Closed Bug 60323 Opened 24 years ago Closed 24 years ago

Don't allow JS in Web pages to resize my browser window, by default

Categories

(SeaMonkey :: UI Design, defect, P3)

Tracking

(Not tracked)

VERIFIED WONTFIX

People

(Reporter: mpt, Assigned: security-bugs)

Build: 

To reproduce:
* Resize your window to something other than the default size.
* Go to <http://home.netscape.com/browsers/6/su_setup.html>.

What happens:
* Your browser window is resized by a JS function in the page.

What was expected:
* How large your browser window is is none of the page's business, so the page
  should not be able to resize the window.
* If a Web page needs a window of a particular size, it should have to open a new
  window.

Here is the offending code:
------
if(screen.height>=625&&screen.width>=800) {
    window.innerWidth=606;
    window.innerHeight=464;
} else {
    window.innerWidth=screen.width-194;
    window.innerHeight=screen.height-176;
}
------

This bug can be fixed by making window.innerWidth and window.innerHeight
read-only.

There are some legitimate uses for resizing the page in JS.  For example,
Java applets can't open windows with anything other than the default size.
So a way to pop up a nice HTML help dialog which doesn't obscure the entire
screen is to open it at default, then resize with JS.

I've never encountered such a script before, but it does suck, so I agree with
MPT that this should be forbidden. Besides the fix doesn't look so hard.
Fabian.

I think the issue here is whether JS, or anything else, should be allowed to
resize a window it didn't open. I say no. It's another issue whether JS or java
should be able to open windows at all.

mpt, does this still happen if you turn off JS in your Prefs > Advanced? when i
turn it off, going to that page no longer forces that resizing...

This is really the same issue as allowing JS to open windows.  They can't be
separated, because a "hostile" page could open itself in a new window with any
size it wanted.

Opening windows is critical functionality for many sites, including the one I
work on.  I think the way to deal with this is to have a setting like the Cookie
manager which lets you specify that certain sites can't open windows.

Sairuh, naturally the window doesn't resize if Javascript is disabled, because
it is Javascript which is doing the resizing. But just like bug 50665, I
shouldn't have to surf the Web with Javascript disabled just to avoid this
particular behavior.

Some Javascript behaviors (such as loading images, for example) are either
useful or annoying, depending on the user, so they should be options in the
Scripts category of the prefs dialog. This behavior, however, is *always*
annoying. If the author wants a window of a particular size, they should open a
new window for that purpose. I shouldn't be subjected to anyone changing my
window size without my permission, just so they can (in the example given above)
make the window large enough to show me that they can't spell the word `convenient'.

If you remove the feature, the effect will be to replace each annoying site with
an even more annoying site that opens a new window with the desired size, then
closes the original window.

There should be a single pref that controls whether windows can be opened and
resized.  And, critically, if the pref is disabled, there must be a way to
detect this in Javascript so appropriate actions can be taken (informing the
user that a feature of the site is disabled, for example).

That's assuming that there is a way of closing the previous window in the first
place, and that shouldn't be possible either. Scripts should be able to do what 
they like with windows they create -- resize them, close them, whatever -- but 
messing with the user's existing window is unacceptable.

It makes sense to offer the *option* to prevent scripts from opening new windows 
-- that's what bug 29346 is for. But resizing or closing the current window 
shouldn't be possible at all, because it is guaranteed to annoy the user.

I agree that webpages should not be able to resize a browser window.  I've
never seen that feature used constructively, and pages shouldn't assume that 
javascript is enabled and that the screen size allows the page to be resized to 
the size they want.

I don't think window.opened windows should be able to resize themselves 
either.. it makes more sense to set the size in the window.open call.  Bill 
Lipa, about Java applets not being able to specify parameters to window.open, 
is there a way for the Java applet to communicate with JavaScript code on the 
page that could then call window.open with the correct parameters?

window.close() security is discussed in bug 32571 and bug 36050.
OS: Mac System 8.5 → All
Hardware: Macintosh → All

Since Don has left, Vishy is taking his bugs in bulk, pending reassignment.
thanks,
	Vishy
Assignee: don → vishy

I agree that scripts resizing windows is more or less in the same category as
scripts opening windows. Either or both of these things can be disabled in the
prefs, completely or wrt certain sites. There's UI on the way for this. I don't
feel comfortable disabling either one of these by default, as some legitimate
content authors may be counting on those abilities. This would make us less
compatible with some degree of sites out there. If it bothers you, you can turn
it off, but I don't think changing the default is a good idea.

One thing I'd like to do in the upcoming JS privileges dialog, or maybe just on
a webpage, is to offer alternate pref sets which people are likely to want which
can be set with one click, for example, "disable all window.open, all window
resizing, and all JS in mail."

BTW, I'm taking this bug.
Assignee: vishy → mstoltz

Preventing all scripts from resizing windows by default would make us less
compatible with some legitimate sites. I think it would be much better to offer
an easy way for users to disable resizing (and window.open, and so on) on a
per-site basis. There's backend for this, and a frontend is coming soon. Wontfix
on this bug. 
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → WONTFIX

fyi, the frontend aspect is covered in bug 38966. the backend is covered in bug
7380 and bug 858...

Adding "per default" to SUMMARY to make clear that the user has the *option* to
disable it, although it is hard to set that option.
Summary: Don't allow JS in Web pages to resize my browser window → Don't allow JS in Web pages to resize my browser window, per default

See also bug 69290, [RFE] ability to block resizing/moving of a window.
Summary: Don't allow JS in Web pages to resize my browser window, per default → Don't allow JS in Web pages to resize my browser window, by default

moot, due to scripts/windows prefs...
Status: RESOLVED → VERIFIED

See also bug 179704 comment 6, where I suggested disallowing scripts from
resizing normal browser windows but allowing scripts to resize pop-up windows
that don't have toolbars.  There might be prefs to change this default setting.

This new suggestion contradicts my comment 9 on this bug, where I said "I don't
think window.opened windows should be able to resize themselves either.. it
makes more sense to set the size in the window.open call."  Making the web less
annoying, keeping compatibility with existing sites, and reducing the number of
visible prefs are all more important than forcing web site code to "make sense".

Mitch, when you wontfixed this bug, you said "Preventing all scripts from
resizing windows by default would make us less compatible with some legitimate
sites."  Do you know if any sites resize normal browser windows in a way that is
more useful than annoying, or have you only seen resize commands used reasonably
in pop-up windows?

I agree that window.opened windows should NOT be able to resize themselves (with
the possible exception of sizeToContent() call); authors should decide on the
popup sizes in the window.open call and then let it go (freedom, latitude to the
user). You cannot satisfy 100% of users regarding size, position, etc... so you
might as well make your best call and leave the rest (control, customization) to
the user.

One other thing struck me in this bug: window.innerWidth and window.innerHeight
should be readonly values. Resizing a window should only be possible via known
methods (resizeTo(), resizeBy(), sizeToContent()).
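
The proposals made in this thread (read-only innerWidth/innerHeight, resizing only through resizeTo(), resizes honoured only for script-opened pop-ups without toolbars, and a way for a page to detect a refused resize), modeled as an added example that is not part of the bug report and not Mozilla's code. `makeWindow`, its `openedByScript`/`hasToolbars` flags, `legacyResize` and `pageCanResize` are hypothetical names, and the window sizes are constructed.

```javascript
// Hypothetical model of a browser window, not Mozilla's implementation.
// openedByScript and hasToolbars are assumed flags a browser would track.
function makeWindow({ width, height, openedByScript, hasToolbars }) {
  const size = { width, height };
  const win = {
    // Policy suggested in the thread: only script-opened pop-ups without
    // toolbars may be resized; the user's normal browser window may not.
    resizeTo(w, h) {
      if (!openedByScript || hasToolbars) return; // request silently ignored
      size.width = w;
      size.height = h;
    },
  };
  // Getter-only accessors make innerWidth/innerHeight read-only.
  Object.defineProperty(win, 'innerWidth', { get: () => size.width });
  Object.defineProperty(win, 'innerHeight', { get: () => size.height });
  return win;
}

// The reported page's resize, run against the model. In strict mode an
// assignment to a getter-only property throws TypeError; sloppy mode ignores it.
function legacyResize(win) {
  'use strict';
  try {
    win.innerWidth = 606;
    win.innerHeight = 464;
    return 'resized';
  } catch (e) {
    return e instanceof TypeError ? 'blocked' : 'error';
  }
}

// Detection a page could use: request a size, then check whether it took effect.
function pageCanResize(win, w, h) {
  win.resizeTo(w, h);
  return win.innerWidth === w && win.innerHeight === h;
}

// Constructed sample windows: the user's own window and a bare pop-up.
const userWindow = makeWindow({ width: 1024, height: 700, openedByScript: false, hasToolbars: true });
const popup = makeWindow({ width: 300, height: 200, openedByScript: true, hasToolbars: false });

console.log(legacyResize(userWindow), userWindow.innerWidth);
console.log(pageCanResize(userWindow, 606, 464));
console.log(pageCanResize(popup, 606, 464));
```
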

Product: Core → Mozilla Application Suite
Blocks: 327310