xul popups make firefox always on focus and unkillable from X on linux. it is impossible to leave the page or access the menus. on macosx switching to other applications is possible though nothing in firefox is usable and it is difficult but possible to kill firefox. for 2.0: <popup id="pan1" onpopuphidden="this.showPopup(null,0,0,0,0);alert(2)"> for trunk the alert is not necessary: <panel id="pan1" onpopuphidden="this.openPopupAtScreen(0,0);"> macosx trunk seems safe.

Dupe of bug 326877? (See also bug 374569).

This does look similar to my fake-bsod testcase there. I thought that was fixed on trunk though?

(In reply to comment #2) > Dupe of bug 326877? don't think so. the problem in this bug is that the graphical interface is unusable on linux - the only solution i found is CTL-ALT-F1 login in console killall firefox-bin on macosx and firefox 2.0 graphical interfaces is usable, but firefox interface is unusable and closing firefox is hard. >(See also bug 374569). can't see it - access denied

I misread the testcase. Now that I actually tried it and then read the code again, this is not a duplicate any bugs I've seen.

Yes, this and bug 392580 are caused by the linux-only 'keyboard grab' which retargets all keyboard events while a popup is open to the application.

branch on macosx is somewhat affected - closing firefox is hard.

(In reply to comment #6) > Yes, this and bug 392580 are caused by the linux-only 'keyboard grab' which > retargets all keyboard events while a popup is open to the application. > i doubt it is only *keyboard* events - mouse is useless in this testcase events are definitely involved.

Seems like a more open discussion would be better than what we're gaining by having this remain hidden. Neil - would you be willing to open this up? I haven't looked at the test case closely, perhaps it isn't even relevant any more since we disabled XUL in content?

The keyboard grab was removed by bug 545429, so it shouldn't be as much of an issue. Testing shows that it is possible to close the panel with alt+tab, although for some reason, it needs to be pressed a few times. karlt would be a better person to ask.

Karl - thoughts on comments 9/10?

I expect the DOS vulnerability is resolved since XUL content is limited to chrome, unless there is some other way for web content to open popups? (I don't see any need to support this kind of use of XUL in chrome.)

Opening this up. There might be minor risk on the 3.6 branch but that seems quite low and it will be unsupported very soon anyway. Resolving invalid because we don't allow XUL in content any more and even if we did the issue seems mitigated.