Created attachment 599561
TESTCASE2.0-document.location geolocalisation.zip

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Build ID: 20120215223356

Steps to reproduce:

Like bug 575294, Firefox 10.0.1 shows the dropdown menu for <select> elements as an always-on-top chromeless window. It also allows arbitrary HTML content to be rendered in the <option> elements within the <select>. With location.href and geolocation we can cover a Java applet or an XPI for evil.

Actual results:

This bug demonstrates that an attacker can cover a Java applet or an XPI for evil. I think this issue is critical.
Is the underlying issue here any different from that in bug 726264?
The method used to trigger the navigation is irrelevant to the floating select issue.