User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.2) Gecko/20040811 Firefox/0.9.1+
Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.2) Gecko/20040811 Firefox/0.9.1+
A window or popup can be resized so that important parts of the browser interface can be hidden. For example, a site could resize my main browser window to hide the tab bar or launch a popup that is so small that the statusbar is not visible any more. This basically blocks Bug 252811 and Bug 245406, because although the statusbar cannot be hidden by default anymore, it cannot be seen if the popup has a very small size. Even if you do not allow scripts to move or resize existing windows, a script could still open such a small popup via window.open.
Example (with and without ssl):
http://www.dragosan.net/test/mozilla/odd_resize/
https://ssl.webpack.de/dragosan.net/test/mozilla/odd_resize/
Reproducible: Always
Steps to Reproduce:
Summary: window can be resized in such a way that the statusbar or other ui components can be hidden → window can be resized to hide statusbar or other ui components
*** This bug has been marked as a duplicate of 118717 ***
Would someone please explain why this bug should be a duplicate of 118717? The former is already fixed since Moz 1.7 and is about positioning windows outside the screen, whereas this bug is about resizing windows in Firefox to small sizes, for example to hide the statusbar, ignoring the pref that should restrict that (see 252811). The statusbar is still there, but not visible in the window, as it should. You can do the same to hide the tab bar, which can be very annoying, and you could even use it to open hidden windows in new tabs, too, if someone has set all links to open in tabs instead of windows via an extension. Perhaps I missed something; however, AFAIK this bug is not fixed, which is implied by marking it a duplicate of a fixed bug, so the bug should be reopened.
This bug is critical. One can use this bug for "phishing" purposes! One can just resize Firefox's main window to hide its statusbar. He then can also draw a fake statusbar at the bottom of the main window. He can then force you to download and execute anything (the fake statusbar can display wrong information about the link; users will blindly click on this link).
Resizing the main window leaves the toolbars untouched (1.0PR), but the pop-up indeed hides its stuff. Making it large will show the status bar, but not the menu bar. At least the location bar should be visible in pop-ups... (I noticed this already in 0.9.3; there the tabbed bar is hidden...)
Hrnm, I definitely think we should do something about this. XUL gurus, is there any way to get the statusbar to be the "anchor", so that if the window is too small, the main content disappears, instead of the status bar?
Status: UNCONFIRMED → NEW
Ever confirmed: true
If dom.disable_window_open_feature.status is true, the statusbar height should be fixed, preventing spoofing/phishing. If dom.disable_window_open_feature.status is false, the statusbar height can be left the way it is now (user's responsibility).
> is there any way to get the statusbar to be the "anchor"
Not that I'm aware (though perhaps there should be). The problem is that iframes have a height of 150 by default. Setting min-height: 1 in xul.css should allow the browser frame to shrink, but there might be other issues.
*** Bug 264335 has been marked as a duplicate of this bug. ***
If I open two tabs in a small window (thus with hidden statusbar), load a page such as mozilla.org into the first tab and close the first tab, the status bar and horizontal scroll bar appear. After this, whatever the size of the window, the components do not disappear again (unless there is no room for them).
Could the fix in 217477 (not checked into aviary) also help here? Seems to have helped for suite, that also had this bug.
13 years ago
Flags: blocking-aviary1.0? → blocking-aviary1.0-
It's the browser's responsibility to prevent webpages from mimicking parts of the interface that could be harmful. This now involves a lot of reports here but also on security-related websites. I'd say the menu, toolbar and addressbar must never be hidden. Bookmarks and tabs are harmless, I suppose.
*********
More important, why not use the addressbar instead of the statusbar/informationbar for notices? In the same way it is now used to signal that a website is secure, by changing the background color and displaying an icon on the right side of the addressbar. For example, the popup blocker could make it turn red with the crossed-box icon, extension-related stuff could make it green with the puzzle icon, etc.
*********
This way the statusbar can also be harmless to be hidden and there would be no need for the information bar (also see bug #252257). The user can depend on the information being displayed and available in a consistent/reliable way. There could be extra information under the icon's tooltip and this could pop up for a couple of seconds when an event takes place.
---------
Lots of stuff could be added this way, also by cleverly stacking these statuses in such a way that the most relevant is shown at a time. For instance, the popup blocker could be top-most but disappear after a while, and so could the 'extension installation'. Meanwhile the secure/insecure icon could be shown as a smaller, secondary icon and then after a while swap them so the other notice remains visible. ..sorry for the long comment..
The bug seems to have been fixed by now.
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Status: NEW → RESOLVED
Last Resolved: 14 years ago → 13 years ago
Resolution: --- → FIXED
correction resolution --> wfm
Status: REOPENED → RESOLVED
Last Resolved: 13 years ago → 13 years ago
Resolution: --- → WORKSFORME
This was serendipitously fixed by the checkin for bug 217477.
On the branches it was not serendipitous, we explicitly applied that patch to fix bug 284551 (which is a dupe of this one -- sorry I didn't notice when I was cc'd. I'm cc'd on a lot of bugs).
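An added sketch (not Mozilla's code and not the patch from bug 217477) of the policy the comments above ask for: clamp the size a script requests through window.open and keep the status bar on when dom.disable_window_open_feature.status is set. The function names and the 100-pixel floors are assumptions made for this illustration.

```javascript
// Added illustration of a window.open() feature sanitizer; not browser source.
const MIN_WIDTH = 100;   // assumed floor in px, chosen for the demo
const MIN_HEIGHT = 100;  // assumed floor in px, chosen for the demo
const STATUS_PREF = "dom.disable_window_open_feature.status"; // pref named in the thread

// Parse a features string such as "width=10,height=10,status=no".
// A bare key ("status") is treated as "yes".
function parseFeatures(str) {
  const out = {};
  for (const part of String(str || "").split(",")) {
    const [rawKey, rawVal = "yes"] = part.split("=");
    const key = rawKey.trim().toLowerCase();
    if (key) out[key] = rawVal.trim().toLowerCase();
  }
  return out;
}

// Return the features the browser would honour plus a list of overrides,
// so a caller can log what a page tried to do.
function sanitizeFeatures(str, prefs) {
  const f = parseFeatures(str);
  const changes = [];
  // Too-small or unparsable dimensions are raised to the floor so the
  // window chrome (statusbar, tab bar) still fits inside the window.
  for (const [key, min] of [["width", MIN_WIDTH], ["height", MIN_HEIGHT]]) {
    if (!(key in f)) continue;
    const n = parseInt(f[key], 10);
    if (Number.isNaN(n) || n < min) {
      changes.push(`${key}: ${f[key]} -> ${min}`);
      f[key] = String(min);
    }
  }
  // With the pref set, the page may not switch the status bar off.
  if (prefs[STATUS_PREF] && f.status !== "yes" && f.status !== "1") {
    changes.push(`status: ${f.status === undefined ? "(unset)" : f.status} -> yes`);
    f.status = "yes";
  }
  const features = Object.entries(f).map(([k, v]) => `${k}=${v}`).join(",");
  return { features, changes };
}

// Constructed sample input: a popup too small to show its status bar.
const demo = sanitizeFeatures("width=10,height=10,status=no", { [STATUS_PREF]: true });
console.log(demo.features, demo.changes);
```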