Do browsers ignore window parameters when opening new windows via javascript? - javascript

I'm opening a popup window via javascript. I'm trying to set some of the display parameters - specifically we want to hide the location and statusbar, but every browser I've tested this in, the location and status bars still display.
My code looks like this:
newwindow=window.open(url,'name','height=250,width=290,left=200,top=200,location=no,resizable=yes,scrollbars=yes,toolbar=no,status=no');
Any ideas? The client is insisting on a popup window, rather than a hover tooltip.

The browsers have stopped listening to some of the parameters for security reasons. For example, FF3+ and IE6 / 7+ force a location bar to prevent scammers pretending to be a site they're not.
Related: The Internet Explorer 7 Security Status Bar
Whenever you are visiting any website, you should look at the full address (URL) for the site to understand what website you are looking at. IE7 helps you by enforcing the presence of an address bar in every window, but you still may need to scroll through it or maximize the window in order to view the full address.
If you need more freedom, and happen to have some control over the user's computer (e.g. in a closed intranet), there are solutions like Mozilla Prism that allow a web site to appear rather like a desktop application. But those are highly specialized solutions unsuitable for normal web sites.

Yes, some parameters are disabled. The reason is that it should not be possible to open a window that pretends to be something else.
The exact rules depend on the browser, the scope of the page (intranet/public), and the user settings. Most browsers won't remove the address bar, so that you can always see where the page is coming from.
You can for example read here about the restrictions in Internet Explorer.
Some quotes:
"Internet Explorer 6 for Windows XP SP2 requires that the window title bar and status bar are always in the visible area of the display; if the address bar is displayed, it must also remain visible. By placing these restrictions on script-opened windows, the Window Restrictions security feature prevents malicious code from hiding information and from spoofing user interfaces. The Window restrictions feature is on by default for the Internet zone, and the feature is off by default for the Local Intranet and Trusted Sites zones."
and:
"The status bar is an Internet Explorer security feature that provides the user with Internet Explorer security zone information. Prior to Internet Explorer 6 for Windows XP SP2, the status bar could be hidden from the user by scripts that call the window.open method. With the status bar hidden from view, users could be deceived into thinking that they were on a trusted site when they were actually interacting with a malicious host.
With window restrictions in place, the status bar cannot be turned off for any window created by the window.open method; it is always visible for all Internet Explorer windows. The zone information that the status bar contains cannot be spoofed or hidden from view, so that the user always knows in what security zone the content is being displayed."
This is about IE 6, as that's when this was introduced. There were some further changes in IE 7, but that mostly has to do with how the navigation changed, making some parameters of the open command work differently or being obsolete.

Due to changes in security models, it's not possible to have a totally chromeless popup window any more, and attempts to strip all the chrome off will simply be ignored. Have you considered using jQuery to create a pseudo-popup that is skinned to look like a window, and giving it drag handlers and a dismiss button? You could gracefully degrade to a standard pop-up.
http://jqueryui.com/demos/draggable/

Most browsers display the location bar and status bar by default, and also make it impossible to override window.status. This is done for safety (to guard against phishing).

Some more specific information on how a user can change the setting that allows the status and/or address to be set by Javascript to hidden or visible:
From the 'custom level' dialog from the IE security tab - scroll down to:
"Allow websites to open windows without address or status bars"
Depending on whether this is set to Disable or Enable, you will see different behavior from your application.
To my knowledge this applies to IE7, IE8, and IE9
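To make the answers above concrete, here is an added example (not code from the question or any answer) that parses a window.open() features string and reports the chrome-hiding requests a browser enforcing these restrictions will not honor. The `ENFORCED_CHROME` table and both function names are assumptions drawn from the answers on this page, and the value rules are a simplification of what browsers do.

```javascript
// Added example: audit a window.open() features string against the
// restrictions described in the answers on this page.
// ENFORCED_CHROME is an assumption taken from those answers, not a browser API.
const ENFORCED_CHROME = new Map([
  ["location", "address bar is kept so the user can see where the page comes from"],
  ["status", "status bar cannot be turned off for script-opened windows"],
]);

// Split "a=1, b=no,c" into a Map of lower-cased name -> boolean.
// Simplified value rules: a bare name, "yes", "true" or a non-zero integer
// mean on; anything else ("no", "0", ...) means off.
function parseWindowFeatures(features) {
  const parsed = new Map();
  for (const token of String(features).split(",")) {
    const [rawName, ...rest] = token.split("=");
    const name = rawName.trim().toLowerCase();
    if (!name) continue; // skip empty tokens such as a trailing comma
    const value = rest.join("=").trim().toLowerCase();
    const on =
      rest.length === 0 || value === "" || value === "yes" ||
      value === "true" || (Number.parseInt(value, 10) || 0) !== 0;
    parsed.set(name, on);
  }
  return parsed;
}

// Return the requests to hide chrome that will not be honored where the
// restrictions apply (for IE, the Internet zone by default).
function auditWindowFeatures(features) {
  const findings = [];
  for (const [name, on] of parseWindowFeatures(features)) {
    if (!on && ENFORCED_CHROME.has(name)) {
      findings.push({ feature: name, reason: ENFORCED_CHROME.get(name) });
    }
  }
  return findings;
}

// The features string from the question above.
const asked =
  "height=250,width=290,left=200,top=200,location=no,resizable=yes," +
  "scrollbars=yes,toolbar=no,status=no";
for (const f of auditWindowFeatures(asked)) {
  console.log(`${f.feature}=no is not honored: ${f.reason}`);
}
```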

Related

How to prevent firefox window manual resizing?

I use the last Firefox release (45.02) on Windows 7.
I want to prevent the user from manually resizing the window. I have a non-responsive GUI, and I want to fix the browser interface.
I can't use the javascript resizeTo(...) function because of MDN docs
You can't reasonably do this. Which is a Good Thing. The user is in control of their browser, not you.
You can control the size of a popup (including whether it can be resized), within reason, so temporarily while you sort out the responsive thing, you could provide users a link to open a window in the size you want:
Open window in XxY for best experience of this site.
then
document.getElementById("open-window").addEventListener("click", function() {
    window.open("http://example.com", "", "width=640,height=480,resizable=no");
}, false);
Note that some browsers may still allow resizing, either in the normal way or via a small "grippy" (as the Firefox folks call it).

Browsers security in fullscreen players

This question is just something that I want to know (nothing is broken in code yay)
In most browsers, going to fullscreen causes a security annotation to come (in most cases) from the top of the display.
I cannot understand why it is suspicious. Could you share your knowledge about why it is less secure to view (for example) a video in fullscreen mode?
The browser chrome is a trusted security indicator, and full-screen mode hides that indicator.
If a page could enter full-screen mode without the browser notifying the user, a malicious page could enter full-screen mode, draw Chrome's address bar, and look exactly like a Google login page to trick the user into giving their password.

JavaScript: Status bar not displaying mouseover text with links IE9

When running the below code, it fails to display the text I wrote. Instead, it displays in the status bar the URI of the link. Why is this happening?
link here
window.status isn't a standard property. It has been eliminated for security reasons. You can't do that on modern browsers (including IE9).
You'll have to find another solution, for example making a small div at the bottom left corner:
<a href="link"
onmouseover="document.getElementById('status').innerHTML='your text';"
onmouseout="document.getElementById('status').innerHTML='';">link here</a>
<div id=status style="position:fixed;bottom:0;left:0"></div>
Being able to modify the status bar information is an excellent way to mislead users into thinking that a link will take them to Place They Want To Be instead of Place That Will Steal Their Password… so browsers don't let page authors mess with it any more.
Internet Explorer 7 limits the ability of Web pages to use scripts to write information to the status bar. This ability is restricted by default for the Internet Zone, and is subject to user-configurable settings for Trusted and Restricted Sites Zones. This is part of the work to ensure that users are not misled by Web pages. Calls to window status will fail silently in cases where updates are not allowed.
— Security and Compatibility in Windows Internet Explorer 7
HTML has a title attribute designed specifically to provide advisory information about an element. Use that to display status information.
link here

Firefox : Force full-screen mode from webpage

I am developing a web-based database that needs to be opened through the Firefox web browser (because of some CSS3 elements). I want the page to open automatically in full screen mode. I don't want the user of the database to have access to the Firefox menu items.
Can't be done if you just have control of the webpage. Controls in the webpage cannot cause changes in the browser instance itself.
It would be a security issue if that were allowed. You could look into writing a Firefox extension to do that, as they have more access to the browser instance itself.
You shouldn't look at trying to hide the firefox menu controls. That seems like a flaw in your problem-solving approach.
You will want to look at Fullscreen APIs of the browser. If you accept a small request/info to the user in the application it can be done quite easily. You just can't force the user into Fullscreen mode against his will. This is good (for security reasons).
http://hacks.mozilla.org/2012/01/using-the-fullscreen-api-in-web-browsers/
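The approach in the last answer, as an added example that is not part of the original posts: request fullscreen only from the user's own click and handle the browser refusing. The function names and the element ids `go-fullscreen` and `app` are assumptions; `requestFullscreen()`, `fullscreenchange` and `fullscreenElement` are the standard Fullscreen API.

```javascript
// Added example: enter fullscreen only in response to a user's click and
// cope with the browser saying no. Resolves to "entered", "unsupported"
// or "denied" instead of throwing.
async function enterFullscreen(element) {
  if (!element || typeof element.requestFullscreen !== "function") {
    return "unsupported";
  }
  try {
    // Rejects when the call is not tied to a user gesture or the
    // user/policy blocks fullscreen; the page cannot override that.
    await element.requestFullscreen();
    return "entered";
  } catch (err) {
    return "denied";
  }
}

// Wire a button so the request happens inside the click handler, and report
// when the user leaves fullscreen (Esc always works; the page cannot stop it).
function wireFullscreenButton(doc, buttonId, targetId, onResult) {
  const button = doc.getElementById(buttonId);
  const target = doc.getElementById(targetId);
  button.addEventListener("click", async () => {
    onResult(await enterFullscreen(target));
  });
  doc.addEventListener("fullscreenchange", () => {
    if (!doc.fullscreenElement) onResult("exited");
  });
}

// In a browser: assumes <button id="go-fullscreen"> and <div id="app"> exist.
if (typeof document !== "undefined") {
  wireFullscreenButton(document, "go-fullscreen", "app", (state) => {
    console.log("fullscreen:", state);
  });
}
```

On "denied" or "exited" the application should keep working in the normal window rather than retrying in a loop.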

Remove Address bar from popup window using Javascript

Is it applicable to remove the address bar from a popup window using JavaScript?
ex:
window.open(url, 'liveMatches', 'width=720,height=800,toolbar=0,location=0, directories=0, status=0, menubar=0');
Please advise.
use jquery ui (http://jqueryui.com/demos/dialog/)
or perhaps
window.open(url,'liveMatches','directories=no,titlebar=no,toolbar=no,location=no,status=no,menubar=no,scrollbars=no,resizable=no,width=720,height=800');
actually
You cannot remove the address bar in modern browsers. That is a security measure. The user must always know what page they are on. The address bar also lets the user know what type of security is on that page (HTTP or HTTPS).
Theoretically, yes. However, as with everything in Javascript, there's no guarantee that any given browser will support it or that the implementation will be consistent across browsers.
This link as well as this link indicate that the location option should control whether or not the Location/Address bar is shown. It should also have relatively good cross-browser support.
