Closed Bug 298254 Opened 20 years ago Closed 20 years ago

By default, don't allow scripts to hide status bar or location bar

Categories

(Firefox :: General, defect)

x86
Windows XP
defect
Not set
major

RESOLVED WONTFIX

People

(Reporter: david, Unassigned)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

The given URL (http://channel9.msdn.com/ShowPost.aspx?PostID=78989) shows that the current version of Firefox (1.0.4) shows some "insecure by design" preferences allowing (whilst clearly a hoax, due to the target being IE) fake address bars being displayed.

I feel that Firefox should have tighter controls like IE SP2's, which include not allowing JavaScript to remove or hide the address bar or the status bar.

On a similar note, there are issues when you want the tab-bar to appear but it doesn't because JavaScript has disabled the toolbars.

So basically, my point is that in an OOB configuration, Firefox should not allow JavaScript to modify the location bar or the status bar in any way.

Reproducible: Always

Steps to Reproduce:
See information on given forum thread.

Firefox already does not allow script to remove the status bar. This matches IE's behaviour; both IE and Firefox allow script to remove the address bar. This is a compromise between security and the wishes of web application authors. See various other bugs for the long process by which it was decided. I very much doubt we are going to reverse our decision and make the address bar compulsory also.

Gerv

There has been plenty of public discussion about this issue, so this bug shouldn't be hidden. For example, see bug 252811, bug 22183, and bug 259192. There has also been private discussion on the Mozilla security group mailing list and public discussion in newsgroups. I agree with you that web pages should not be able to hide the location bar by default, but I lost that argument a while ago and I don't think it's time to revisit it. WONTFIX.
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → WONTFIX
Summary: Firefox needs more "secure by default" preferences → By default, don't allow scripts to hide status bar or location bar