Slashdot Mirror
Major Browsers Have JS Pop-Up Flaw
An anonymous reader writes "Secunia is warning that several popular browsers contain a vulnerability that could allow a phishing attack. 'The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open -- for example, a prompt dialog box -- which appears to be from a trusted site,' Secunia said. The browsers include the latest versions of IE, IE for Mac, Safari, iCab, Mozilla, Mozilla Firefox and Camino. Opera 7 and 8 are also affected but not 8.01."
Boy well, you just pop right up there, doncha!
Here. Enjoy.
of course popup boxes don't show their origin, they usually mask the url and toolbar as well.
Isn't this a dupe from half a year ago?
Too bad if it's just a symptom of the problem(s) just not being fixed yet...
"Good news, everyone!"
How long takes to fix the free browsers...
This is only a 'security flaw' in the same way that those banner ads that look like warning dialogs are...
Opera 8.01 was released June 18th.... (only a few days ago)
//tin-foil hat engaged
It is the only browser not affected....
And now this leaked out where reports can only say that one browser does not suffer from this issue.
Everybody hates popups!
Thank god I use Contiki!
The coolest voice ever.
...and they're not going to release a patch for it.
;)
And you *know* that if Microsoft says it's not a flaw, well, then, it mustn't be a flaw.
libertarianswag.com
Click "OK" to initiate virus scan!
Is this a breathtaking revalation to anyone here?
Ever get rooked into going to a website with perpetual Javascript pompts? I love those.
The only way out of them is to kill your browser process outright.
This is a prime opportunity for mozilla developers to do a slight tweak to the prompts. a "kill all javscript for the rest of this session" button, etc.
It seems to have been forgotten, or deferred.
This has been the way browsers have worked since the dawn of the net. How about designing browsers so that scripts run without acess to the whole hard drive and system calls, oh wait then Microsoft would have to use the evil Java system and not Active X.
That'll solve the problem
Excuse me?
What do you mean Java Scripting is a feature?
[Fuck Beta]
o0t!
People should stop developing with JavaScript. How many of us have it disabled in our browsers? It's nothing but trouble.
...then perhaps the flaw is in the user.
Very few sites, if any, will use JavaScript/child windows to request details. While I agree that some people are unaware of that, they probably ought to stay away from malicious sites to begin with.
My Linux - (L)ove (I)s (N)ever (U)tterly eXPensive
Ooh - isn't Opera one of those web browser thingies? :-)
Any fool can talk, but it takes a wise man to listen.
But I thought that the super-advanced OS and Objective-C programming paradigm of the Macintosh prevented any and all security problems!
Best Buy can have you arrested
That's why I use NoScript with my Firefox.
m$ is right, it's not a flaw to them. it's a "feature"
The only way to get rid of a temptation is to yield to it.
-Oscar Wilde
Seriously... who still uses this browser? I didn't even know it was still in development.
Javascript popups have been around for a long time, exactly why is this news *now*? This behavior is entirely expected, at least by web developers at any rate... hardly some "new" discovery.
odd... sure mozilla doesnt display "the site origin" but when ive used mozilla on some less than admirable sites, in x, it displayed [ Java Script ] in the title bar of the newly opened window.
anyone with half a clue wouldnt enter in personal information in that? no?
to type inportant information into a popup they got whilst browsing some porn site or something.
sudo killall humans
To solve this problem, javascript multitasking must be disabled, only letting the current active window or tab having keyboard focus to run its javascript. Other tabs' scripts must not be disabled, but instead paused until they in turn receive focus.
It's a plot to trick us all...
... tinfoil hats for everyone!!
* insert stark raving mad rant including browsers, the software industry, the governement, the white house, UFO's, Mulder & Scully, cover-ups and Bill Gates' most darkest secret (you know which: the one about his hair planning to run off to Cleveland with the toupet from next door) *
* ducks *
It cracks me up, because they probably have an obsessive/compulsive, socially-maligned programmer within Secunia that just delights spending 16 hours a day trying to twist the browsers into doing what he wants. And then Secunia announces these flaws to save their reputation because nothing else is going on.
