Home page logo

bugtraq logo Bugtraq mailing list archives

Re: New possible scam method : forged websites using XUL (Firefox)
From: "Peter J. Holzer" <hjp () wsr ac at>
Date: Tue, 3 Aug 2004 10:11:16 +0200

On 2004-08-02 11:59:17 +0200, Peter J. Holzer wrote:
* add a UI to the "allow javascript only from trusted sites" feature. 
  (few people know that mozilla can do that, and even for those, editing
  user.js is tedious).

More on the lines of "few people know that Mozilla can do that":

Daniel Veditz wrote in

| Or we could just force the location bar to be on using the existing
| pref, but obviously there must be some reluctance to that or it'd be
| done already.

So I started to look for the "existing pref", and sure enough, if you

user_pref("dom.disable_window_open_feature.location", true);

in your prefs.js, the spoof looks much less convincing.
(You can also set this preference via "about:config".)


   _  | Peter J. Holzer      | Shooting the users in the foot is bad. 
|_|_) | Sysadmin WSR / LUGA  | Giving them a gun isn't.
| |   | hjp () wsr ac at        |       -- Gordon Schumacher,
__/   | http://www.hjp.at/   |     mozilla bug #84128

Attachment: _bin

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]