drag n drop text on new js window location bar lets user change url




10 years ago
10 years ago


(Reporter: osvf, Unassigned)


Firefox Tracking Flags

(Not tracked)





10 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; es-AR; rv: Gecko/2008070208 Firefox/3.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-AR; rv: Gecko/2008070208 Firefox/3.0.1

When you open a new window via javascript, if the user drag and drop any text, including pdf text, onto location bar, the user may change location url and navigate for instance into google or another search engine. The location bar shows a "go to" icon "->" to navigate outside the website, but if you try to change that url by typing, the location bar is blocked.

Reproducible: Always

Steps to Reproduce:
1. Open a window via javascript, try open a PDF file, for instance.
2. Drag any text into location bar and clik the arrow icon.
3. You are outside the original site.
Actual Results:  
The user can navigate outside the original site, when no link is placed to do that, of course.

Expected Results:  
The user must not navigate outside.

The user just can navigate via hyperlink to another page or to the same page, via anchor, not dragging and dropping text into location bar. Instead, why the location bar is locked to typing?
The readonly location bar isn't meant to prevent users from navigating away, it's just meant to be less intrusive than the full location bar. I suppose it doesn't really need to be readonly, though.
I think it's good to keep the readonly-ness as we don't want to encourage users to navigate in popups.

At the same time, fixing this bug doesn't seem worthwhile... you could still drag links to the content area.
Agreed. INVALID because the original premise was flawed. Feel free to file a bug about making the location bar not readonly for popups if you want.
Last Resolved: 10 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.