Closed
Bug 558485
Opened 14 years ago
Closed 7 years ago
Don't show the page's URL in the status bar for links in the plugin crash sadface placeholder
Categories
(Core Graveyard :: Plug-ins, defect)
Tracking
(blocking2.0 -, blocking1.9.2 -, status1.9.2 wanted, status1.9.1 unaffected)
RESOLVED
INCOMPLETE
Tracking | Status | |
---|---|---|
blocking2.0 | --- | - |
blocking1.9.2 | --- | - |
status1.9.2 | --- | wanted |
status1.9.1 | --- | unaffected |
People
(Reporter: ehsan.akhgari, Unassigned)
References
Details
(Keywords: sec-low, Whiteboard: [lorentz][sg:low spoof])
Attachments
(1 file, 2 obsolete files)
4.91 KB,
patch
|
Details | Diff | Splinter Review |
Tomer pointed out to me today that for some reason, we show the page's URL in the status bar when hovering on the links inside the plugin crash placeholder. Considering the fact that the UI is part of the chrome, we shouldn't probably do that. This _might_ make some spoofing attempts possible, I'm not so sure. Filing it in the security group for now.
Comment 1•14 years ago
|
||
sg:low at worst, not worth keeping private.
Group: core-security
Whiteboard: [lorentz] → [lorentz][sg:low spoof]
Comment 2•14 years ago
|
||
Code freeze for 1.9.2.4 is midnight tonight. We probably can't block the release for this but marking as wanted.
status1.9.1:
--- → unaffected
status1.9.2:
--- → wanted
Reporter | ||
Comment 3•14 years ago
|
||
Use html:span's instead of html:a's, and style them as links.
Comment 4•14 years ago
|
||
Comment on attachment 438564 [details] [diff] [review] Patch (v1) >-html|a { >+html|a, .pleaseSubmitLink, .reloadLink { > color: white; >+ text-decoration: underline; >+} Are there other 'a' elements that are matched here? color:white is probably not needed for .pleaseSubmitLink and .reloadLink if they are spans. >+.pleaseSubmitLink:hover, .reloadLink:hover { >+ cursor: pointer; :hover is superfluous
Reporter | ||
Comment 5•14 years ago
|
||
(In reply to comment #4) > (From update of attachment 438564 [details] [diff] [review]) > >-html|a { > >+html|a, .pleaseSubmitLink, .reloadLink { > > color: white; > >+ text-decoration: underline; > >+} > > Are there other 'a' elements that are matched here? > color:white is probably not needed for .pleaseSubmitLink and .reloadLink if > they are spans. For some reason, I thought that this CSS is included elsewhere as well, but I was wrong. > >+.pleaseSubmitLink:hover, .reloadLink:hover { > >+ cursor: pointer; > > :hover is superfluous You're right. Here's the updated patch.
Attachment #438564 -
Attachment is obsolete: true
Attachment #438573 -
Flags: review?(dao)
Attachment #438564 -
Flags: review?(dao)
Comment 6•14 years ago
|
||
Also: Add role="link" to the 2 new spans. Remove the "// XXX can we make the link target actually be blank?" from browser.js. The "<!-- link href set at runtime -->" comments can be removed from the XBL too (since it's not longer a confusing <a> without an href). And in browser.js's addLinkClickCallback(), the "evt.preventDefault();" can be removed (since the purpose was to avoid triggering the actual link).
Comment 7•14 years ago
|
||
Comment on attachment 438573 [details] [diff] [review] Patch (v2) @namespace html is now unused. >+.pleaseSubmitLink, .reloadLink { nit: line break after the comma Are the links still focusable? Probably not, so r-.
Attachment #438573 -
Flags: review?(dao) → review-
Comment 8•14 years ago
|
||
Also, I don't really see the spoofing risk...
Reporter | ||
Comment 9•14 years ago
|
||
This should make the link focusable, but doesn't.
Attachment #438573 -
Attachment is obsolete: true
Reporter | ||
Comment 10•14 years ago
|
||
Unassigning from myself. Someone else can probably get the patch and make it work.
Assignee: ehsan → nobody
Status: ASSIGNED → NEW
Updated•14 years ago
|
blocking1.9.2: ? → -
Comment 12•7 years ago
|
||
Resolving old bugs which are likely not relevant any more, since NPAPI plugins are deprecated.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INCOMPLETE
Updated•2 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•