[35944] in bugtraq


Re: New possible scam method : forged websites using XUL (Firefox)

daemon@ATHENA.MIT.EDU (Peter J. Holzer)
Tue Aug 3 14:04:44 2004

Date: Tue, 3 Aug 2004 10:11:16 +0200
From: "Peter J. Holzer" <hjp@wsr.ac.at>
To: bugtraq@securityfocus.com
Message-ID: <20040803081116.GB21160@wsr.ac.at>
Mail-Followup-To: bugtraq@securityfocus.com
In-Reply-To: <20040802095917.GB1742@wsr.ac.at>



On 2004-08-02 11:59:17 +0200, Peter J. Holzer wrote:
> * add a UI to the "allow javascript only from trusted sites" feature.
>   (few people know that mozilla can do that, and even for those, editing
>   user.js is tedious).

More on the lines of "few people know that Mozilla can do that":

Daniel Veditz wrote in
<URL:http://bugzilla.mozilla.org/show_bug.cgi?id=22183#c97>:

| Or we could just force the location bar to be on using the existing
| pref, but obviously there must be some reluctance to that or it'd be
| done already.

So I started to look for the "existing pref", and sure enough, if you
write

user_pref("dom.disable_window_open_feature.location", true);

in your prefs.js, the spoof looks much less convincing.
(You can also set this preference via "about:config".)

	hp

-- 
   _  | Peter J. Holzer      | Shooting the users in the foot is bad.
|_|_) | Sysadmin WSR / LUGA  | Giving them a gun isn't.
| |   | hjp@wsr.ac.at        |	-- Gordon Schumacher,
__/   | http://www.hjp.at/   |     mozilla bug #84128

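
A check for the preference described in the message above, added here as an example and not part of the original post: it parses the text of prefs.js (and optionally user.js, which Mozilla reads after prefs.js at startup) and reports whether the location bar is forced on. The function names and the sample file contents are constructed for illustration.

```python
import re

# The preference named in the post above.
LOCATION_PREF = "dom.disable_window_open_feature.location"

# One user_pref("name", value); call per line. Lines starting with // or #
# do not match, so a commented-out setting is ignored.
_PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

# Constructed sample profile files (not taken from a real profile).
SAMPLE_PREFS_JS = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.example.org/");
// user_pref("dom.disable_window_open_feature.location", true);
user_pref("dom.disable_window_open_feature.location", false);
'''
SAMPLE_USER_JS = 'user_pref("dom.disable_window_open_feature.location", true);\n'


def parse_prefs(text):
    """Return {name: value}; a later line for the same name overrides an earlier one."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = (raw == "true")
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')  # string value, kept as text
    return prefs


def location_bar_forced(prefs_js, user_js=""):
    """True only if the effective value is the boolean true.

    user.js is read after prefs.js at startup, so its entries win.
    A quoted "true" is a string, not a boolean, and is reported as not set.
    """
    effective = parse_prefs(prefs_js)
    effective.update(parse_prefs(user_js))
    return effective.get(LOCATION_PREF) is True


if __name__ == "__main__":
    print("prefs.js only:", location_bar_forced(SAMPLE_PREFS_JS))
    print("with user.js :", location_bar_forced(SAMPLE_PREFS_JS, SAMPLE_USER_JS))
```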
