Closed Bug 252389 Opened 20 years ago Closed 20 years ago

Content border and scrollbar inconsistent with Windows

Categories

(Firefox :: Shell Integration, defect)

x86
Windows XP
defect
Not set
trivial

RESOLVED WONTFIX

People

(Reporter: nrlz, Assigned: bugs)

Attachments

(2 files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040616
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040616

The default Firefox theme on Windows does not conform to the Windows scrollable
component guidelines. The Firefox theme has the scrollable area at the same
depth of the surrounding window and the scrollbars are raised above the window.

Windows scrollable components, on the other hand, have a double inset border
around the scrollable area. The scrollbar is then placed at the same depth of
the content and inside the double inset border. This makes the scrollbar lower
than the depth of the window.

Ref: http://msdn.microsoft.com/library/en-us/dnwue/html/ch07d.asp

Reproducible: Always
Steps to Reproduce:



Expected Results:  
The default Firefox theme on Windows should conform to the Windows look and feel
with respect to scrollable components.

A current workaround is to include this in the "userChrome.css" file:
====
vbox#appcontent {
  border-right: 1px solid ThreeDHighlight;
  border-bottom: 1px solid ThreeDHighlight;
  border-left: 1px solid ThreeDShadow;
}
tabbrowser#content {
  border-top: 1px solid ThreeDDarkShadow;
  border-right: 1px solid ThreeDFace;
  border-bottom: 1px solid ThreeDFace;
  border-left: 1px solid ThreeDDarkShadow;
}
====

having a border in that situation is a usability loss, and not having the border
is a deliberate design decision (since you can move the mouse to the edge of a
maximized window and take action, instead of having to move slightly back).

The Windows UI guidelines you linked don't say anything about styling, just
functionality, which we match. 

Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → WONTFIX

How about removing the right edge border when the window is maximized and
restoring it when not maximized?

And only the right edge is affected by the scrolling; the top left and bottom
can have borders like normal with no usability loss.


Here's how to draw a Windows component:
"Field Border Style:... You can also use the style to define the work area
within a window."
http://msdn.microsoft.com/library/en-us/dnwue/html/ch14c.asp

I'm gathering that this won't be changed.

What about the implications of a website faking the address bar or status bar? A
sort of phishing attack. They could open a new window with no status bar and
address bar with "window.open(,,'status=no,location=no')" and since the content
area has no borders separating the webpage with the browser chrome, the user
would not be able to tell the difference. The attacker could even fake the
'secure' icon in the taskbar and add a secure icon next to the address bar (FF
1.0 feature).

A demo. Works with the default Windows skin. Could be extended to sniff out
other OSes and their default skins.

CC: Ben Goodger

Notify of change.

you could easily hack up a scrollbar to look the same anyway (using
images+javascript), so the point is largely moot.  If a 1px border is our best
defense against phishing, we're in trouble.  There are much better solutions
coming through.  (e.g. we are probably going to follow suit with IE's lead and
not support status="no" (and make it a fixed part of the interface)).

oh, and ben doesn't read bugmail.

> oh, and ben doesn't read bugmail.

I didn't know if anyone would be notified if I updated this post because I saw
that the CC field was blank so I added the email from the "assigned to" box to
the CC box. (I'm still not quite sure how the bugzilla thing works.) I couldn't
see your email anywhere in the text boxes above so I don't know what happens.

> you could easily hack up a scrollbar to look the same anyway (using
> images+javascript), so the point is largely moot.

My point wasn't that people could easily mimic the browser components, but that
they could be made indistinguishable from the real thing; even to an expert.
Normally an expert could identify something fake because it doesn't "flow" with
the browser chrome. But since the chrome in this case is undifferentiated, the
expert could easily be fooled (unless they were very sceptical and looked at
the source.)

> If a 1px border is our best defense against phishing, we're in trouble.

This was an example of how phishing could be aided. Of course altering it
wouldn't fix phishing totally. That's an unrealistic expectation since phishing
is mainly caused by untrained users. I don't expect a 1px border to defend
against phishing but it would allow the user to differentiate between web
content and browser components when the line is deliberately blurred.

Even if you don't think there are security repercussions (and I think there
are), there are at least inconvenience repercussions. Banner ads could be made
to look more like a browser dialog box.

> There are much better solutions
> coming through.  (e.g. we are probably going to follow suit with IE's lead and
> not support status="no" (and make it a fixed part of the interface)).

If the status bar is going to remain on screen, which I think is a good idea but
too bad it isn't on by default, then so be it. Is the address bar also going to
be visible by default?
*** Bug 296584 has been marked as a duplicate of this bug. ***
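
The `window.open` feature string raised in this thread ('status=no,location=no'), looked at from the reviewing side: an added example, not part of the original bug report, that parses a feature string and reports which trust-relevant bars the popup asks to hide. The names `TRUST_CHROME`, `parseFeatures` and `hiddenTrustChrome` are hypothetical, and the "unlisted features default to off" rule is an assumption modelled on legacy popup behaviour.

```javascript
// Added example: audit a window.open() features string for requests that
// hide the browser chrome a user relies on to judge where a page came from.
// All names below are hypothetical.

// Bars whose absence makes page content hard to tell apart from browser UI.
const TRUST_CHROME = ["location", "status"];

// Split "a=no, b=1,c" into a Map of lower-cased name -> boolean.
// A bare name ("status"), "yes" or "1" counts as on; anything else is off.
function parseFeatures(features) {
  const parsed = new Map();
  for (const token of String(features || "").split(",")) {
    const [rawName, ...rest] = token.split("=");
    const name = rawName.trim().toLowerCase();
    if (!name) continue; // skip empty tokens such as ",,"
    const value = rest.join("=").trim().toLowerCase();
    parsed.set(name, value === "" || value === "yes" || value === "1");
  }
  return parsed;
}

// Return the trust-relevant bars the popup asks to hide.
// Assumption: once any feature is listed, every bar that is not switched
// on explicitly is treated as off (legacy popup behaviour).
function hiddenTrustChrome(features) {
  const parsed = parseFeatures(features);
  if (parsed.size === 0) return []; // empty string: browser defaults apply
  return TRUST_CHROME.filter((name) => parsed.get(name) !== true);
}

// Constructed sample feature strings, as a page script might pass them.
const samples = [
  "status=no,location=no",
  "width=400,height=300",
  "location=yes,status=yes,width=400",
  "",
];
for (const s of samples) {
  const hidden = hiddenTrustChrome(s);
  const verdict = hidden.length ? "hides " + hidden.join(", ") : "ok";
  console.log(JSON.stringify(s), "->", verdict);
}
```

A size-only string such as "width=400,height=300" is flagged too, because under the assumed legacy rule it hides both bars without naming them.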