Closed Bug 378532 Opened 18 years ago Closed 13 years ago

It's possible to make all browser chrome invisible

Product/Component: Core :: General (defect)
Platform: x86, Windows XP
Priority: Not set
Severity: major
Status: RESOLVED INCOMPLETE
Reporter: csthomas
Assignee: Unassigned
Keywords: qawanted
Whiteboard: [sg:needinfo] (sg:moderate-to-high spoofing if true?)

It's possible to blow away all the browser chrome from content. It has something to do with popups - I hit this repeatedly while working on testcases for bug 326877 and bug 374569, but didn't file it because I had no useful info. I still have no useful info, but dveditz confirmed it:

<dveditz> whoa, I'm in a strange state
<dveditz> back on your evil page I middle-clicked in the real bank site's tab to close it, and the chrome totally disappeared

Filing as a security bug since you could theoretically display anything you want. As far as I can tell, the state of the browser is pretty busted though, so an exploit might be difficult.

Steps to reproduce:
1. No clue. Play around with malicious <popup> testcases.
Since G30rgi's playing with popups (bug 394743) maybe he'll run into this too....
This may be related to Bug 373314 – strange transparent areas in firefox caused by xul
Ok, I can reproduce this now (or something like it) on latest-1.8 and latest-trunk. The behavior isn't exactly the same as what I got on Windows, but it's close enough to use this bug.

Load http://ctho.ath.cx/tmp/crash.xul
javascript:setTimeout(function() { alert("Hi"); }, 500);
click the button before the page is replaced with the return value from setTimeout (most likely "2").

"javascript:for (var i=0; i<100000; i++) ; 5" works too, so the alert is irrelevant.
-'ing this as the issue also exists in Fx2.
Flags: blocking1.9? → blocking1.9-
Can anyone other than CTho reproduce this in recent branch or trunk builds? Maybe I'm missing something in comment 3 (it's clearly not crash.xul alone since earlier fixes safely contain that content in chrome) but I couldn't figure when to inject the javascript that would make any difference. If hiding chrome is still possible this is probably an sg:moderate or sg:high since any site content could be spoofed including any EV cert indicia we come up with.
Flags: blocking1.9- → blocking1.9?
Keywords: qawanted
Whiteboard: [sg:needinfo] (sg:moderate-to-high spoofing if true?)
I couldn't reproduce it on Windows using those steps or anything similar I tried (I even tried older builds from before the content-popups-over-chrome fix in April). Must not be this bug. I filed bug 406680 on the steps in comment 3.
Per conversation with dveditz, we can't reproduce. If we can consistently reproduce this issue, please re-nom.
Flags: blocking1.9? → blocking1.9-
Depends on: 405472
This should be fixed now that bug 322074 is fixed.
Resolving this as incomplete since it should be fixed and it hasn't been touched in four years.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → INCOMPLETE
Group: core-security