Closed Bug 180747 Opened 21 years ago Closed 12 years ago

Untrusted content shouldn't be able to resize to smaller that 10/100 pixels, or larger that screen. Is this always so?


(Core :: XUL, defect)

(Reporter: bsharma, Assigned: jrgmorrison)


(Depends on 2 open bugs)


(Whiteboard: [sg:investigation])

This bug is reported as the issue in the module review and jrgm asked me to make
a bug out of it.

jrgm will provide the test case.

The current minimums are ~100px, but they aren't content dimensions, they're
total window size. I think that's a DOM0 thing so we probably can't change the
meaning of the params.

I think I don't understand. What's "smaller that 10/100"?

Untrusted script at this time is not allowed to size a window smaller than 100
pixels in either dimension. But there is no upper limit.

timeless: this is a routine task for me to perform. It's not a freaking
mystery that requires that you disturb other people.

There is an upper limit somewhere; no matter what size I pick, my windows max out
at full screen. Actually the height value (on Windows anyway) doesn't seem to
take the title bar into account so it ends up slightly taller than the window.
And I don't think it takes the height of the task bar into account either, so in
the non-autohide case you hide that much more.

You can't position it off the screen either, although again on Windows it can go
further off the bottom a little (unlike the top or sides) by the height of the
titlebar plus get partially covered by the window task bar. With a minimum
height of 100 this still leaves plenty on the screen to grab.

Whiteboard: [sg:investigation]
John says XUL uses the same checks on window size as HTML, for size and

We should check moveTo, resizeTo, setting window properties like innerWidth
directly, and parameters to XUL and HTML should behave the same in
all of these cases.
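
The checks called for in the comment above can be written as a small invariant checker. This is an added example, not part of the bug report or Mozilla's code: the function names, record fields and sample observations are assumptions made for illustration, and the sample values are constructed, not measured browser behavior.

```javascript
// Added example: invariants taken from the bug discussion, checked on constructed data.
const MIN_OUTER = 100; // px; minimum total (outer) window size for untrusted script

// win: {x, y, w, h} = screenX, screenY, outerWidth, outerHeight read back after the call.
// scr: {left, top, width, height} = screen.availLeft/availTop/availWidth/availHeight.
function geometryViolations(win, scr) {
  const v = [];
  if (win.w < MIN_OUTER) v.push("width-below-min");
  if (win.h < MIN_OUTER) v.push("height-below-min");
  if (win.w > scr.width) v.push("width-exceeds-screen");
  if (win.h > scr.height) v.push("height-exceeds-screen");
  if (win.x < scr.left) v.push("off-left");
  if (win.y < scr.top) v.push("off-top");
  if (win.x + win.w > scr.left + scr.width) v.push("off-right");
  if (win.y + win.h > scr.top + scr.height) v.push("off-bottom");
  return v;
}

// Each observation: {api, kind: "html" | "xul", request, result}.
// Returns per-observation violations plus HTML/XUL results that differ for one request.
function audit(observations, scr) {
  const failures = [];
  const seen = new Map(); // "api|request" -> first observation with that key
  for (const o of observations) {
    const v = geometryViolations(o.result, scr);
    if (v.length) failures.push({ api: o.api, kind: o.kind, violations: v });
    const key = o.api + "|" + JSON.stringify(o.request);
    const prev = seen.get(key);
    if (!prev) seen.set(key, o);
    else if (prev.kind !== o.kind &&
             JSON.stringify(prev.result) !== JSON.stringify(o.result))
      failures.push({ api: o.api, kind: "parity", violations: ["html-xul-differ"] });
  }
  return failures;
}

// Constructed sample: 1024x768 screen with a 40px task bar at the bottom (728 available).
const SCREEN = { left: 0, top: 0, width: 1024, height: 728 };
const SAMPLE = [
  { api: "resizeTo", kind: "html", request: [10, 10], result: { x: 0, y: 0, w: 100, h: 100 } },
  { api: "resizeTo", kind: "xul", request: [10, 10], result: { x: 0, y: 0, w: 100, h: 100 } },
  { api: "resizeTo", kind: "html", request: [9999, 9999], result: { x: 0, y: 0, w: 1024, h: 768 } },
  { api: "moveTo", kind: "html", request: [-500, 0], result: { x: 0, y: 0, w: 300, h: 200 } },
  { api: "moveTo", kind: "xul", request: [-500, 0], result: { x: -500, y: 0, w: 300, h: 200 } },
];
```

In a test page, each `result` would be read back from the window after the call; `audit(SAMPLE, SCREEN)` flags the oversized resize that ignores the task bar, the off-screen move, and the HTML/XUL mismatch.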
Target Milestone: --- → mozilla1.4beta
Depends on: 104303, 304089
Depends on: 195854
Depends on: 304124
Depends on: 304184
OS: Windows 2000 → All
Hardware: PC → All
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: shrir → xptoolkit.widgets
Group: core-security
Closed: 12 years ago
Resolution: --- → WORKSFORME