Closed
Bug 378532
Opened 18 years ago
Closed 13 years ago
It's possible to make all browser chrome invisible
Categories
(Core :: General, defect)
RESOLVED
INCOMPLETE
People
(Reporter: csthomas, Unassigned)
References
Details
(Keywords: qawanted, Whiteboard: [sg:needinfo] (sg:moderate-to-high spoofing if true?))
It's possible to blow away all the browser chrome from content. It has something to do with popups - I hit this repeatedly while working on testcases for bug 326877 and bug 374569, but didn't file it because I had no useful info. I still have no useful info, but dveditz confirmed it:
<dveditz> whoa, I'm in a strange state
<dveditz> back on your evil page I middle-clicked in the real bank site's tab to close it, and the chrome totally disappeared
Filing as a security bug since you could theoretically display anything you want. As far as I can tell, the state of the browser is pretty busted though, so an exploit might be difficult.
Steps to reproduce:
1. No clue. Play around with malicious <popup> testcases.
Comment 1•17 years ago (Reporter)
Since G30rgi's playing with popups (bug 394743) maybe he'll run into this too....
Comment 2•17 years ago
This may be related to Bug 373314 – strange transparent areas in firefox caused by xul
Comment 3•17 years ago (Reporter)
Ok, I can reproduce this now (or something like it) on latest-1.8 and latest-trunk. The behavior isn't exactly the same as what I got on Windows, but it's close enough to use this bug.
Load http://ctho.ath.cx/tmp/crash.xul
javascript:setTimeout(function() { alert("Hi"); }, 500);
click the button before the page is replaced with the return value from setTimeout (most likely "2").
"javascript:for (var i=0; i<100000; i++) ; 5" works too, so the alert is irrelevant.
Flags: blocking1.9?
Comment 4•17 years ago
-'ing this as the issue also exists in Fx2.
Flags: blocking1.9? → blocking1.9-
Comment 5•17 years ago
Can anyone other than CTho reproduce this in recent branch or trunk builds? Maybe I'm missing something in comment 3 (it's clearly not crash.xul alone since earlier fixes safely contain that content in chrome) but I couldn't figure when to inject the javascript that would make any difference.
If hiding chrome is still possible this is probably an sg:moderate or sg:high since any site content could be spoofed including any EV cert indicia we come up with.
Flags: blocking1.9- → blocking1.9?
Keywords: qawanted
Whiteboard: [sg:needinfo] (sg:moderate-to-high spoofing if true?)
Comment 6•17 years ago (Reporter)
I couldn't reproduce it on Windows using those steps or anything similar I tried (I even tried older builds from before the content-popups-over-chrome fix in April). Must not be this bug. I filed bug 406680 on the steps in comment 3.
Comment 7•17 years ago
Per conversation with dveditz, we can't reproduce. If we can consistently reproduce this issue, please re-nom.
Flags: blocking1.9? → blocking1.9-
This should be fixed now that bug 322074 is fixed.
Comment 9•13 years ago
Resolving this as incomplete since it should be fixed and it hasn't been touched in four years.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → INCOMPLETE
Updated•10 years ago
Group: core-security