Mozilla no longer supports user_pref("capability.policy.default.Window.open","sameOrigin");

VERIFIED INVALID


People

(Reporter: craig, Assigned: security-bugs)

Tracking

Trunk
x86
Linux

Details

(Reporter)

Description

17 years ago
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3+) Gecko/20010826
BuildID:    2001082606

Mozilla used to recognize this parameter and not bring up popup windows on sites
unless they were originating from the same site. Mozilla no longer adheres to
this and will now pop-up windows not having the same origin as the content.

Reproducible: Always
Steps to Reproduce:
1. Browse a site
2. popup windows appear from ad.doubleclick.net or .x10.com


Actual Results:  popup windows created.

Expected Results:  No popup windows should be created.

Comment 1

17 years ago
WFM
Windows NT build 2001082703
I do not get popup windows.
capabilities -> mstoltz

I think, though I'll let Mitch confirm, that the "sameOrigin" refers to whose
script issued the window.open() call and not to the URL that's loaded by that
command. If that's the case then it'll "work" on some sites, and not on others
where the window.open is directly on the page you're viewing.
Assignee: sgehani → mstoltz
Component: Preferences → Security: CAPS
QA Contact: sairuh → bsharma
jasonb: if you're not getting *any* popups then you couldn't have set the value
to "sameOrigin" as in the bug report.
(Assignee)

Comment 4

17 years ago
dveditz is correct, sameOrigin refers to the window calling window.open, not the
URL of the window being opened. sameOrigin doesn't work the way you described
and never did. We discussed doing it that way, but there are some good reasons
not to (popups can and often do come from the same site as the page).
http://www.mozilla.org/projects/security/components/configPolicy.html describes
exactly what configurable policies can do. If you want to block all popups, use
noAccess instead of sameOrigin. For more selective blocking, I'm trying to get
bug 92955 checked in soon.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → INVALID
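
A simplified model of the check comment 4 describes, added here as an illustration and not Mozilla's code: under sameOrigin the caller's origin is compared with the window object whose open() is invoked, and the URL being opened is never consulted. Function names, field names and hosts are hypothetical.

```javascript
// Added illustration: simplified model of the policy decision for
// capability.policy.default.Window.open. Names here are hypothetical.

// Origin = scheme + host + port, taken from the standard URL parser.
function originOf(url) {
  return new URL(url).origin;
}

// policy:    value of the Window.open capability policy
// callerUrl: document whose script calls open()
// windowUrl: document loaded in the window object whose open() is called
// targetUrl: URL the new window would load (never consulted by any policy)
function mayCallWindowOpen(policy, callerUrl, windowUrl, targetUrl) {
  switch (policy) {
    case "allAccess":
      return true;
    case "noAccess":
      return false;
    case "sameOrigin":
      // Compares the caller with the window object being accessed,
      // not with targetUrl.
      return originOf(callerUrl) === originOf(windowUrl);
    default:
      throw new Error(`unknown policy value: ${policy}`);
  }
}

// Constructed scenarios (example hosts, not taken from a real capture).
const scenarios = [
  { name: "page opens a third-party ad popup from its own window",
    caller: "http://news.example/index.html",
    win:    "http://news.example/index.html",
    target: "http://ads.example/popup.html" },
  { name: "ad iframe calls open() on the embedding page's window",
    caller: "http://ads.example/frame.html",
    win:    "http://news.example/index.html",
    target: "http://ads.example/popup.html" },
];

function evaluateAll(policy) {
  return scenarios.map(s => ({
    name: s.name,
    allowed: mayCallWindowOpen(policy, s.caller, s.win, s.target),
  }));
}

for (const policy of ["sameOrigin", "noAccess"]) {
  console.log(policy, evaluateAll(policy));
}
```

The first scenario is the one in the bug report: the popup is still allowed under sameOrigin because the page calls open() on its own window, and only noAccess denies it.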

Comment 5

17 years ago
Marking verified as per above developer comments.
Status: RESOLVED → VERIFIED