Closed Bug 104495 Opened 18 years ago Closed 18 years ago

scripts can create a window with no close box using close=no

Categories: Core :: Security, defect
Status: VERIFIED FIXED
Target Milestone: mozilla0.9.6
People: Reporter: security-bugs, Assigned: security-bugs
Attachments: 1 file

It's possible for a script to create a window with no close box. The window can
still be closed with a keyboard shortcut, but some users may not be aware of
this, in which case they're stuck with a window they can't close except by
killing the browser. This is not good.

The problem with this patch is that it will probably cause close boxes to always
appear on JS alerts, confirms, and prompts. These currently have close boxes
under Windows, but not on other platforms and there's a bug to fix that (50521).

Status: NEW → ASSIGNED
Target Milestone: --- → mozilla0.9.6
Summary: scripts can create a window with no close box → scripts can create a window with no close box using close=no

The Mac crowd will howl when this goes in, and bug 50521 was more a suggestion
than a bug. It's pretty common for Windows apps to have close boxes on their
alerts. I see a storm coming. But I see the need for this bug, too. r=danm.

Actually, I tested this patch on Mac, and alerts still have no close boxes, even
though the security code in nsWindowWatcher::CalculateChromeFlags is now setting
the has-closebox flag to true. I'm not sure why; the security code is being
overridden somewhere in that case, but the result is exactly what we want, so I
say we go with it.

Comment on attachment 53356
Patch - can't hide close box without privileges

sr=jst

Attachment #53356 - Flags: superreview+
Attachment #53356 - Flags: review+

Fix checked in.

Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED

Verified on 2001-10-31-Trunk build on WinNT

A window is opened with a close box using above test case.

Status: RESOLVED → VERIFIED
Group: security?
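
The policy this bug settled on, as an added C++ sketch that is neither Mozilla's patch nor the real nsWindowWatcher::CalculateChromeFlags: a feature string such as close=no can clear the close-box flag only when the caller is privileged. The flag values, the function names and the default for unlisted features are assumptions made for the illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdint>
#include <sstream>
#include <string>

// Hypothetical flag bits for this sketch (not Mozilla's real chrome flag values).
enum : uint32_t { kTitlebar = 1u << 0, kClose = 1u << 1, kResizable = 1u << 2 };

// Look up "name=yes|no|1|0" in a comma-separated feature string.
// Returns false when the feature is not mentioned at all.
static bool FeatureValue(const std::string& features, const std::string& name,
                         bool& value) {
  std::stringstream ss(features);
  std::string item;
  while (std::getline(ss, item, ',')) {
    // Normalise each entry: drop whitespace, lower-case.
    item.erase(std::remove_if(item.begin(), item.end(),
                              [](unsigned char c) { return std::isspace(c); }),
               item.end());
    std::transform(item.begin(), item.end(), item.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    const auto eq = item.find('=');
    if (item.substr(0, eq) != name) continue;
    const std::string v = (eq == std::string::npos) ? "yes" : item.substr(eq + 1);
    value = (v == "yes" || v == "1");
    return true;
  }
  return false;
}

// Assumption of this sketch: features the string does not mention stay on.
uint32_t CalculateChromeFlagsSketch(const std::string& features,
                                    bool callerIsPrivileged) {
  const struct { const char* name; uint32_t bit; } table[] = {
      {"titlebar", kTitlebar}, {"close", kClose}, {"resizable", kResizable}};
  uint32_t flags = 0;
  for (const auto& f : table) {
    bool on = true;
    FeatureValue(features, f.name, on);
    if (on) flags |= f.bit;
  }
  // The policy from this bug: a caller without privileges cannot hide the
  // close box, whatever the feature string asked for.
  if (!callerIsPrivileged) flags |= kClose;
  return flags;
}
```

The override is applied after parsing, so it holds regardless of how the close feature is spelled or spaced in the string.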