It corresponds to say.. running a browser, a spreadheet and say a game at same time and then getting a dialog box that is not identifiable saying "Do you want to save?".
Different problems of this sort will only raise as more and more applications are run as web based. Today it is popups that are not identified, tomorrow something else.
Konqueror 3.2.1 here is affected.
My front door has a major flaw, in that con artist can walk up to it and claim they are from and officially federal agency and have an urgent need for me to help them.
Doors from major outlets, including those of Lowe's and Home Depot, are affected by this flaw. Our investigations have determined that this flaw has been known for years, yet the major distributors have not plans to release an update to correct the problem.
US Senator, C. Ritter has introduce legislation under the title "Omnibus Weak Nutz United", the OWN-U bill, that seeks to station a security agent to watch over every door in the case the occupants cannot determine that they are being conned.
Aah, change is good. -- Rafiki
Yeah, but it ain't easy. -- Simba
Yes, it is. (a leat version 3.4.0)
You mean PhP - phirst post.
You really think most people end up on malicious sites intentionally?
TOOLS -> OPTIONS -> WEB FEATURES -> ADVANCED
check or uncheck as needed
I am sure someone can post the direct about:config settings as well...
"While I agree that some people are unaware of that, they probably ought to stay away from malicious sites to begin with." Because we all know the users can tell the difference between the real thing and the malicious site, unless of course your method of staying away has them disconnecting their internet connection.
Who knows if Konquerer is affected? Who cares? It's not like this is some new vicious security flaw that lets people install trojans or viruses... it's normal, existing behavior that some paranoid person decided was bad.
Sounds like the people over at Opera decided "you know, popups don't typically tell the user where they originated... lets change Opera so it does, then blast all the other browsers for the "newly" discovered security risk!" Sounds fishy...
Nothing new here... just attention.
You are forgetting that the normal way in which browsers have presented HTTP authentication for years is in a popup window. I'd expect many people to have logged into legitimate sites with what appears to be a popup to them.
What's a "malicious site"? There have been worms and viruses that insert malicious code into whatever HTML they can access. Suddenly, the definition of "malicious site" includes the website of every organisation that is susceptible to worms and viruses.
man, thank god i am still using lynx.... I was worried when they said major.
Actually, this attack doensn't work "well" with Firefox on Mac, which uses sheets to display JavaScript dialog (alert, promt, confirm). By tying the dialog to the window, it becomes visually obvious which window the pop-up belongs to.
Now why doesn't Safari use this? Seems strange Apple wouldn't use their own UI convention.
I agree that this is an issue, but saying this is a vulnerability in the browser seems a little odd. It feels a little like saying that your email program displaying phishing emails is a vulnerability in the email program. I'm not saying that this isn't something that could be addressed by a change to the browsers, but the headline (and TFA) make it sound like the code in the browsers is faulty.
If Secunia is reporting it, why not link directly to Secunia?
n _vulnerability_test
http://secunia.com/multiple_browsers_dialog_origi
I've never understood the reason to link to ZDnet first. Especially when we are all a technical crowd and can deduce the severity on our own.
In my own opinion, the security community has been really scrambling to find exploits and vulnerabilities since the release of Windows XP SP2, which, despite a lot of compatibility issues with common software, has been very effective in slowing down the growth of zombie networks. In short, Microsoft finally got something right, and those that are in IT security for the sole reason of bashing MS to make a buck, are having a hard time doing so.
This is a phising technique that can be used to get a username/password from like a credit card or bank website, but that's about it. You'd be hard pressed to get this to compromise a local machine, although I'm interested in what would happen if someone tried calling a local zone page (like a help file) and then executing the javascript from that page. There was a similar exploit that used this delayed tactic last year that Microsoft didn't fix for probably 3 months. It was a 0-day exploit too, it was found in the wild, spreading via IRC, before anyone reported the vulnerability.
