Closed Bug 558485 Opened 14 years ago Closed 7 years ago

Don't show the page's URL in the status bar for links in the plugin crash sadface placeholder

Categories

(Core Graveyard :: Plug-ins, defect)

Product:
Core Graveyard
Component:
Plug-ins
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(blocking2.0 -, blocking1.9.2 -, status1.9.2 wanted, status1.9.1 unaffected)

Status:
RESOLVED INCOMPLETE
Tracking Flags:
Tracking Status
blocking2.0 --- -
blocking1.9.2 --- -
status1.9.2 --- wanted
status1.9.1 --- unaffected

People

(Reporter: ehsan.akhgari, Unassigned)

References

Details

(Keywords: sec-low, Whiteboard: [lorentz][sg:low spoof])

Attachments

(1 file, 2 obsolete files)

WIP
4.91 KB, patch
Details | Diff | Splinter Review 
Tomer pointed out to me today that for some reason, we show the page's URL in the status bar when hovering on the links inside the plugin crash placeholder.  Considering the fact that the UI is part of the chrome, we shouldn't probably do that.

This _might_ make some spoofing attempts possible, I'm not so sure.  Filing it in the security group for now.
sg:low at worst, not worth keeping private.
Group: core-security
Whiteboard: [lorentz] → [lorentz][sg:low spoof]
Code freeze for 1.9.2.4 is midnight tonight.  We probably can't block the release for this but marking as wanted.
status1.9.1: --- → unaffected
status1.9.2: --- → wanted
Attached patch Patch (v1) (obsolete) — Splinter Review 
Use html:span's instead of html:a's, and style them as links.
Assignee: nobody → ehsan
Status: NEW → ASSIGNED
Attachment #438564 - Flags: review?(dao)
Comment on attachment 438564 [details] [diff] [review]
Patch (v1)

>-html|a {
>+html|a, .pleaseSubmitLink, .reloadLink {
>   color: white;
>+  text-decoration: underline;
>+}

Are there other 'a' elements that are matched here?
color:white is probably not needed for .pleaseSubmitLink and .reloadLink if they are spans.

>+.pleaseSubmitLink:hover, .reloadLink:hover {
>+  cursor: pointer;

:hover is superfluous
Attached patch Patch (v2) (obsolete) — Splinter Review 
(In reply to comment #4)
> (From update of attachment 438564 [details] [diff] [review])
> >-html|a {
> >+html|a, .pleaseSubmitLink, .reloadLink {
> >   color: white;
> >+  text-decoration: underline;
> >+}
> 
> Are there other 'a' elements that are matched here?
> color:white is probably not needed for .pleaseSubmitLink and .reloadLink if
> they are spans.

For some reason, I thought that this CSS is included elsewhere as well, but I was wrong.

> >+.pleaseSubmitLink:hover, .reloadLink:hover {
> >+  cursor: pointer;
> 
> :hover is superfluous

You're right.  Here's the updated patch.
Attachment #438564 - Attachment is obsolete: true
Attachment #438573 - Flags: review?(dao)
Attachment #438564 - Flags: review?(dao)
Also:

Add role="link" to the 2 new spans.

Remove the "// XXX can we make the link target actually be blank?" from browser.js. The "<!-- link href set at runtime -->" comments can be removed from the XBL too (since it's not longer a confusing <a> without an href).

And in browser.js's addLinkClickCallback(), the "evt.preventDefault();" can be removed (since the purpose was to avoid triggering the actual link).
Comment on attachment 438573 [details] [diff] [review]
Patch (v2)

@namespace html is now unused.

>+.pleaseSubmitLink, .reloadLink {

nit: line break after the comma

Are the links still focusable? Probably not, so r-.
Attachment #438573 - Flags: review?(dao) → review-
Also, I don't really see the spoofing risk...
Attached patch WIPSplinter Review 
This should make the link focusable, but doesn't.
Attachment #438573 - Attachment is obsolete: true
Unassigning from myself.  Someone else can probably get the patch and make it work.
Assignee: ehsan → nobody
Status: ASSIGNED → NEW
blocking1.9.2: ? → -
Not blocking the release on this.
blocking2.0: ? → -
Resolving old bugs which are likely not relevant any more, since NPAPI plugins are deprecated.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INCOMPLETE
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: