Closed Bug 254187 Opened 21 years ago Closed 20 years ago

Even with pref dom.disable_window_status_change=true, it is possible to change statusbar, using dom level2 events.

Categories

(Core :: DOM: Events, defect)

Product:
Core
Component:
DOM: Events
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: martijn.martijn, Unassigned)

References

(
URL
)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a3) Gecko/20040801 Firefox/0.9.1+ Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a3) Gecko/20040801 Firefox/0.9.1+ Using dom level2 events, you can create a mouseover event. When you create a mouseover event at a link, the statusbar text changes to the text of the href attribute that link has. This could be used to spoof the statusbar, even when the user (or the browser) has the dom.disable_window_status_change preference set to true. See testcase url. Reproducible: Always Steps to Reproduce: 1. Visit testcase url. 2. 3. Actual Results: The statusbar shows "http://trustme.com/This is evil status bar text". Expected Results: No statusbar text, or the statusbar text you get, by hovering over the links.
Summary: Even with pref dom.disable_window_status_change=true, it is possible to change statusbar, using dom level2 events. → Even with pref dom.disable_window_status_change=true, it is possible to change statusbar, using dom level2 events.
This is definitely a bug. The question is what to do about it. Perhaps when dom.disable_window_status_change is enabled then the status bar should never change because of link mouseovers. For example, you could enclose the entire page in an A element whose HREF has the status you want...
But isn't the point of this pref to allow the user to see the URLs of links in the statusbar?
Hmm. Then what do you suggest?
After I opened the test case all pages within that window (i.e. all other tabs) show for links at the status bar the custom link text (after a short delay, first you can see for 200 ms the original and correct link text due to the setInterval delay).
This doesn't seem to be happening anymore, using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a5) Gecko/20041024 Firefox/0.9.1+
The url testcase doesn't work anymore, and I've lost my testcase (stupid of me, I know). But anyway, my last observation was that it is wfm, so I'm marking this wfm.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.