Closed Bug 60323 Opened 24 years ago Closed 24 years ago

Don't allow JS in Web pages to resize my browser window, by default

Categories

(SeaMonkey :: UI Design, defect, P3)

Tracking

(Not tracked)

VERIFIED WONTFIX

People

(Reporter: mpt, Assigned: security-bugs)


Build:

To reproduce:
* Resize your window to something other than the default size.
* Go to <http://home.netscape.com/browsers/6/su_setup.html>.

What happens:
* Your browser window is resized by a JS function in the page.

What was expected:
* How large your browser window is is none of the page's business, so the page should not be able to resize the window.
* If a Web page needs a window of a particular size, it should have to open a new window.

Here is the offending code:
------
if(screen.height>=625&&screen.width>=800) {
  window.innerWidth=606;
  window.innerHeight=464;
} else {
  window.innerWidth=screen.width-194;
  window.innerHeight=screen.height-176;
}
------

This bug can be fixed by making window.innerWidth and window.innerHeight read-only.
There are some legitimate uses for resizing the page in JS. For example, Java applets can't open windows with anything other than the default size. So a way to pop up a nice HTML help dialog which doesn't obscure the entire screen is to open it at default, then resize with JS.
I've never encountered such a script before, but it does suck, so I agree with MPT that this should be forbidden. Besides, the fix doesn't look so hard. Fabian.
I think the issue here is whether JS, or anything else, should be allowed to resize a window it didn't open. I say no. It's another issue whether JS or java should be able to open windows at all.
mpt, does this still happen if you turn off JS in your Prefs > Advanced? when i turn it off, going to that page no longer forces that resizing...
This is really the same issue as allowing JS to open windows. They can't be separated, because a "hostile" page could open itself in a new window with any size it wanted. Opening windows is critical functionality for many sites, including the one I work on. I think the way to deal with this is to have a setting like the Cookie manager which lets you specify that certain sites can't open windows.
Sairuh, naturally the window doesn't resize if Javascript is disabled, because it is Javascript which is doing the resizing. But just like bug 50665, I shouldn't have to surf the Web with Javascript disabled just to avoid this particular behavior. Some Javascript behaviors (such as loading images, for example) are either useful or annoying, depending on the user, so they should be options in the Scripts category of the prefs dialog. This behavior, however, is *always* annoying. If the author wants a window of a particular size, they should open a new window for that purpose. I shouldn't be subjected to anyone changing my window size without my permission, just so they can (in the example given above) make the window large enough to show me that they can't spell the word `convenient'.
If you remove the feature, the effect will be to replace each annoying site with an even more annoying site that opens a new window with the desired size, then closes the original window. There should be a single pref that controls whether windows can be opened and resized. And, critically, if the pref is disabled, there must be a way to detect this in Javascript so appropriate actions can be taken (informing the user that a feature of the site is disabled, for example).
That's assuming that there is a way of closing the previous window in the first place, and that shouldn't be possible either. Scripts should be able to do what they like with windows they create -- resize them, close them, whatever -- but messing with the user's existing window is unacceptable. It makes sense to offer the *option* to prevent scripts from opening new windows -- that's what bug 29346 is for. But resizing or closing the current window shouldn't be possible at all, because it is guaranteed to annoy the user.
I agree that webpages should not be able to resize a browser window. I've never seen that feature used constructively, and pages shouldn't assume that javascript is enabled and that the screen size allows the page to be resized to the size they want. I don't think window.opened windows should be able to resize themselves either.. it makes more sense to set the size in the window.open call. Bill Lipa, about Java applets not being able to specify parameters to window.open, is there a way for the Java applet to communicate with JavaScript code on the page that could then call window.open with the correct parameters? window.close() security is discussed in bug 32571 and bug 36050.
OS: Mac System 8.5 → All
Hardware: Macintosh → All
Since Don has left, Vishy is taking his bugs in bulk, pending reassignment. thanks, Vishy
Assignee: don → vishy
I agree that scripts resizing windows is more or less in the same category as scripts opening windows. Either or both of these things can be disabled in the prefs, completely or wrt certain sites. There's UI on the way for this. I don't feel comfortable disabling either one of these by default, as some legitimate content authors may be counting on those abilities. This would make us less compatible with some degree of sites out there. If it bothers you, you can turn it off, but I don't think changing the default is a good idea. One thing I'd like to do in the upcoming JS privileges dialog, or maybe just on a webpage, is to offer alternate pref sets which people are likely to want which can be set with one click, for example, "disable all window.open, all window resizing, and all JS in mail." BTW, I'm taking this bug.
Assignee: vishy → mstoltz
Preventing all scripts from resizing windows by default would make us less compatible with some legitimate sites. I think it would be much better to offer an easy way for users to disable resizing (and window.open, and so on) on a per-site basis. There's backend for this, and a frontend is coming soon. Wontfix on this bug.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → WONTFIX
FYI, the frontend aspect is covered in bug 38966. The backend is covered in bug 7380 and bug 858...
Adding "per default" to SUMMARY to make clear that the user has the *option* to disable it, although it is hard to set that option.
Summary: Don't allow JS in Web pages to resize my browser window → Don't allow JS in Web pages to resize my browser window, per default
See also bug 69290, [RFE] ability to block resizing/moving of a window.
Summary: Don't allow JS in Web pages to resize my browser window, per default → Don't allow JS in Web pages to resize my browser window, by default
moot, due to scripts/windows prefs...
Status: RESOLVED → VERIFIED
See also bug 179704 comment 6, where I suggested disallowing scripts from resizing normal browser windows but allowing scripts to resize pop-up windows that don't have toolbars. There might be prefs to change this default setting. This new suggestion contradicts my comment 9 on this bug, where I said "I don't think window.opened windows should be able to resize themselves either.. it makes more sense to set the size in the window.open call." Making the web less annoying, keeping compatibility with existing sites, and reducing the number of visible prefs are all more important than forcing web site code to "make sense". Mitch, when you wontfixed this bug, you said "Preventing all scripts from resizing windows by default would make us less compatible with some legitimate sites." Do you know if any sites resize normal browser windows in a way that is more useful than annoying, or have you only seen resize commands used reasonably in pop-up windows?
I agree that window.opened windows should NOT be able to resize themselves (with the possible exception of sizeToContent() call); authors should decide on the popup sizes in the window.open call and then let it go (freedom, latitude to the user). You cannot satisfy 100% of users regarding size, position, etc... so you might as well make your best call and leave the rest (control, customization) to the user. One other thing struck me in this bug: window.innerWidth and window.innerHeight should be readonly values. Resizing a window should only be possible via known methods (resizeTo(), resizeBy(), sizeToContent()).
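
The policy options raised across this thread (read-only innerWidth/innerHeight, resizing only through methods, a default that protects normal browser windows but not toolbar-less pop-ups, and per-site overrides) can be modeled together. The following is an added sketch, not Mozilla code and not part of the original bug comments; makeWindow, its parameters, the origin strings and the sitePrefs map are all hypothetical names chosen for illustration.

```javascript
// Constructed model, not browser code. All names here are hypothetical.
const POLICY = { ALLOW: "allow", DENY: "deny" };

function makeWindow({ openedByScript, hasToolbars, width, height }, sitePrefs = new Map()) {
  const state = { width, height };
  const denied = []; // refused resize attempts, kept for later review

  // Default rule suggested in the thread: scripts may resize pop-ups they
  // opened that have no toolbars, but not the user's normal browser window.
  function decide(origin) {
    if (sitePrefs.has(origin)) return sitePrefs.get(origin); // per-site override
    return openedByScript && !hasToolbars ? POLICY.ALLOW : POLICY.DENY;
  }

  function resize(origin, via, w, h) {
    if (decide(origin) === POLICY.DENY) {
      denied.push({ origin, via, requested: [w, h] });
      return false;
    }
    state.width = w;
    state.height = h;
    return true;
  }

  const win = {
    // Resizing is possible only through these methods, each policy-checked.
    resizeTo: (origin, w, h) => resize(origin, "resizeTo", w, h),
    resizeBy: (origin, dw, dh) =>
      resize(origin, "resizeBy", state.width + dw, state.height + dh),
    deniedAttempts: () => denied.slice(),
  };
  // Getter-only properties: assigning to them cannot change the size
  // (ignored in sloppy mode, TypeError in strict mode).
  Object.defineProperty(win, "innerWidth", { get: () => state.width, enumerable: true });
  Object.defineProperty(win, "innerHeight", { get: () => state.height, enumerable: true });
  return Object.freeze(win);
}
```

The list returned by deniedAttempts() is what a per-site preference UI could show the user, so a site whose resize requests were refused can be allowed explicitly.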
Product: Core → Mozilla Application Suite
Blocks: 327310