This is exactly why I disable Java and Javascript in whichever browser I use. Once I did that I have had alomost NO problems.
I happen to use Firefox with a nice little plugin called "NoScript" which allows controlled enabling of Javascript for those few times I "have" to have it because the site won't function correctly without it.
(1) elinks
(2) lynx
And all this time I thought JS Popups were a flaw all by themselves.
Find coupons in Greeley
Open about:config . You'll probably have to type that, Mozilla won't follow it from an http: URL.
Key in dom.disable_window_open_feature as a filter.
Change the value for location to true. In Firefox, just double-click the false and it will toggle. Mozilla you need to edit it and actually type in all four letters of true. (But I'm happier with the Mozilla suite at the office, so I live with it.)
Change any other values to true that you feel like; I'd be inclined to do status, resizable, close and menubar at a minimum.
Now the location will be visible in any pop-up window.
So the very first thing the Moz group should do is default some of this stuff to true instead of pander to controlling webmasters who want to take over the user's computer. I mean false.
It cracks me up, because they probably have an obsessive/compulsive, socially-maligned programmer within Secunia that just delights spending 16 hours a day trying to twist the browsers into doing what he wants. And then Secunia announces these flaws to save their reputation because nothing else is going on.
I'm sure you are absolutely right. And hopefully he'll keep doing it because you there are crackers, phishers, and criminals out there who delight in spending 16 hours a day trying to twist browsers into doing what they wants. If Secunia is a bit obsessive in their red team activities against computers, then we can hope that they uncover exploits (and motivate patching or disabling of exploitable features) before they appear in the wild.
I, for one, welcome information on what computer software and features can or cannot be trusted.
Two wrongs don't make a right, but three lefts do.
I would like to see an option to allow Javascript to be enabled on a site-by-site basis (default mode would be javascript disabled, allow the user to enable javascript for a list of 'trusted sites' ).
this "vulnerability" is like saying a banking company has a security vulnerability because some peon is pretending to be the CEO
mod +1 next story please
It may be possible for JavaScript to help evil-doers but it's up to the implementer of the Application using the engine to avoid that, not the language or its core developers. If every invention that could potentially be used for evil was struck down there would be nothing left. JavaScript can do plenty of good and the developers of the open source engines have gone out of their way to make it well documented, embeddable and extensible so you can add it to almost anything that needs a little help with a language parser. In fact, I myself have recently added JavaScript to the Asterisk PBX system to drive IVR and it works quite well without much concern for exploits. RES_JS for Asterisk: http://www.cluecon.com/res_js.html
It's interesting to see that *all* browsers are vulnerable to it... each making the same mistakes as the other.
...but I'm still not going to buy your browser.
Mods: Do you disagree with me? Go ahead and mod me down. Meta-mods will sort it out. Good luck!
My share broker's site used to use a Javascript popup for login, then resize the Window you'd opened it from to suit their page. It didn't work properly with the default security settings in Firefox, so I persistently complained about it until they provided an alternative login mechanism without any popups or resizing. The old login method is still there in the form of a big Login button on the left side of their front page, though why anyone would use it instead of the Username and Password boxes in the top right, I don't know.
yeah, nobody uses javascript popups for logins
On another note, when will sites stop relying on freaking popup windows. Besided being blocked by many normal people, they are a real pain and always seem to have bugs associated with them. If you can't design your website to a full browser window, you shouldn't be designing websites!
-- these are only opinions and they might not be mine.
What's a popup? I haven't seen a single browser popup in at least 3 years now with any of my browsers.
Netscape Communicator 4.x had this handy shortcut to toggle the status bar on ANY browser window, including pop-ups. I am still anxiously awaiting for whenever this feature will "return" to Netscape / Mozilla / Firefox.
