Closed Bug 280481 Opened 20 years ago Closed 20 years ago

Spoofing the info bar is easy

Categories

(Firefox :: General, defect)

x86
Windows XP
defect
Not set
normal

VERIFIED DUPLICATE of bug 252257

People

(Reporter: csthomas, Assigned: bugzilla)

Details

See the URL.  It's very easy to make a convincing spoof of the info bar.

(23:52:16) <bz> CTho: firefox security, for now.  cc me, dveditz, jruderman,
jst, I guess
(23:52:22) <bz> Ctho: and mconnor

Note that bug 270443 is adding the same thing to Seamonkey.
So we have three questions here:

1)  What is the danger in the info bar being spoofable?
2)  What can we do to mitigate said danger?
3)  What can we do to prevent the info bar being spoofed, if needed?

Thoughts so far:

1)  Sites can spoof plugin finder and other informational "dialogs".  Users may
    have more trust in infobar-alikes than in random other content.
2)  Not sure.
3)  The only thing I've thought of so far is putting the info bar somewhere
    where sites can't possibly make it appear.  Say between the menubar and the
    URL bar (or above the URL bar on the mac).  This has the obvious drawback of
    not playing nice with tabbrowser.....

"Firefox has determined that this site is secure."

Possible Solutions:
Position Info Bar so that page cannot paint there, e.g. above tabs.
(Not completely safe for naive users.)

Bug was my idea, removing security flag per policy.
Group: security

*** This bug has been marked as a duplicate of 252257 ***
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED