265692 - mouseover of <a href> </a> link with other tags inside does not show url in status bar

Status: VERIFIED FIXED

(Core :: DOM: UI Events & Focus Handling, defect, P1)

Description

[Jason Ellis]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.3) Gecko/20041022 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.3) Gecko/20041022 Firefox/1.0

Mousing over an image link does not show the url in the status bar.

Reproducible: Always
Steps to Reproduce:
1. Go to http://slashdot.org/
2. Mouse over the slashdot logo at the top left (or any other image link)

Actual Results:  
URL is not displayed in the firefox status bar

Expected Results:  
URL is displayed in the firefox status bar

This bug does not appear in the 20041020 aviary build, but it does appear in
20041022.

Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.3) Gecko/20041022 Firefox/1.0

Comment 1

[Nickolay_Ponomarev]

confirming with
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20041022 Firefox/1.0

Comment 2

[Phil Ringnalda (:philor)]

Hadn't yet regressed in Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
rv:1.7.3) Gecko/20041021 Firefox/1.0

Comment 3

[Michael Lefevre]

just a guess, but maybe the fix for bug 265176 caused this (I don't really know,
but nothing else looks likely)?

Comment 4

[Peter van der Woude [:Peter6]]

severity -> MAJOR
Given all efforts to make FF as secure as possible it is not a good thing if you
can't see where a link leads to.

Comment 5

[u58943]

its not only image links either.  another example, http://astalavista.box.sk/

on the left hand side the links from "Get your astalavista shirt now!" and below
do not show the url. and none of the links on the right hand pane show any url
either.

One of the main reasons I switched to FF was it was impossible for a site to
hide a url from the status bar so I could always see where it was going, so I'd
agree with peter, its a severe bug.

Comment 6

[Peter van der Woude [:Peter6]]

Attachment: testcase

any tag inside <a></a> makes the statusbar link disappear

Comment 7

[Peter van der Woude [:Peter6]]

title->
mouseover of <a href> </a> link with other tags inside does not show url in
status bar

Comment 8

[Boris Zbarsky [:bzbarsky]]

It looks like nsEventStateManager::DispatchMouseEvent needs the same sort of
change as nsEventStateManager::CheckForAndDispatchClick got in bug 265176.  As
things stand, various mouse events are ending up untrusted when they should not be.

There are also similar issues in nsEventStateManager::GenerateDragGesture (for
the NS_DRAGDROP_GESTURE event ends up untrusted), and a lot of the focus/blur
stuff seems busted to me to.

The real solution to all this, imo, is to make the nsEvent constructor REQUIRE
the trusted flag.  Then code can't accidentally screw it up.

I'm upgrading the severity here, since this rather breaks the anti-spoofing
benefits of the status bar.

Comment 9

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

Attachment: patch

Comment 10

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

Attachment: patch getting more cases

Comment 11

[Boris Zbarsky [:bzbarsky]]

Comment on attachment 163153 [details] [diff] [review]
patch getting more cases

>Index: nsEventStateManager.cpp

>         event2.isMeta = aEvent->isMeta;
>+        event.internalAppFlags |=
>+          aEvent->internalAppFlags & NS_APP_EVENT_FLAG_TRUSTED;

event2 here.  r=bzbarsky with that fixed, but I was serious about making this
less error-prone by forcing this flag in the nsEvent constructor.  Please file
a followup bug on that?

Comment 12

[Johnny Stenback (:jst)]

Comment on attachment 163153 [details] [diff] [review]
patch getting more cases

sr=jst

Comment 13

[Asa Dotzler [:asa]]

Comment on attachment 163153 [details] [diff] [review]
patch getting more cases

a=asa for aviary checkin and 1.7 branch checkin.

Comment 14

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

Fix checked in to trunk, 2004-10-23 15:28 -0700.
Fix checked in to AVIARY_1_0_20040515_BRANCH, 2004-10-23 15:28 -0700.
Fix checked in to MOZILLA_1_7_BRANCH, 2004-10-23 15:28 -0700.

Comment 15

[sairuh (rarely reading bugmail)]

vrfy'd fixed on linux fc2 2004102409-0.9+.

Comment 16

[u58943]

This does not appear to be fully fixed.  I have made a test case here
http://www.darkcity.nildram.co.uk/test.htm which shows 2 links, and nothing
comes up in the status bar what so ever when you mouse over them, same security
risk as before.

I know very little html and I basically copied this from a site so whatever the
reason for it is, this does happen in real browsing and isnt just a flawed
unusual testcase.

Can something not be done about this?  it appears to be still quite easy for
someone to hide a url completely.

Comment 17

[Hussam Al-Tayeb]

(In reply to comment #16)
> This does not appear to be fully fixed.  I have made a test case here
> http://www.darkcity.nildram.co.uk/test.htm which shows 2 links, and nothing
> comes up in the status bar what so ever when you mouse over them, same security
> risk as before.

Same here. I'm still seeing this in some sites. Maybe thisshould be reopened?

Comment 18

[Asa Dotzler [:asa]]

reopening

Comment 19

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

That test page is using Javascript to set the status bar.  Pages have always
been able to do things like that.  The fact that the text isn't showing up may
be a recent regression, but it's not *this* regression.

Comment 20

[u58943]

if it is a regression it isnt recent, it happens on my 11th oct build as well.

The thing is under javascript options, I have "change status bar text" disabled
so it should show the correct url surely.

This is perhaps another bug, but its one that needs looking at before 1.0 imo
otherwise anyone wanting to hide any url from firefox will simple use this method.

Comment 21

[dolphinling]

Just a note, I've filed bug 266034 on that other issue.

reverifying