"several popular browsers contain a vulnerability that could allow a phishing attack."
For IE this is by *design*.
Who else would present a Javascript warning-box (if so configured), so I can deny it's execution, *without* supplying the origin of that script, and even before IE's caption-bar shows the (most likely) source of it ?
Please, do not spread FUD : this isn't a vulnerability, this is a *feature*.
"Major Browsers Have JS Pop-Up Flaw"
..... They implement it! ;)
They sure do!
[alk]
I've gotta admit, these GNAA "articles" are actually starting to be funny.
I hate grammar Nazi's.
Yeah! How could anyone be that stupid? I mean we're all taught from the moment we're born that it's not safe to login to something via a popup window. Even my grandma could tell you that.
Doesn't it make you feel good to know that our freedoms are protected by politicans, lawyers and journalists.
I tried it out on Konqueror 3.4.0 and it is also affected. The only minor change is a blank popup window opening together with the javascript query.
Hack your mind out of its sandbox.
Cookies are evil! And should be disabled!
A dialog box is 'owned' and drops down modally on top of the window that 'owns' it.
A new window is a new window and opens below (if there's room) and to the right (if there's room) of the requesting object window regardless of the amount of gadgetry on it (like title bars, buttons, window styles.)
Its always possible to fool somebody and they'll possibly be fooled into revealing their personal data, but eventually the problem will take care of itself hen these people and bust-ass broke and smothered in spam.
There's only so much people can do with a stateless environment. This would be a problem regardless of the language used (both computing & human), the browser used or the platform used (both hardware & software.)
At some point, people will realize this and stop trying to do the impossible.
Transactions are 'transactions'. That means that they have a 'commit point,' which means that they need a state engine which runs from the beginning of the process to the end of the process.
And yes, it CAN be done over the internet over a secure connection. But the control has to shift to the transaction machine while the transaction is going on. Neither you or anyone else should never be able to spawn a new GUI window while the transaction is happening.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
I keep clicking the "OK" in your message, yet no virus scan has started. Do you have an .exe I can run instead?
...a problem was discovered and Opera got it fixed quickly. So now you're complaining? :-)
Coder's Stone: The programming language quick ref for iPad
These security flaws do not seem to affect Lynx as often. I rarely have a new terminal "pop-up" while browsing with Lynx.
One ring to bind them - should probably have more fiber and less rings in their diet.
he problem is that JavaScript dialog boxes do not display or include their origin,
I can assure you that even if they did contain their origin, it would still not make much of a difference--most users wouldn't bother to look.
Maybe what we need is a secure web standard, something that runs only over https, uses strict XHTML, dispenses with JavaScript, pop-ups, frames, and popups, and is used for banking and similar applications. Preferably, that should be a separate browser.
Just followed your link - what a superb plugin. I need Javascript for a Web application but hate it on most sites.
Thanks for posting the link!
1000s Warcraft Gold while you sleep
Lordy...
This one is kind of funny with the "Apple hit WTC" thing, kind of like the new Nazi reference (for which, we'll have to have some kind of Godwin's law). There was one awhile back with "six barrels of nigger cock fury", which is definately worthy of some kind of pr0n movie title.
For all the angst and turmoil, there's some pretty creative 14 yro kids out there...
I get phishing attacks using techniques similar to this all the time. Being somewhat of a security guy, I always click the link and take a look at the techniques that particular phish is using. Lately, a lot of them have spoofed address bars (using javascript) that try to cover up the real address bar with something like "https://paypal.com/login.html". The interesting thing is that Firefox doesn't display the spoofed bar at all. It usually doesn't look very good in IE, since it uses absolute coordinates to position the spoofed bar, and if you have any extra toolbars, it won't show up in the right spot.
Yet another reason to disable Javascript. Only enable it manually for sites that require it. For a long time I did not understand what all the fuss over popups was about. I didn't see any.
