Website elements shown over scrollbar!

RESOLVED INVALID

Status

Firefox
Untriaged

People

(Reporter: L.I.A.R., Unassigned)

Tracking

41 Branch

(Reporter)

Description

3 years ago
Created attachment 8677409
bug_ff.png

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
Build ID: 20151015172656

Steps to reproduce:

I opened the page: http://crypt-sdk.blogspot.fr/2011/11/how-to-set-proxy-settings-in-vlc-http.html
With a few addons enabled (Ghostery, PrivacyBadger, etc., but most probably the problem here is related to NoScript)


Actual results:

Some of the elements (floating menus) of the website are displayed on top of FF's GUI elements (here, the scrollbar)


Expected results:

No website element should be displayed outside the internal frame!!!! And that should be the case whatever plugin is installed!!!
This is a security issue as:
1. This can be used to deny access to (or, worse, to hijack) some of FF's features
2. it means the website has control over elements it shouldn't be aware of!

This is the website layering content over its own things. That is perfectly possible, works the same in other browsers, and has been possible for a long time (maybe always, I don't remember if the "position: fixed" that the website is using is necessary; it may not be). The scrollbar is not really a "browser feature" - the page puts it there by setting overflow-y on the box.

Here's a minimal-ish JSBin testcase that behaves the same way in Firefox and Chrome and which shows this behaviour:

http://jsbin.com/dunotofaho/edit?html,css,output

Here's the same testcase but with no scrollbar at all:

http://jsbin.com/masukepaji/1/edit?html,css,output

In conclusion, webpages can mess with their own layout (including overlaying/hiding scrollbars) pretty much however they like.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → INVALID
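
A self-contained page showing the behaviour explained in the comment above, added here as an example (it is not the JSBin testcase and not code from anyone on this bug; the ids `box`, `menu` and `report` are made up for the illustration). The scrollbar comes from `overflow-y` on a page element, a `position: fixed` element is painted over it, and the script reports that the element's rectangle never leaves the viewport.

```html
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Page-owned scrollbar covered by page content</title>
<style>
  /* Suppress the viewport's own scrollbar so only #box can show one. */
  html, body { margin: 0; height: 100%; overflow: hidden; }
  /* This scrollbar is drawn by the page element, not by the browser UI. */
  #box { height: 100%; overflow-y: scroll; }
  #box p { height: 300vh; margin: 0; padding: 1em; }
  /* Fixed element pinned to the right edge, where #box draws its scrollbar. */
  #menu { position: fixed; top: 40%; right: 0; width: 8em; padding: 1em;
          background: #fc0; }
  #report { position: fixed; left: 0; bottom: 0; margin: 0; background: #fff; }
</style>
</head>
<body>
<div id="box"><p>Long content that makes the box scroll.</p></div>
<div id="menu">floating menu</div>
<pre id="report"></pre>
<script>
  const box = document.getElementById('box');
  const b = box.getBoundingClientRect();
  const menu = document.getElementById('menu').getBoundingClientRect();
  // Width #box reserves for its own scrollbar (0 with overlay scrollbars).
  const barWidth = box.offsetWidth - box.clientWidth;
  // Does the menu reach into the strip where #box paints that scrollbar?
  const coversBar = barWidth > 0 && menu.right > b.right - barWidth;
  // The menu's rectangle stays within the viewport, the page's own area.
  const insideViewport = menu.left >= 0 && menu.top >= 0 &&
    menu.right <= window.innerWidth && menu.bottom <= window.innerHeight;
  document.getElementById('report').textContent =
    'scrollbar width of #box: ' + barWidth + 'px\n' +
    'menu covers #box scrollbar: ' + coversBar + '\n' +
    'menu inside viewport: ' + insideViewport;
</script>
</body>
</html>
```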