Closed Bug 374129 Opened 17 years ago Closed 17 years ago

Firefox allows opening chromeless windows with XUL allowing for luring attacks (UI spoof)

Categories

(Firefox :: General, defect)

defect
Not set
normal

RESOLVED DUPLICATE of bug 252198

People

(Reporter: msg, Unassigned)

Details

User-Agent:       Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; .NET CLR 1.1.4322; InfoPath.2)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2

Firefox allows untrusted web sites to open a chromeless window that hosts XUL UI.  Using XUL UI one can construct an exact-looking Firefox UI that lures the end user into browsing through the UI.

An example of XUL in a chromeless window can be seen via "http://www.faser.net/mab/remote.cfm" by clicking on "Remote launch" on the right-hand side.  The only mitigating factor is the user will be asked if they want to display the "popup".

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
XUL has nothing to do with the spoofing problem; a site could mimic XUL with HTML or SVG.  If this is fixed, it will most likely be by making more UI always-on (e.g. bug 337344).
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
Summary: Firefox allows opening chromeless windows with XUL UI allowing for luring attacks → Firefox allows opening chromeless windows with XUL allowing for luring attacks (UI spoof)