Now, wait a minute. Isn't this just sensationalism? To me, a vulnerability is an buffer overflow, or something real. This is just generally bad design. Essentially, they are saying a window that doesn't show where it is from is a vulnerability in browser software? In that case, nearly every windowing system (Windows, X, Aqua, etc) have this 'vulnerability'. It's not hard to pop up a window that on the surface appears to be part of another app.
So again, explain to me how this is a vulnerability. I think MS said it right when they said:
So, even if this is a vulnerability that merits a software change in browsers... which I don't believe is the case... The only real solution is annoying text/windows/popups telling the user 'This window was popped up by Frame7, beware'. Which, they will ignore anyway. Look at the history. Users just hit OK.
With stories like this, I could call myself a security firm and publish vulnerabilities like this every hour on the hour. Then I too, could write scary papers that put fear into the masses for no reason.
Wow, sounds like the United States.
Keith
And this is a troll because?... Someone got careless with the mod stick, I think.
I want a window manager that draws lines between parent/child windows, parent/child processes. While we're at it, how about one that lets me click one window, then drag all the windows in the group as one, maintaining relative position? Yeah, I want to drag windows around, and save their positions with the window manager, then open that state with a single click on a desktop menu. While we're at it, I want the groups to include arbitrary windows from multiple apps. So I can open a "workplace", and immediately begin working in a familiar environment. If this works, how about letting me drag a line from any window to another, piping STDIN/OUT/ERR between processes? If I can minimize the windows into icons, my window manager is now a visual programming environment. Which, to come full circle, could let me as a user tell by looking which info is tainted by which untrusted windows and datapaths, including innocent-looking JS popup windows.
--
make install -not war
Who still uses javascript popups for responses? That reminds me of the old sites that would pop up and say "please enter your name" and then the webpage would show your name... "Welcome fred durst" Now i just cancel those boxes... infact they should delete that function all together in javascript.
In the latest news, a security flaw has been revealed in all known browsers. The vulnerability is a weakness in the veracity-sensor code. Apparently information provided and displayed to the user does not have to be true. Unfortunately, this means millions of users are being tricked into...
THIS, is precisely why I continue to use Mozilla over an of the other browsers (and contrary to popular "opinion", Mozilla is NOT the same as thing Firefox. Mozilla excels in speed, features, and granular configurability).
I know, I know, I must be new here. But it was a very short article, and right near the bottom it says this (bold text is mine):
"Once these things are discovered, there's a rush as everyone tries to fix the problem," Christen Krogh, Opera's vice president of engineering said.
Krogh also pointed out that Secunia had rated the vulnerability as "less critical."
"This could fool some users into giving out some data to a site that wouldn't otherwise be able to get that information. But it doesn't seem like the most important issue," Krogh said.
So what does this tell us?
- The folks somehow blaming Opera for this announcement obviously didn't read past the first couple of paragraphs of this very short article.
- The folks who are saying "JavaScript is bad" obviously didn't read... okay I'm sure they just saw the word "JavaScript" and went off from there anyway. Hey, guys, enjoy your static black text on white background pages - and we'll see you in the unemployment line. Any ideas on how to manipulate the DOM without JavaScript?
- While I agree MS shouldn't blow this off, they're probably still busy patching some of those more critical problems.
- Once again, end user education is probably the answer.
#DeleteChrome
Is what ever happened to their "one million download challenge", which promised that the CEO would swim from Norway to the USA? There was briefly mention of it on their site, but now... nothing.
Meh... I guess I shouldn't have expected much...
Place sig here.
I thought Safari fixed this many months ago, with a change whereby the JS alerts come down in the form of sheets attached to the window/tab to which they correspond? I could swear there was a /. piece on exactly this.
Or maybe I'm clued out and this is something different?
-b
myselfmusic
My browser crashes nearly once a day due to that extension. It's buggy, but it's still worth having it installed.
The global economy is a great thing until you feel it locally.
What the hell is that? It's Offtopic and Flamebait.
