Feedback is required when "cross site link open to frame" is denied by docshell.frameloadcheck.disabled=false

RESOLVED WORKSFORME

Status

Firefox
General
--
enhancement
13 years ago
4 years ago

People

(Reporter: World, Unassigned)

Tracking

(Depends on: 1 bug)

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

13 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8a2) Gecko/20040630
Build Identifier: Firefox 0.9.1 Release Build (Win-2K)

Feedback is required when "cross site link open to frame" is denied by
docshell.frameloadcheck.disabled=false.
I think "no feedback about denial" will probably produce tons of bugs such as
Bug 247070 in the near future, although information on the new feature is written in
the Known Issues section of the Release Notes.

Possible "Feedback" is:
(A) Status bar message when link is clicked or on mouseover.
(B) Permission/denial dialog when link is clicked.
    UI to enable/disable this dialog is also required.

(B) is better (probably IE does), but I think (A) is sufficient.


Reproducible: Always
Steps to Reproduce:

Updated

13 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
(Reporter)

Comment 1

13 years ago
Note: Inhibiting of opening of cross site link to frame is introduced by
security Bug 246448.
> Bug 246448 : can spoof framed sites by changing frame contents

I found Bug 249751 which is the <iframe> case after the fix of Bug 246448.

*** Bug 251804 has been marked as a duplicate of this bug. ***

Assignee: bross2 → nobody
(Reporter)

Updated

10 years ago
Depends on: 84128

I don't believe docshell.frameloadcheck.disabled is a recognized pref anymore...WADA, is this bug still valid?
Flags: needinfo?(m-wada)
(Reporter)

Comment 4

4 years ago
(In reply to Mike Conley (:mconley) from comment #3)
> I don't believe docshell.frameloadcheck.disabled is a recognized pref anymore...

I can't find docshell.frameloadcheck.disabled (no source contains "frameloadcheck" in MXR), but can see security.checkloaduri etc.

I don't think a bug for old behaviour based on an already removed setting & changed code is useful. Closing as WORKSFORME, because security related features are re-written and perhaps are already improved very much.

WADA, is this bug still valid?
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Flags: needinfo?(m-wada)
Resolution: --- → WORKSFORME