboard shortcut, but some users may not be aware of
this, in which case they're stuck with a window they can't close except by
killing the browser. This is not good.

Comment 1

[Mitchell Stoltz (not reading bugmail)]

Attachment: Patch - can't hide close box without privileges

Comment 2

[Mitchell Stoltz (not reading bugmail)]

The problem with this patch is that it will probably cause close boxes to always
appear on JS alerts, confirms, and prompts. These currently have close boxes
under Windows, but not on other platforms and there's a bug to fix that (50521).

Comment 3

[Dan M]

The Mac crowd will howl when this goes in, and bug 50521 was more a suggestion
than a bug. It's pretty common for Windows apps to have close boxes on their
alerts. I see a storm coming. But I see the need for this bug, too. r=danm.

Comment 4

[Mitchell Stoltz (not reading bugmail)]

Actually, I tested this patch on Mac, and alerts still have no close boxes, even
though the security code in nsWindowWatcher::CalculateChromeFlags is now setting
the has-closebox flag to true. I'm not sure why; the security code is being
overridden somewhere in that case, but the result is exactly what we want, so I
say we go with it.

Comment 5

[Johnny Stenback (:jst)]

Comment on attachment 53356 [details] [diff] [review]
Patch - can't hide close box without privileges

sr=jst

Comment 6

[Mitchell Stoltz (not reading bugmail)]

Fix checked in.

Comment 7

[bsharma]

Verified on 2001-10-31-Trunk build on WinNT

A window is opened with a close box using above test case.