Closed
Bug 266034
Opened 21 years ago
Closed 21 years ago
onmouseover return true blocks url being displayed in status bar
Categories
(Core :: DOM: UI Events & Focus Handling, defect)
Tracking
()
People
(Reporter: aguertin+bugzilla, Assigned: jst)
Details
(Keywords: regression)
Attachments
(1 file, 1 obsolete file)
|
524 bytes,
text/html
|
Details |
If a link has onMouseOver="return true;" the url is not displayed in the status
bar.
This looks like bug 48317/bug 31997, except those were resolved fixed years ago.
If this is a regression, it occured before 1.7b.
This was originally reported in a comment to bug 265692.
Testcase coming.
|
||
Comment 1•21 years ago
|
||
see testcase with 3 examples
|
|
||
Comment 2•21 years ago
|
||
Attachment #163360 -
Attachment is obsolete: true
|
||
Comment 3•21 years ago
|
||
Well.. I seem to have found _a_ time this regressed. Sometime between
2002-01-09-06 and 2002-02-10-06. Not sure whether it got refixed and
re-regressed since then...
In that range, jag's checkin to nsBrowserStatusHandler.js (revision 1.20) is a
likely culprit...
|
|
||
Comment 4•21 years ago
|
||
I tracked this some more. The problem is that in the |return true;| case the
code in nsGenericHTMLElement::HandleDOMEventForAnchors sees
nsEventStatus_eConsumeNoDefault as the event status (!). If I return false
instead, I get nsEventStatus_eIgnore.
Those seem very backwards to me. Returning false is what should put us in the
eConsumeNoDefault status, no?
And in any case, we should be doing the MOUSE_ENTER_SYNTH thing no matter what,
I would think.
|
||
Comment 5•21 years ago
|
||
bz: onmouseover is backwards, for reasons that even I don't clearly recall.
Joki might -- something about wanting return true to affirm that the status is
being set by the handler. Someone should verify that IE still matches this
backward behavior of Netscape 4.
/be
|
|
||
Comment 6•21 years ago
|
||
OK. So the point, then, is that we should ignore the event status in this code
for MOUSE_ENTER_SYNTH/MOUSE_EXIT_SYNTH events, I guess.
|
||
Updated•21 years ago
|
Flags: blocking1.8a5?
Flags: blocking-aviary1.0?
|
|
||
Updated•21 years ago
|
Flags: blocking1.8a5?
Flags: blocking-aviary1.0?
|
|
||
Comment 8•21 years ago
|
||
I just noticed something. On IE6 SP2, this bug also appears.
I opened https://bugzilla.mozilla.org/attachment.cgi?id=163361&action=view in
IE6SP2 and when I hover with the mouse over the links, nothing is displayed in
the statusbar.
surely this should be blocking 1.0 as its exactly the same security risk and
implications as the bug which brought about this one...
https://bugzilla.mozilla.org/show_bug.cgi?id=265692
|
||
Comment 11•21 years ago
|
||
putting on the radar until we know more
Assignee: events → jst
Flags: blocking-aviary1.0? → blocking-aviary1.0+
|
||
Comment 12•21 years ago
|
||
Ewok: this doesn't seem like a security risk to me. Bug 265692 was only a
"security risk" if you had JavaScript turned off.
Keywords: regression
|
||
Comment 13•21 years ago
|
||
huh? Bug 265692 had nothing what so ever to do with javascript and was a
security risk not being able to see the url you are going to be taken to, this
bug has the same effect in that you also cannit see the url you are going to,
hence a security risk as much as Bug 265692 was.
|
Assignee | |
Comment 14•21 years ago
|
||
This is not a security bug, never was, and I don't see how bug 265692 was
either. Browsers have *always* let you prevent displaying the URL in the status
bar using onmouseover handlers etc, that's ancient, and I don't see how this is
a regression either. IE works like this, so does Firefox, and so does Mozilla
1.4. I don't see anything to fix here at all. Marking INVALID.
Status: NEW → RESOLVED
Closed: 21 years ago
Flags: blocking-aviary1.0+ → blocking-aviary1.0-
Resolution: --- → INVALID
|
Reporter | |
Comment 15•21 years ago
|
||
Woah... whether or not this is a security bug it _is_ still irrational behavior,
and therefore a bug. (Unless we _want_ sites to be able to do this?)
Reopening, though I won't question the blocking flag.
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
|
|
Assignee | |
Comment 16•21 years ago
|
||
Sites have *always* been able to do this, IOW we want them to be able to do this
unless we want to change de-facto standard browser behaviour right now. I see
little reason for that.
Status: REOPENED → RESOLVED
Closed: 21 years ago → 21 years ago
Resolution: --- → INVALID
|
||
Comment 17•21 years ago
|
||
Resolving this as INVALID is wrong. When dom.disable_window_status_change is
set to "true", sites may NOT directly or indirectly manipulate the status bar
in order to prevent the URL from being displayed.
This bug should be reopened and then marked as a duplicate of bug 40838.
Fixing this would be even better, of course.
|
|
Assignee | |
Comment 18•21 years ago
|
||
Ah, right you are. Reopening. Sorry for not realizing that earlier, and thanks
for the number of the dupe...
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
|
|
Assignee | |
Comment 19•21 years ago
|
||
... and duping. Please followup in bug 40838.
*** This bug has been marked as a duplicate of 40838 ***
Status: REOPENED → RESOLVED
Closed: 21 years ago → 21 years ago
Resolution: --- → DUPLICATE
|
||
Updated•6 years ago
|
Component: Event Handling → User events and focus handling
You need to log in
before you can comment on or make changes to this bug.
Description
•