Closed Bug 255388 Opened 20 years ago Closed 20 years ago

window can be resized to hide statusbar or other ui components

Categories

(Firefox :: General, defect)

1.0 Branch
defect
Not set
major

RESOLVED WORKSFORME

People

(Reporter: dragon, Assigned: bugzilla)

User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.2) Gecko/20040811 Firefox/0.9.1+
Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.2) Gecko/20040811 Firefox/0.9.1+

A window or popup can be resized so that important parts of the browser-interface can be hidden. For example a site could resize my main browser window to hide the tab bar or launch a popup that is so small that the statusbar is not visible any more.

This basically blocks Bug 252811 and Bug 245406, because although the statusbar cannot be hidden by default anymore, it can not be seen if the popup has a very small size. Even if you do not allow scripts to move or resize existing windows, a script could still open such a small popup via window.open.

Example (with and without ssl):
http://www.dragosan.net/test/mozilla/odd_resize/
https://ssl.webpack.de/dragosan.net/test/mozilla/odd_resize/

Reproducible: Always

Steps to Reproduce:
Summary: window can be resized in such a way that the statusbar or other ui components can be hidden → window can be resized to hide statusbar or other ui components
Related bugs:
Bug 84754 Malicious javascript can be used to hide a window and pop up ads, etc.
Bug 104303 script can make a window larger than the screen (Linux)
Bug 118717 Never let sites position windows outside the screen
Bug 161903 [RFE] Add pref for ignoring window size options on window.open()
Bug 176320 Minimal innerWidth/innerHeight values for popup windows
Bug 239876 combined specification of one inner and one outer dimension of a popUp window is not honored

This looks like dupe of Bug 118717.
Blocks: 245406, 252811
OS: Windows 98 → All
Hardware: PC → All
Version: unspecified → 1.0 Branch
*** This bug has been marked as a duplicate of 118717 ***
No longer blocks: 245406, 252811
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED
Would someone please explain why this bug should be a duplicate of 118717? The former is already fixed since Moz 1.7 and is about positioning windows outside the screen. Whereas this bug is about resizing windows in Firefox to small sizes, for example to hide the statusbar, ignoring the pref that should restrict that (see 252811). The statusbar is still there, but not visible in the window, as it should. You can do the same to hide the tab bar, which can be very annoying, and you could even use it to open hidden windows in new tabs, too, if someone has set all links to open in tabs instead of windows via an extension. Perhaps I missed something; however, AFAIK this bug is not fixed, which is implied by marking it a duplicate of a fixed bug, so the bug should be reopened.
Blocks: 245406, 252811
Status: VERIFIED → UNCONFIRMED
Resolution: DUPLICATE → ---
This bug is critical. One can use this bug for "phishing" purposes! One can just resize Firefox's main window to hide its statusbar. He then can also draw a fake statusbar at the bottom of the main window. He can then force you to download and execute anything (the fake statusbar can display wrong information about the link; users will blindly click on this link).
Flags: blocking-aviary1.0?
Resizing the main window leaves the toolbars untouched (1.0PR) but the pop-up indeed hides its stuff. Making it large will show the status bar, but not the menu bar. At least the location bar should be visible in pop-ups... (I noticed this already in 0.9.3; there the tabbed bar is hidden...)
Hrnm, I definitely think we should do something about this. XUL gurus, is there any way to get the statusbar to be the "anchor", so that if the window is too small, the main content disappears, instead of the status bar?
Status: UNCONFIRMED → NEW
Ever confirmed: true
If dom.disable_window_open_feature.status is true, the statusbar height should be fixed, preventing spoofing/phishing. If dom.disable_window_open_feature.status is false, the statusbar height can be left the way it is now (user's responsibility).
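The policy proposed in the comment above, combined with the minimum-size idea from Bug 176320, as an added example that is not part of the thread and not Mozilla code. The function names, the 100 px floor and the `locked` object (standing in for dom.disable_window_open_feature.* prefs) are assumptions made for illustration.

```javascript
// Added illustration, not Mozilla code. Limits and names are assumptions.
const MIN_INNER = { width: 100, height: 100 };  // assumed floor, in CSS px
const LOCKED = { status: true };  // models dom.disable_window_open_feature.status = true

// Parse a window.open() features string such as "width=10,height=10,status=no".
function parseFeatures(str) {
  const out = {};
  for (const part of String(str || "").split(",")) {
    const [rawKey, rawVal] = part.split("=");
    const key = (rawKey || "").trim().toLowerCase();
    if (!key) continue;
    // A bare feature name ("status") counts as switched on.
    out[key] = (rawVal === undefined ? "yes" : rawVal).trim().toLowerCase();
  }
  return out;
}

const isOn = (v) => v === "yes" || v === "1" || v === "true";

// Return the features a browser applying this policy would honour,
// plus notes on every request it overrode.
function sanitizeFeatures(str, locked = LOCKED, min = MIN_INNER) {
  const req = parseFeatures(str);
  const features = {};
  const notes = [];
  for (const dim of ["width", "height"]) {
    const raw = req[dim] ?? req["inner" + dim];  // innerWidth/innerHeight aliases
    if (raw === undefined) continue;             // page did not request a size
    const n = parseInt(raw, 10);
    if (Number.isNaN(n) || n < min[dim]) {
      features[dim] = min[dim];                  // too small to show chrome: clamp
      notes.push(`${dim} raised to ${min[dim]}`);
    } else {
      features[dim] = n;
    }
  }
  for (const bar of ["status", "location", "menubar", "toolbar"]) {
    const asked = req[bar] !== undefined && isOn(req[bar]);
    features[bar] = locked[bar] ? true : asked;  // a locked bar cannot be turned off
    if (locked[bar] && !asked) notes.push(`${bar} forced on`);
  }
  return { features, notes };
}
```

Clamping the size and forcing the bar on are both needed: with only the pref, the status bar exists but a 10x10 window still leaves no room to draw it, which is the case this bug reports.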
> is there any way to get the statusbar to be the "anchor"

Not that I'm aware (though perhaps there should be). The problem is that iframes have a height of 150 by default. Setting min-height: 1 in xul.css should allow the browser frame to shrink, but there might be other issues.
Blocks: 262366
*** Bug 264335 has been marked as a duplicate of this bug. ***
If I open two tabs in a small window (thus with hidden statusbar), load a page such as mozilla.org into the first tab and close the first tab, the status bar and horizontal scroll bar appear. After this, whatever the size of the window, the components do not disappear again (unless there is no room for them).
Could the fix in 217477 (not checked into aviary) also help here? Seems to have helped for suite, that also had this bug.
Flags: blocking-aviary1.0? → blocking-aviary1.0-
It's the browser's responsibility to prevent webpages from mimicking parts of the interface in ways that could be harmful. This now involves a lot of reports here but also on security-related websites. I'd say the menu, toolbar and addressbar must never be hidden. Bookmarks and tabs are harmless I suppose.

More important, why not use the addressbar instead of the statusbar/informationbar for notices? In the same way it is now used to signal that a website is secure, by changing the background color and displaying an icon on the right side of the addressbar. For example the popup-blocker could make it turn red with the crossed-box icon, extension related stuff could make it green with the puzzle icon etc.

This way the statusbar can also be harmless to be hidden and there would be no need for the information bar (also see bug #252257). The user can depend on the information being displayed and available in a consistent/reliable way. There could be extra information under the icon's tooltip and this could pop up for a couple of seconds when an event takes place.

Lots of stuff could be added this way, also by cleverly stacking these statuses in such a way that the most relevant is shown at a time. For instance the popup blocker could be top-most but disappear after a while, so could the 'extension installation'. Meanwhile the secure/insecure icon could be shown as a smaller, secondary icon and then after a while swap them so the other notice remains visible.

..sorry for the long comment..
The bug seems to have been fixed by now.

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
correction resolution --> wfm
Status: REOPENED → RESOLVED
Closed: 20 years ago
Resolution: --- → WORKSFORME
This was serendipitously fixed by the checkin for bug 217477.
On the branches it was not serendipitous, we explicitly applied that patch to fix bug 284551 (which is a dupe of this one -- sorry I didn't notice when I was cc'd. I'm cc'd on a lot of bugs).