lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20040803081116.GB21160@wsr.ac.at>
Date: Tue, 3 Aug 2004 10:11:16 +0200
From: "Peter J. Holzer" <hjp@....ac.at>
To: bugtraq@...urityfocus.com
Subject: Re: New possible scam method : forged websites using XUL (Firefox)

On 2004-08-02 11:59:17 +0200, Peter J. Holzer wrote:
> * add a UI to the "allow javascript only from trusted sites" feature. 
>   (few people know that mozilla can do that, and even for those, editing
>   user.js is tedious).

More on the lines of "few people know that Mozilla can do that":

Daniel Veditz wrote in
<URL:http://bugzilla.mozilla.org/show_bug.cgi?id=22183#c97>:

| Or we could just force the location bar to be on using the existing
| pref, but obviously there must be some reluctance to that or it'd be
| done already.

So I started to look for the "existing pref", and sure enough, if you
write

user_pref("dom.disable_window_open_feature.location", true);

in your prefs.js, the spoof looks much less convincing.
(You can also set this preference via "about:config".)

	hp

-- 
   _  | Peter J. Holzer      | Shooting the users in the foot is bad. 
|_|_) | Sysadmin WSR / LUGA  | Giving them a gun isn't.
| |   | hjp@....ac.at        |	-- Gordon Schumacher,
__/   | http://www.hjp.at/   |     mozilla bug #84128

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