The default bug view has changed. See this FAQ.

scripts can create a window with no close box using close=no

VERIFIED FIXED in mozilla0.9.6

Status

()

Core
Security
VERIFIED FIXED
16 years ago
15 years ago

People

(Reporter: Mitchell Stoltz (not reading bugmail), Assigned: Mitchell Stoltz (not reading bugmail))

Tracking

Trunk
mozilla0.9.6
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(URL)

Attachments

(1 attachment)

It's possible for a script to create a window with no close box. The window can
still be closed with a keyboard shortcut, but some users may not be aware of
this, in which case they're stuck with a window they can't close except by
killing the browser. This is not good.
(Assignee)

Comment 1

16 years ago
Created attachment 53356 [details] [diff] [review]
Patch - can't hide close box without privileges
(Assignee)

Comment 2

16 years ago
The problem with this patch is that it will probably cause close boxes to always
appear on JS alerts, confirms, and prompts. These currently have close boxes
under Windows, but not on other platforms and there's a bug to fix that (50521).
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla0.9.6

Updated

16 years ago
Summary: scripts can create a window with no close box → scripts can create a window with no close box using close=no

Comment 3

16 years ago
The Mac crowd will howl when this goes in, and bug 50521 was more a suggestion
than a bug. It's pretty common for Windows apps to have close boxes on their
alerts. I see a storm coming. But I see the need for this bug, too. r=danm.
(Assignee)

Comment 4

16 years ago
Actually, I tested this patch on Mac, and alerts still have no close boxes, even
though the security code in nsWindowWatcher::CalculateChromeFlags is now setting
the has-closebox flag to true. I'm not sure why; the security code is being
overridden somewhere in that case, but the result is exactly what we want, so I
say we go with it.
Comment on attachment 53356 [details] [diff] [review]
Patch - can't hide close box without privileges

sr=jst
Attachment #53356 - Flags: superreview+
Attachment #53356 - Flags: review+
(Assignee)

Comment 6

16 years ago
Fix checked in.
Status: ASSIGNED → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → FIXED

Comment 7

16 years ago
Verified on 2001-10-31-Trunk build on WinNT

A window is opened with a close box using above test case.
Status: RESOLVED → VERIFIED
(Assignee)

Updated

15 years ago
Group: security?
You need to log in before you can comment on or make changes to this bug.