284551 - SSL spoofing vulnerability: status bar disappears in small windows; popups can spoof the SSL lock.

Status: VERIFIED FIXED

(Core :: Layout: Images, Video, and HTML Frames, defect)

Description

[Ka-Ping Yee]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1

When a window is less than 128 pixels high, the status bar is hidden.
This is bad because the status bar contains critical security information.
This is especially bad because Javascript can open popup windows small
enough to hide the status bar, and spoof the SSL security indicator in
the status bar.  See http://zesty.ca/popup/ for an example.

Javascript can also prevent the user from resizing the window or from
seeing the menu bar, so there is really no way to get the status bar back.

(This is also inconvenient because the horizontal scrollbar disappears
in the same way.)

The best and most straightforward solution is to ensure that the status
bar is always visible.

Reproducible: Always

Steps to Reproduce:
1. Open a new Firefox window (Ctrl-N).
2. Ensure that the status bar is turned on (View -> Status Bar).
3. Grab the lower edge of the window and shrink it vertically.
Actual Results:  
When the window height is reduced beyond a certain point (128 pixels), the
status bar will disappear (it will refuse to move up any further).

Expected Results:  
The status bar should not disappear.  It should always occupy the lowest 20 or
so pixels of the window height.

(Also, if the menu bar and status bar happen to be turned off, there should be a
way for the user to turn them back on.)

Comment 1

[Daniel Veditz [:dveditz]]

The status bar shouldn't disappear, confirming. It's not a perfect spoof because
as of Firefox 1.0.1 the site appears in the title bar, but people are likely to
be misled by the fake status bar all the same.

The Suite has a similar issue, but instead of having a fixed content height of
~128px it looks like ~122px.

Comment 2

[neil@parkwaycc.co.uk]

Doh! I've got windows diverted into tabs ;-)
The problem was fixed on the trunk - bug 217477 - to fix the mail status bar!

Comment 3

[Daniel Veditz [:dveditz]]

Marking blocking 1.0.2, otherwise this one seems to keep getting forgotten. I'd
rather have drivers explicitly minus than forget to plus.

This bug originated as a public thread on n.m.p.security, the confidential flag
is somewhat pointless at this point.

Comment 4

[Christopher Aillon (sabbatical, not receiving bugmail)]

Is this an issue for seamonkey too?

Comment 5

[Daniel Veditz [:dveditz]]

Yes seamonkey has a similar issue, see comment 1

Moving to Core so we can set the right flags. Besides the fix is in layout as
Neil pointed out.

Comment 6

[Daniel Veditz [:dveditz]]

Attachment: Neil's patch from bug 217477, r=roc, sr=jst

Neil's patch from bug 217477 (updated to branch line numbers). Copied here for
branch-checkin approval bookkeeping.

Comment 7

[Asa Dotzler [:asa]]

Comment on attachment 177462 [details] [diff] [review]
Neil's patch from bug 217477, r=roc, sr=jst

a=asa

Comment 8

[Daniel Veditz [:dveditz]]

Fix checked in to 1.7 and aviary-1.0.1 branches. Trunk was already fixed (bug
217477).

Comment 9

[sairuh (rarely reading bugmail)]

testing on linux fc3, the test case now displays the status bar, so looks fixed
to me. tested with 2005031707-1.0.2 firefox and 2005031710-1.7.6 mozilla builds.

Comment 10

[Tracy Walker [:tracy]]

Status bar is displaying with unsecure icon on Mac Fx 1.0.2 and Moz 1.7.6. Also
looks good on Windows 1.7.6

Comment 11

[Ka-Ping Yee]

(In reply to comment #10)
> Status bar is displaying with unsecure icon on Mac Fx 1.0.2 and Moz 1.7.6. Also
> looks good on Windows 1.7.6

Thank you for addressing this bug so quickly.  Way to go!