Bug 888690 (Closed): browser.chrome.dynamictoolbar is now default true
Opened 11 years ago, closed 9 years ago
Categories: Firefox for Android Graveyard :: General, defect
Tracking: not tracked
Status: RESOLVED INVALID
Reporter: rasche.eric; Unassigned
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20130626 Firefox/25.0 (Nightly/Aurora)
Build ID: 20130626031100
Steps to reproduce:
1) launch the browser
2) scroll
3) the chrome disappears
Actual results:
Chrome disappeared.
Expected results:
Chrome should not have disappeared. This is a known phishing attack vector. Please see https://www.usenix.org/legacy/event/upsec08/tech/full_papers/niu/niu.pdf section 4.2.2 "Address Bar" and 4.3 "Chrome Simplicity".
With a simple JavaScript scrollTo, a fake URL bar can be displayed.
A quote from the paper: "Users from all groups, even expert users, who identified the URL as phishing by looking at the URL, failed to notice the fake address bar sliding over the real one very quickly on page load. Average and knowledgeable users who tried to proceed in this stage should have noticed it multiple times, but none did until it was specifically pointed out in the debriefing stage."
Updated•11 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID
Comment 1•11 years ago (Reporter)
Aaron, can you please explain why you marked this as invalid? This is a potential phishing attack on firefox for android users.
Comment 2•11 years ago
Discussions like these should be held on the newsgroups as there is nothing actionable in this bug. I'm willing to let this one slide though.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Comment 3•11 years ago
Mark has the security team reviewed the dynamic toolbar proposal?
Flags: sec-review?(mgoodwin)
Updated•11 years ago
Comment 4•11 years ago
(In reply to Kevin Brosnan [:kbrosnan] from comment #3)
> Mark has the security team reviewed the dynamic toolbar proposal?
Not that I'm aware of. We're looking at similar things with fxos (and probably elsewhere) so I'll talk to the rest of the team and see what we're doing to fix this there.
One possible solution to this (admittedly not having thought about it for long) would be to check to see if the scrolling is user initiated before hiding the toolbar. Could that work?
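The heuristic proposed in this comment (only hide the toolbar when the scroll was user initiated) can be sketched as a small event-driven state machine. The following is an added example written for this page; it is not Firefox code, and the event names, the `isTrusted` flag, the 300 ms input-to-scroll window and the event traces are assumptions constructed for illustration. It keeps the chrome visible for a scroll that no trusted input preceded (the on-load scrollTo case the reporter describes) and also ignores script-dispatched synthetic input events.

```javascript
// Added example, not Firefox code: a toolbar controller that hides the chrome
// only when a scroll follows a trusted user input event within a short window.
// Event names, the window length and the traces below are assumptions.
const USER_INPUT_EVENTS = new Set(["touchstart", "touchmove", "wheel", "keydown"]);
const INPUT_TO_SCROLL_WINDOW_MS = 300; // assumed grace period between input and the resulting scroll

class DynamicToolbar {
  constructor() {
    this.visible = true;
    this.lastTrustedInputAt = -Infinity;
    this.suppressedProgrammaticScrolls = 0;
  }

  // Feed every event the chrome sees as {type, time, isTrusted}.
  // Returns the toolbar's visibility after the event is processed.
  handleEvent(ev) {
    if (USER_INPUT_EVENTS.has(ev.type)) {
      // Only input the browser itself generated counts; an event dispatched
      // by page script carries isTrusted === false and is ignored.
      if (ev.isTrusted) this.lastTrustedInputAt = ev.time;
      return this.visible;
    }
    if (ev.type === "scroll") {
      const userInitiated = ev.time - this.lastTrustedInputAt <= INPUT_TO_SCROLL_WINDOW_MS;
      if (userInitiated) {
        this.visible = false;
      } else {
        // e.g. window.scrollTo() called from page script on load: keep the chrome up
        this.suppressedProgrammaticScrolls += 1;
      }
      return this.visible;
    }
    if (ev.type === "navigate") {
      // A navigation always restores the toolbar so the new URL is visible.
      this.visible = true;
      this.lastTrustedInputAt = -Infinity;
    }
    return this.visible;
  }
}

// Replay a constructed event trace; returns the final state and the
// visibility after each event.
function replay(events) {
  const tb = new DynamicToolbar();
  const trail = events.map((ev) => tb.handleEvent(ev));
  return { visible: tb.visible, suppressed: tb.suppressedProgrammaticScrolls, trail };
}

// Constructed trace 1: page script scrolls right after load, no user input.
const PROGRAMMATIC_SCROLL = [
  { type: "navigate", time: 0, isTrusted: true },
  { type: "scroll", time: 50, isTrusted: true },
];

// Constructed trace 2: the user swipes and the content scrolls.
const USER_SCROLL = [
  { type: "navigate", time: 0, isTrusted: true },
  { type: "touchstart", time: 1000, isTrusted: true },
  { type: "touchmove", time: 1040, isTrusted: true },
  { type: "scroll", time: 1060, isTrusted: true },
];

// Constructed trace 3: page script dispatches a synthetic touchmove, then scrolls.
const SYNTHETIC_INPUT = [
  { type: "navigate", time: 0, isTrusted: true },
  { type: "touchmove", time: 20, isTrusted: false },
  { type: "scroll", time: 40, isTrusted: true },
];

for (const [name, trace] of [
  ["programmatic", PROGRAMMATIC_SCROLL],
  ["user", USER_SCROLL],
  ["synthetic input", SYNTHETIC_INPUT],
]) {
  const r = replay(trace);
  console.log(`${name}: toolbar visible=${r.visible}, suppressed=${r.suppressed}`);
}
```

The check only means something when it runs in browser chrome on the browser's own input events; web content cannot set `isTrusted` on the events it dispatches, so the page cannot manufacture the "user initiated" signal. The heuristic covers the on-load case from the paper, but once a user genuinely scrolls a page that has already drawn a fake bar the chrome still hides, which is why the blocklist defence raised later in this bug remains the primary control.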
Comment 5•11 years ago
FWIW bug 716403 is still pending sec-review from dveditz. I don't know what the expected timeline is for security reviews but that flag was set over three months ago.
Comment 6•11 years ago
Firefox for Android never showed the URL. Instead, it showed the (untrusted) title of the page. You had to click on the titlebar to figure out the URL. So, I am not sure how dynamic toolbar changes things that much. User interaction was required earlier and will be required now (to figure out the current URL).
Users who still feel the need for a visible url bar can always change the pref, if I am not wrong. This bug is about what the default pref should be, and I am guessing that for the vast majority of users, a phishing page would succeed even with old behavior (i.e., without dynamic URL bar). In particular, while it was possible to click on the bar to figure out the correct URL, I imagine very few users did. Users concerned with the new behavior can always flip the pref back.
In any case, if checking URLs and making them visible protects against phishing, then we wouldn't have so many incidents of phishing on desktop browsers. I would hazard a guess that users who get phished aren't protected by a visible URL. There are also lots of attacks possible when a user looks at the URL. That's why I think the key defense against phishing has to be the SafeBrowsing blocklist, which Firefox for Android already supports.
On the other hand, hiding the URL bar gives the main webpage valuable real estate.
Comment 7•11 years ago
Removing sec-review as there's already one tracking this in bug 716403.
Flags: sec-review?(mgoodwin)
Comment 8•9 years ago
Per comment 7. The sec-review was already completed a while back.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago → 9 years ago
Resolution: --- → INVALID
Updated•4 years ago (Assignee)
Product: Firefox for Android → Firefox for Android Graveyard