User-Agent: Mozilla/5.0 (Windows; U; Win95; en-US; rv:1.2b) Gecko/20021014 Build Identifier: Mozilla/5.0 (Windows; U; Win95; en-US; rv:1.2b) Gecko/20021014 Mozilla has some excellent options for handling nasty sites, such as being able to block opens of unrequested windows. However, there are times when a site opens windows that the users wants to see but doesn't want to be held up by. The site opens those windows with window.open .... modal=1 to try to ensure that users sit and wait while the content of the popup is loaded. However, users might not consider this so crucial. It would be good to have a subsidiary option such that if "open unrequested windows" is allowed, the modal setting could be ignored. Reproducible: Always Steps to Reproduce:

should untrusted content even be able to specify "modal"? That seems wrong

it is wrong. make it stop :)

I confirm untrusted content can open a window modal. This is way wrong, and neither Netscape 4.x nor IE allow you to do this. This probably shouldn't be Ben, maybe danm or jag?

Any documented standard anywhere that says "modal=" is a legit option? If so, we should optionally support it.

in nsWindowWatcher.cpp line 1325 a comment in rev 1.2 of that file (close to two years ago) claims //XXX Temporarily removing this check to allow modal dialogs to be //raised from script. A more complete security based fix is needed. Dan?

If there is a standard saying we should crash, should we support it? This is really no different (and no, there is no standard covering window.open(), period).

If there were really no standards about window.open() no one would be able to use it. There may be no formal standards, but both Netscape and Microsoft document it (not to mention hundreds of "learn web programming!" books) and agree on a basic set of options. We are obligated to support that basic set as much as any other standard we support. We are not obligated to support things we invented for our own use e.g. "modal".

Right, that's what I meant - if modal is just a Mozilla thing, we can take it out. If modal is documented, supported by other browsers, and being used on the web (hopefully for good reasons, although I can't think of many), then yes, we should support it, but make it optional (via Preferences) because it could be abused (just like "open unrequested windows"). A standard saying we should crash is kind of silly - crashes are caused by bugs, and are therefore not standardized across implementations, with some exceptions from Redmond.

"modal" was never intended to be exposed to untrusted script. See comment 5 and bug 43390. It's almost flattering that obnoxious website authors have taken special notice.

Hmm... Sounds like nsGlobalWindow::Open() should strip some stuff out of the feature string for non-chrome windows....

Exactly. Except for alerts, prompts and the like opened from content. That's what bug 43390 is all about and that's why it started to get ugly and was punted on two years ago.

But (is this what you were talking about bz?) simpler than fixing the security manager, does it make sense from a security perspective to allow modality for chrome URLs? Johnny? Mitchell? This patch allows prompts thrown from content to be modal because the URL is the dialog chrome URL, while normal window.open("html...") from content is not allowed to be modal. Is it as easy as this? What am I missing? In any case this is probably an improvement.

Actually, what I was talking about is that we could fix this at the level _before_ it gets into the windowwatcher. That is, fix nsGlobalWindow::Open() to strip out the "modal" part from the feature string if the caller is not chrome. prompt/alert/confirm do _not_ go through nsGlobalWindow::Open() and so would be unaffected. That said, I think the proposed solution is cleaner (and certainly simpler)

Comment on attachment 106289 [details] [diff] [review] modality allowed only for windows opened from chrome, and for chrome windows sr=jst

Comment on attachment 106289 [details] [diff] [review] modality allowed only for windows opened from chrome, and for chrome windows r=mstoltz.

Override be damned, untrusted client script should not be able to open modal windows at all. And unless I goofed, can no longer. There is some worry that windows which _should_ be modal (alerts) will be hurt. However the patch has been in the trunk since last Wednesday, Nov 20th. I haven't heard any complaints; seems good.

There's a contradiction here: "modality allowed only for windows opened from chrome, and for chrome windows" "untrusted client script should not be able to open modal windows at all" Which is it? What preference can I add to make content trusted so that it can make modal windows? It's pretty hard to write web based applications if you can't do modal dialogs.

I think the idea is that chrome, which is part of the browser package, is trusted and can open modal dialogs, while anything else (e.g. a web page on the Internet) is untrusted and can't. I'd suggest filing an RFE for a "trusted sites" list containing domains where you want modal dialogs to be allowed on. Note that if you're developing web applications that require modal dialogs, you'll have to require your clients to enable this, since it won't be on by default in Mozilla. If this is for internal use, your IT dept can implement it in their standard image so users don't have to change anything.

mkaply, does requesting UniversalBrowserWrite not work?

bz: Works great. Thanks!

(In reply to comment #20) > bz: Works great. Thanks! > so is there any other way of opening modal windows apart from enabling UniversalBrowserWrite? it seems that there's not. however sites on the internet/lan also can't request this unless they are using signed scripts. so basically I need a 695$ security certificate and I have to bear with updating jar files everytime I modify my script just to show a modal window, is that so?

Asking for help in a bug closed three years ago isn't generally productive. Please see http://www.mozilla.org/support/ for links to technical newsgroups.