Review Request: Prevent Konqueror's address bar from being hidden by default

Dawit Alemayehu adawit at kde.org
Tue Jul 31 16:32:09 BST 2012


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
http://git.reviewboard.kde.org/r/105749/
-----------------------------------------------------------

(Updated July 31, 2012, 3:32 p.m.)


Review request for Dolphin, KDE Base Apps and David Faure.


Changes
-------

After lots of iteration and fixes, here is the final version of the patch. Apparently, there are many ways to create a new window from a part besides simply calling KPart's createNewWindow signal. As such, the new patch reflects the need to account for those as well as to ensure Konqueror's behavior completely matches that observed in Firefox and Chromium. The expected behavior of popup windows as observed in the other browsers is reflected in the scenarios listed under the "Testing Done" section.


Description
-------

The attached patch attempts to resolve a security concern in Konqueror when browsing the web. The concern arises when a website, through the use of the JavaScript window.open API, requests the creation of a new window (popup window) with all its toolbars disabled. When Konqueror gets such a request, it simply disables all toolbars in the main window, including the one that contains the address line edit widget. This is a problem because it makes it possible for sites to spoof the user into providing personal information by mimicking a native input dialog such as the password dialog.

As such this patch attempts to solve the problem in the same manner it seems to be addressed in other major browsers such as Firefox and Chromium. Namely, Konqueror will no longer hide the toolbar containing the address line edit widget by default. The user must explicitly override the default settings by adding the following configuration option to konquerorrc:

[DisableWindowOpenFeatures]
LocationBar=false
    


Diffs (updated)
-----

  konqueror/src/konqmainwindow.h fd007e8 
  konqueror/src/konqmainwindow.cpp 081509e 

Diff: http://git.reviewboard.kde.org/r/105749/diff/


Testing (updated)
-------

TEST SCENARIOS:

1. Click on a link with its target property set to "_blank" in the popup window.
2. Middle click on a link.
3. Select text in the popup window and select "Search Google for...".
4. Right click on a link and select "Open in New Tab".
5. Press CTRL+T in the popup window.
6. Press CTRL+N in the popup window.
7. Press (ALT/CTRL)+Enter while the address widget has the focus.

EXPECTED RESULTS:

1. Depending on user's configuration, a brand new (non-popup) window or a new tab in the window from which 
    the popup originated showing the contents of the link that was clicked.
2. Same as #1.
3. Same as #1.
4. A new tab showing the contents of the link in the window from which the popup originated.
5. Nothing (ignored).
6. A blank non-popup window.
7. Treat it as if only Enter was pressed.
   
EXPECTED RESULTS (after closing the window from which the popup originated):

1. A new non-popup window showing the contents of the link that was clicked.
2. Same as #1.
3. Same as #1.
4. Same as #1.
5. Nothing (ignored).
6. A blank non-popup window.
7. Treat it as if only Enter was pressed.


Screenshots
-----------

before the change
  http://git.reviewboard.kde.org/r/105749/s/645/
after the change
  http://git.reviewboard.kde.org/r/105749/s/646/


Thanks,

Dawit Alemayehu
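
The policy described in this message, sketched as an added example (not part of the original e-mail and not Konqueror's code): a page-supplied window.open() feature string may hide other bars, but the address bar stays visible unless the user has set the konquerorrc override. WindowChrome, parseFeatures, chromeForPopup and allowHideLocationBar are hypothetical names, and treating unlisted bars as off once a feature string is given is a simplifying assumption.

```cpp
#include <algorithm>
#include <cctype>
#include <map>
#include <sstream>
#include <string>

// Hypothetical type: which bars the new window will show.
struct WindowChrome { bool menuBar = true, toolBar = true, locationBar = true, statusBar = true; };

// Parse a window.open() feature string such as "toolbar=no,location=no".
// A bare name ("toolbar") counts as "yes"; numeric sizes parse as false and are ignored.
static std::map<std::string, bool> parseFeatures(const std::string &features) {
    std::map<std::string, bool> out;
    std::stringstream ss(features);
    std::string token;
    while (std::getline(ss, token, ',')) {
        token.erase(std::remove_if(token.begin(), token.end(),
                    [](unsigned char c) { return std::isspace(c) != 0; }), token.end());
        std::transform(token.begin(), token.end(), token.begin(),
                    [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
        if (token.empty()) continue;
        const auto eq = token.find('=');
        const std::string name = token.substr(0, eq);
        const std::string value = eq == std::string::npos ? "yes" : token.substr(eq + 1);
        out[name] = (value == "yes" || value == "1" || value == "true");
    }
    return out;
}

// allowHideLocationBar models the user's explicit konquerorrc override
// ([DisableWindowOpenFeatures] LocationBar=false); it is off by default.
WindowChrome chromeForPopup(const std::string &features, bool allowHideLocationBar = false) {
    WindowChrome chrome;
    if (features.empty()) return chrome;  // no feature string: ordinary window
    const auto req = parseFeatures(features);
    auto on = [&](const char *name) {
        const auto it = req.find(name);
        return it != req.end() && it->second;  // assumption: unlisted means off
    };
    chrome.menuBar = on("menubar");
    chrome.toolBar = on("toolbar");
    chrome.statusBar = on("status");
    // Page-controlled input can hide the address bar only with the user's override.
    chrome.locationBar = on("location") || !allowHideLocationBar;
    return chrome;
}
```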
