378554 - A simple JavaScript disables the location bar which might help phishing.

Status: RESOLVED DUPLICATE of bug 337344

(Firefox :: Toolbars and Customization, defect)

Description

[Dirk Knop]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3

A simple JavaScript like on the site after clicking the "continue"-link on the URL mentioned disables the address bar in firefox 2. The Script is as simple as:
function Start(page) {
OpenWin = this.open(page, "CtrlWindow", "ini,toolbar=yes,location=no,status=yes,menubar=yes,scrollbars=no,resizable=yes");
}

I didn't see this before, also I thought hiding the address bar in firefox 2 is not that easy anymore.

Reproducible: Always

Steps to Reproduce:
1. Go to http://gv.com.hk/preview/.tmp/ and follow the link "continue" on that page.
2. A new popup window appears without a location/address bar.
3.
Actual Results:  
The location/address bar is missing.

Expected Results:  
The address/location bar is still there, ignoring the javascript properties.

Comment 2

[Daniel Veditz [:dveditz]]

I'm not convinced this is a pure duplicate. Sure, fixing bug 337344 would in fact fix this one (so I'll mark it depends on), but there's possibly an alternate fix if we have to wait until FF3 for 337344 UI.

Part of the visual problem here is that toolbar=yes,location=no means the search bar fills up the spot where the locationbar goes. Visually unless you look closely at it looks fairly normal. Would work especially well for spoofing Google or whatever the user's default search engine was. Another option would be to make the search bar go away at the same time as the location bar, or to prevent it from expanding into the empty space.

Comment 3

[Daniel Veditz [:dveditz]]

Bug 337344 is now fixed on trunk (FF3). No one's going to do extra work for this so dupe it is...