439177 - Rogue websites can resize Firefox window

Status: RESOLVED DUPLICATE of bug 144069

(Firefox :: Tabbed Browser, defect)

Description

[Jeff Garzik]

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9b5) Gecko/2008043010 Fedora/3.0-0.60.beta5.fc9 Firefox/3.0b5
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9b5) Gecko/2008043010 Fedora/3.0-0.60.beta5.fc9 Firefox/3.0b5

A single website can force the entire X11 browser window to be resized, even if other websites are opened in multiple tabs.

Rogue websites can make the browser super-tiny, and broken websites maximize the window size.

Either way, a single website can control the browsing experience for /other, unrelated/ websites.

Reproducible: Always

Steps to Reproduce:
1. Open browser, and DO NOT make the window fill the entire screen (i.e. do not maximize).  Ensure some of your desktop remains visible.
2. Open multiple websites in multiple tabs.
3. Visit the URL given.
4. Watch browser window, and all websites opened in all tabs, resize to the dimensions requested.
Actual Results:  
Overall browser window resized.

Expected Results:  
Do not honor resize request, because it affects unrelated websites.

Honestly, IMO, this is a mild security issue.

Comment 1

[Matthias Versen [:Matti]]

This no security issue at all.
Tools/Options/Content/[x] Enable Javascript...->Advanced/[ ]Move or resize existing windows

-> invalid (no bug)

Comment 2

[Matěj Cepl]

I cannot reopen this bug, but closing it as invalid is IMHO not honest -- if it is not security bug be it (it's splitting of hair anyway), but to have this as default is IMHO very much bug.

Comment 3

[Matthias Versen [:Matti]]

you are right, it's a dupe of bug 144069
The JS function to resize the window is something from the pre-tab innovation.
Not supporting or block it breaks web pages, allowing it conflicts with tabs.
The current solution is the best solution: doesn't break pages but as user you can disable it.

That is the reason why bug 144069 is 6 years old