Full Disclosure mailing list archives
Re: Firespoofing [Firefox 1.0]
From: Andrew Clover <and-bugtraq () doxdesk com>
Date: Tue, 11 Jan 2005 18:29:56 +0100
James Greenhalgh <james.greenhalgh () worldpay com> wrote:
> It also doesn't work on non-Windows or with non-default colours.
Didn't work for Windows with default colours for me either; the real dialogue box jumped to the front. I am still on a nightly just before the 1.0 release though, and I believe it to be possible in theory. It could also, I think, be made to work without the 'browsing full screen' requirement.
> Really - this is more a window management thing surely? If someone fell for this, they'd deserve it to be honest.
It's window management, yeah, probably applicable to other browsers too, and not nearly as bad as the IE chromeless window stuff because you do get those extra couple of pixels of window edge to clue you in. But it's still not good.
The real solution is to force toolbar+menubar+addressbar on for all JavaScript pop-ups, at least as a default option setting. This would also fix the recently publicised problem with targeting other sites' pop-up windows for phishing.
--
Andrew Clover
mailto:and () doxdesk com
http://www.doxdesk.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
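The default proposed in the message above (toolbar, menubar and address bar forced on for script-opened pop-ups), sketched as an added example that is not part of the original post or of Firefox's code. It assumes the classic `window.open()` features-string rules, where any chrome feature left out of a non-empty string is treated as off; `parseFeatures`, `enforcePopupChrome` and `FORCED` are hypothetical names.

```javascript
// Added illustration: rewrite a window.open() features string so a page
// cannot hide the chrome that tells the user which site owns the window.
// All names here are hypothetical, not taken from any browser code base.
const FORCED = ["toolbar", "menubar", "location"]; // "location" = address bar

// Parse "a=1,b=no,c" into an ordered Map of lower-cased name -> value.
function parseFeatures(features) {
  const map = new Map();
  for (const part of String(features || "").split(",")) {
    const [rawName, ...rest] = part.split("=");
    const name = rawName.trim().toLowerCase();
    if (!name) continue; // skip empty segments such as ",,"
    // A bare name ("toolbar") means the feature is switched on.
    const value = rest.length ? rest.join("=").trim().toLowerCase() : "yes";
    map.set(name, value);
  }
  return map;
}

// Return a features string with the identifying chrome forced on.
function enforcePopupChrome(features) {
  const map = parseFeatures(features);
  // An empty string already produces a normal, fully decorated window.
  if (map.size === 0) return "";
  // Setting "toolbar=no" is not the only way to hide chrome: under the
  // assumed rules, omitting a feature from a non-empty string also turns
  // it off, so every forced feature is written out explicitly.
  for (const name of FORCED) map.set(name, "yes");
  return [...map].map(([k, v]) => `${k}=${v}`).join(",");
}

// Constructed sample input: a pop-up sized like a dialogue box with its chrome hidden.
console.log(enforcePopupChrome("width=400,height=200,toolbar=no,location=0"));
```

The omitted-feature case is the one to watch: a string such as `width=300` never mentions the address bar, yet it hides it just as `location=no` would.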