Closed Bug 348373 Opened 18 years ago Closed 18 years ago

Location bar should be visible by default in script-initiated windows

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 337344

People

(Reporter: bugzilla, Unassigned)

References

(
URL
)

Details

Attachments

(1 file)

Simple testcase
968 bytes, text/html
Details 
It is somewhat contradictory that Gecko-based browsers make the effort of identifying https address (with a yellow-brownish background-color in location bar) and implement anti-phishing measures and that, on the other hand, it still allows by default secondary window (via window-open()-script initiated) to have missing/removed location bar.

"We think the address bar is also important for users to see in pop-up windows. A missing address bar creates a chance for a fraudster to forge an address of their own. To help thwart that, IE7 will show the address bar on all internet windows to help users see where they are."
coming from IE7 Blog, November 2005, Better Website Identification
http://blogs.msdn.com/ie/archive/2005/11/21.aspx
I can upload a screenshot of the MSIE 7 (beta 3: build date is June 29th 2006) security setting: by default, MSIE 7 (beta 2 and beta 3) address bar default setting is visible.

In MSIE 7 beta 2 and beta 3: 
Tools/Internet Options/Security tab/Internet Zone/Custom Level... button/Miscellaneous section/Allow webpages to open windows without address and status bars/"Disabled" radio button is checked by default

"hiding the location bar is a security problem, as it facilitates URL
phishing." coming from bug 241571 comment #0

Actual results: 
a) Tools/Options.../Content tab/Advanced... button (javascript options: allow scripts to:) does not even list "Hide Location bar" in Firefox 2.0b1 rv:1.8.1b1 build 20060810 BonEcho
b) Edit/Preferences.../Advanced category/Scripts & Plugins/Allow scripts to: Hide the location bar in Seamonkey 1.5a rv: 1.9a1 build 2006080910 under XP Pro SP2

Expected results: 
a) Tools/Options.../Content tab/Advanced... button (javascript options: allow scripts to:) "Hide Location bar" with its checkbox is unchecked (by default) in Firefox 2.x
b) Edit/Preferences.../Advanced category/Scripts & Plugins/Allow scripts to: Hide the location bar with its checkbox unchecked (by default) in Seamonkey 1.x

Notes:
======
1- Compatibility with IE 7 ... just like with status bar visibility.

2- I was not sure if this could be considered as a security issue; I'll let you guys decide to confirm or not this bug.

3- Somewhat related to this bug are:
bug 107949
bug 241571
bug 75158
Attached file Simple testcase 
Load testcase, then click the "Go to bug 75158" link. The created popup/secondary window will not have a location/url bar. 

In about:config, the preference name
dom.disable_window_open_feature.location
should be set (status) to default.
The hostname was added to the title of windows without location bars to address this kind of spoofing (bug 304388).

To the extent that's not sufficient bug 337344 covers this request.

*** This bug has been marked as a duplicate of 337344 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: