From e879d0303c03114616ac59b23cb3768d9be310d2 Mon Sep 17 00:00:00 2001 From: "dtownsend@oxymoronical.com" Date: Thu, 23 Aug 2007 11:49:02 -0700 Subject: [PATCH] Bug 337344: Disable location bar hiding by default, to make chrome spoofing harder. p=Johnathan Nightingale , r=mconnor --- browser/app/profile/firefox.js | 7 ++++--- browser/components/nsBrowserContentHandler.js | 6 +++--- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/browser/app/profile/firefox.js b/browser/app/profile/firefox.js index 0147721aa4b8..41e2530d9d35 100644 --- a/browser/app/profile/firefox.js +++ b/browser/app/profile/firefox.js @@ -305,9 +305,10 @@ pref("javascript.options.showInConsole", false); pref("dom.disable_window_open_feature.status", true); // This is the pref to control the location bar, change this to true to // force this instead of or in addition to the status bar - this makes -// the origin of popup windows more obvious to avoid spoofing but we -// cannot do it by default because it affects UE for web applications. -pref("dom.disable_window_open_feature.location", false); +// the origin of popup windows more obvious to avoid spoofing. We would +// rather not do it by default because it affects UE for web applications, but +// without it there isn't a really good way to prevent chrome spoofing, see bug 337344 +pref("dom.disable_window_open_feature.location", true); pref("dom.disable_window_status_change", true); // allow JS to move and resize existing windows pref("dom.disable_window_move_resize", false); diff --git a/browser/components/nsBrowserContentHandler.js b/browser/components/nsBrowserContentHandler.js index 38c8b36bdcb8..3cc8bea8bbfc 100644 --- a/browser/components/nsBrowserContentHandler.js +++ b/browser/components/nsBrowserContentHandler.js @@ -221,12 +221,12 @@ function getMostRecentBrowserWindow() { var win = wm.getMostRecentWindow("navigator:browser", true); // if we're lucky, this isn't a popup, and we can just return this - if (win && !win.toolbar.visible) { + if (win && win.document.documentElement.getAttribute("chromehidden")) { var windowList = wm.getEnumerator("navigator:browser", true); // this is oldest to newest, so this gets a bit ugly while (windowList.hasMoreElements()) { var nextWin = windowList.getNext(); - if (nextWin.toolbar.visible) + if (!nextWin.document.documentElement.getAttribute("chromehidden")) win = nextWin; } } @@ -236,7 +236,7 @@ function getMostRecentBrowserWindow() { return null; var win = windowList.getNext(); - while (!win.toolbar.visible) { + while (win.document.documentElement.getAttribute("chromehidden")) { if (!windowList.hasMoreElements()) return null;