| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: and-bugtraq at doxdesk.com (Andrew Clover) Subject: Firespoofing [Firefox 1.0] James Greenhalgh <james.greenhalgh@...ldpay.com> wrote: > It also doesn't work on non-Windows or with non-default colours. Didn't work for Windows with default colours for me either; the real dialogue box jumped to the front. I am still on a nightly just before the 1.0 release though, and I believe it to be possible in theory. It could also, I think, be made to work without the 'browsing full screen' requirement. > Really - this is more a window management thing surely? If someone fell > for this, they'd deserve it to be honest. It's window management, yeah, probably applicable to other browsers too, and not nearly as bad as the IE chromeless window stuff because you do get those extra couple of pixels of window edge to clue you in. But it's still not good. The real solution is to force toolbar+menubar+addrtessbar on for all JavaScript pop-ups, at least as a default option setting. This would also fix the recently publicised problem with targeting other sites' pop-up windows for phishing. -- Andrew Clover mailto:and@...desk.com http://www.doxdesk.com/
Powered by blists - more mailing lists