If you can hack the commercial website and replace their page with yours, why would you need this phishing technique? Just have their server-side script send the username/password to you directly.
Karma: -2147483648 (Mostly affected by integer overflow)
If you have a visual rather than a list as a search engine then it can stop all Java Pop-Up activity. It can stop anything because it scans each page. Try it out. It's on download.com free. http://www.download.com/ViewFour-com-ViewSmart/300 0-8022_4-10406154.html?tag=lst-0-18
Here is a description...
ViewSmart by ViewFour.com is Web-based software that visually displays search results found in Google, MSN, eBay, and other search/e-commerce engines in a multi window environment (2-50). By visually displaying results you get to see your searches rather than having to click back and forth through them. This slick new method of searching the Web also removes the potential dangers of surfing the NET. The software scans each Web page prior to displaying it and stops all hidden and or malicious files from being automatically downloaded without your knowledge. If a page fails the scan, a large red border and stop sign will appear around the window. This means you are protected from contracting viruses, adware, spyware, and other forms of malware while surfing the Web.
Version 2.94 improves malware scanning engine.
I think so.
4 0&tid=154
http://slashdot.org/article.pl?sid=05/06/22/17332
FROOZST
That was my 7 letter image authentication thing for slashdot!
Who can do better?
'Nuff said
Due to sheets you can clearly see the window the JavaScript dialog belongs to.
I keep clicking the "OK" in your message, yet no virus scan has started. Do you have an .exe I can run instead?
Sure, just turn on your TV and wait for the stopsign spyware commercial.It must be Windows. It needs half a gig of RAM and a hardware-accelerated graphics card just to run Solitaire.
Thanks once again to /. for this wonderful piece of non-news that was reported 4 days ago...
(3) OffByOne
Doesnt this just move the problem onto the computer user rather than the computer?
If the browser has displayed a dialog box that appears to be from the web site I am browsing, I cannot closely check the name for what might be a single character change every time.
When I run the test, I get this in my JS Log: Unsafe JavaScript attempt to access frame with URL http://www.google.com/ from frame with URL http://www.google.com.secunia.com/tests/origin_spo of.php. Domains must match.
or hire someone else to do it ;-)
"Journalist"
What I highly friggin overused term.
s'wut i sed.
Next week: Firefox 1.0.5 released, to patch security problem. Next year: Microsoft releases new version of IE to fix multiple vulnerabilities discovered throughout 2005.
Nothing to see here. Move along.
The writeup claims that Camino is affected; it is not, since it uses OS X sheets to present javascript dialogs. The dialog is attached to its parent window, which makes it pretty difficult for people to get confused. ;)
Thank you, hkmwbz. You really are a regular clown in any vaguely Opera related article's discussion, aren't you?
For the info about who reported the vulnerability--thanks. That does make the conspiracy theory seem less likely.
For totally missing the bigger point--also thanks, I would have expected no less from you based on your past posts.
The behavior described is not a bug. As countless others also pointed out, it is at best a design flaw. So calling it a bug, or a vulnerability, or anything else along those lines is just really really mind-numbingly dumb.
But I guess to an Opera zealot it's all the same so long as Opera "fixed" the "bug" first.
Akarsz Magyar Gentoo fórumot? Akkor
I'm waiting for the vulnerability alerts based on site content.
ALERT: All major browsers are affected by a critical issue whereby a site's claims of having the lowest price may not be true. Affected users may pay higher than market prices for goods.
Has ANYONE of you, ever fell to phishing exploit?
Or is that reserved to the utterly plain stupid?
ie. short of double clicking an email attachment.
Google is your friend: http://www.opera.com/swim/
so you don't have to login twice, which would make some people suspicious
Nah, just forward the assumed correct information to yourself and forward known incorrect info to the real server. That way the (l)user just assumed they did a typo on their password, and will have no problem reinputting the information.
i'm running firefox 1.0.4 and the secunia test didn't work for me. i noticed that there was a brief flash of the 'firefox has blocked this popup' just after i clicked the link, just before google appeared... so i allowed popups from secunia and then it DID work.
so is this only an issue for sites that you have specifically allowed popups from? ie. sites you probably trust anyway?
