Closed Bug 255388 Opened 20 years ago Closed 20 years ago

window can be resized to hide statusbar or other ui components

Categories

(Firefox :: General, defect)

Product:
Firefox
Component:
General
Version:
1.0 Branch
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: dragon, Assigned: bugzilla)

References

Details

User-Agent:       Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.2) Gecko/20040811 Firefox/0.9.1+
Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.2) Gecko/20040811 Firefox/0.9.1+

A window or popup can be resized so that important parts of the
browser-interface can be hidden. For example a site could resize my main browser
window to hide the tab bar or launch a popup that is so small that the statusbar
is not visible any more. This basically blocks Bug 252811 and Bug 245406,
because although the statusbar cannot be hidden by default anymore, it can not
be seen if the popup has a very small size. Even if you do not allow scripts to
move or resize existing windows, a script could still open such a small popup
via window.open.

Example (with and without ssl):
 http://www.dragosan.net/test/mozilla/odd_resize/
 https://ssl.webpack.de/dragosan.net/test/mozilla/odd_resize/

Reproducible: Always
Steps to Reproduce:
Summary: window can be resized in such a way that the statusbar or other ui components can be hidden → window can be resized to hide statusbar or other ui components
Related bugs:

Bug 84754   Malicious javascript can be used to hide a window and pop up ads, etc.
Bug 104303  script can make a window larger than the screen (Linux)
Bug 118717  Never let sites position windows outside the screen
Bug 161903  [RFE] Add pref for ignoring window size options on window.open()
Bug 176320  Minimal innerWidth/innerHeight values for popup windows
Bug 239876  combined specification of one inner and one outer dimension of a popUp 
            window is not honored

This looks like dupe of Bug 118717.
Blocks: 245406, 252811
OS: Windows 98 → All
Hardware: PC → All
Version: unspecified → 1.0 Branch

*** This bug has been marked as a duplicate of 118717 ***
No longer blocks: 245406, 252811
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED
Would someone please explain why this bug should be a duplicate of 118717.
The former is already fixed since Moz 1.7 and is about positioning windows
outside the screen. Whereas this bug is about resizing windows in Firefox to
small sizes for example to hide the statusbar, ignoring the pref that should
restrict that (see 252811). The statusbar is still there, but not visible in the
window, as it should. You can do the same to hide the tab bar, which can be very
annoying, and you could even use it to open hidden windows in new tabs, too, if
someone has set all links to open in tabs instead of windows via an extension.
Perhaps I missed something, however AFAIK that this bug is not fixed, which is
implied by marking it a duplicate of a fixed bug, so the bug should be reopened.
Blocks: 245406, 252811
Status: VERIFIED → UNCONFIRMED
Resolution: DUPLICATE → ---
This bug is critical. One can use this bug for "phishing" purposes !
One can just resize FireFox main window to hide its statusbar. He then can also
draw a fake statusbar at the bottom of the main window. He can then force you to
download and execute anything (the fake statusbar can display wrong information
about the link; users will blindly click on this link).
Flags: blocking-aviary1.0?
resizing the main window leaves the toolbars untouched (1.0PR) but the pop-up
indeed hide his stuff. Making it large wil show the status bar, but nog the menu
bar.

At least the location bar should be visible in pop-ups... (i noticed this
already in 0.9.3 there the tabbed bar is hidden...)
Hrnm, I definitely think we should do something about this. XUL gurus, is there
any way to get the statusbar to be the "anchor", so that if the window is too
small, the main content disappears, instead of the status bar?
Status: UNCONFIRMED → NEW
Ever confirmed: true
If dom.disable_window_open_feature.status is true the statusbarheight should be
fixed preventing spoofing/phishing

if dom.disable_window_open_feature.status is false the statusbarheight can be
left the way it is now. (users responsibility)
> is there any way to get the statusbar to be the "anchor"

Not that I'm aware (though perhaps there should be).

The problem is that iframes have a height of 150 by default. Setting min-height:
1 in xul.css should allow the browser frame to shrink, but there might be other
issues.
Blocks: 262366
*** Bug 264335 has been marked as a duplicate of this bug. ***
If I open two tabs in a small window (thus with hidden statusbar), load a page
such as mozilla.org into the first tab and close the first tab, the status bar
and horizontal scroll bar appear. After this, whatever the size of the window,
the components do not disappear again (unless there is no room for them).
Could the fix in 217477 (not checked into aviary) also help here? Seems to have
helped for suite, that also had this bug.
Flags: blocking-aviary1.0? → blocking-aviary1.0-
It's the browsers responsibility to avoid webpages to mimic parts of the
interface that could be harmfull. This now involves a lot of reports here but
also on security-related websites.

I'd say the menu, toolbar and addressbar must never be hidden. Bookmarks and
tabs are harmless I suppose.

*********
More important, why not use the addressbar instead of the
statusbar/informationbar for notices. In the same way it is now used to signal
that a website is secure, by changing the backgroundcolor and displaying an icon
on the right side of the addressbar.

For example the popup-blocker could make it turn red with the crossed-box icon,
extension related stuff could make it green with the puzzle icon etc.
*********

This way the statusbar can also be harmless to be hidden and there would be no
need for the information bar (also see bug #252257).

The user can depend on the information being displayed and available in a
consistent/reliable way.

There could be extra information under the icon's tooltip and this could popup
for a couple of seconds when an event takes place.

---------
Lots of stuff could be added this way, also by cleverly stacking these statuses
in such way that the most relevant is shown at a time.

For instance the popup blocker could be top-most but dissappear after a while,
so could the 'extension installation'. Meanwhile the secure/insecure icon could
be show as a smaller, secondary icon and then after a while swap then so the
other notice remains visible.


..sorry for the long comment..
The bug seems to have been fixed by now.

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7)
Gecko/20050414 Firefox/1.0.3
Status: NEW → RESOLVED
Closed: 20 years ago20 years ago
Resolution: --- → FIXED
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
correction resolution --> wfm
Status: REOPENED → RESOLVED
Closed: 20 years ago20 years ago
Resolution: --- → WORKSFORME
This was serendipitously fixed by the checkin for bug 217477.
On the branches it was not serendipitous, we explicitly applied that patch to
fix bug 284551 (which is a dupe of this one -- sorry I didn't notice when I was
cc'd. I'm cc'd on a lot of bugs).
You need to log in before you can comment on or make changes to this bug.