"if i'd known it was harmless, i'd have killed it myself"
https://addons.mozilla.org/extensions/
If it were done when 'tis done, then t'were well it were done quickly... MacBeth
So in other words... they filmed a couple of their people splashing around in the water for a bit, punctured the raft, and came up with a "dramatic" story :)
:P
Nice big PR grab....
Place sig here.
I don't know howto write extensions for Firefox, so I can't try this myself, but I am wondering, can't you just disable the javascript popup features? I'm sure you could do this using GreaseMonkey.
Firefox already has a built-in popup blocker anyway, shouldn't it cover all javascript popups?
Even if firefox is vulnerable, get this excellent extension and solve your problem. Happy browsing!
It was all in good fun. Anyone who takes it seriously needs to take a step back and reevaluate their thought process.
OmniWeb 5.1.1b2 loads "www.google.com" and gives me the pop-up, but the very top line of the pop-up reads "www.google.com.secunia.com". That's a pretty strong hint that the pop-up isn't really from Google.
:|
Unfortunately, I didn't see OmniWeb mentioned in the Secunia advisory; I guess we don't have enough market share.
It just opens a small window that's sufficiently small to be obscured by the dialog box. But this is old news, it's been an issue since Netscape first added target="_blank" and javascript. Though as I recall, they were smart enough in the old days to prevent the newly opened window from being really small. They also prevented it from being moved off-screen. Don't know if that's possible these days or not.
Thanks to QuickTabPrefToggle, I see the actual URL of http://www.google.com.secunia.com/tests/origin_spo of.php
Also, middle-clicking for a new tab (which is how I almost always surf) bypasses the attack altogether.
Nothing to see here. Move along.
I guess Secunia couldn't be bothered to check the current public version of iCab. When I ran their test, the "spoofing" URL was clearly displayed at the bottom of the "login" dialog their javascript popped.
Was there ever any doubt that it is simply impossible to swim from Norway to USA?
and of course very, very alpha...
but at least it won't crash safari - and the column view is the best display for directory-structures anyway.
http://lixlpixel.org/webfinder/
(actually i think it works only in Safari so far)
I have always worked around this in IE by pressing control-N to re-open the window in a normal browser window that shows me the address.
I'm not sure if there is another workaround for the Firefox related browsers, but a control-N only opens a blank window -- I can do that by reclicking on the IE-icon, or typing a web-addr into the "Address-bar" on Windows. It'd be much more useful if it opened a new window with duplicate context. I'm
always using that feature when using Google. I have Google set to open results in a 2nd window. Often, I want to keep one or more result windows open -- and Google re-uses the original 2nd window it popped open. Pressing control-N, gives a dup of the result, freeing the "2nd window for re-use by Google. Another use -- sometimes a site opens a 2nd window of a fixed size. Unfortunately site designers haven't gotten the concept of "DPI". Even though the text is enlarged because the OS recognizes the DPI setting, the sites don't resize windows, widgets, frames, etc. Thus text gets cut off or is unreadable. Easy workaround -- just re-open the window and resize it.
Firefox and related don't seem to have this ability. I consider it a security risk as well as it being usability unfriendly to those using higher DPI screens. Is there a workaround for Firefox and related browsers?
If there isn't a workaround for Firefox/Moz/Safari/Netscape, I'd say that
was a valid security complaint. It's even worse that this security risk
is "old news". So much for fast security fixes w/open source.
-l
No, but I was looking forward to watching him try :)
Place sig here.
Is it just me, or are other Firefox users experiencing frequent crashes when applying NoScript to Web sites? Is this a bug or a safety feature?
Goddamned kids! Get off my lawn!