From MozillaZine Knowledge Base

Background

One of the hazards of allowing Mozilla browsers to render remote XUL is that it becomes exceedingly easy for third parties to spoof parts of the browser UI. Steps have been made to make it easier for users to tell the difference between local and remote XUL, and this preference is an artifact of one attempt.

Bug 22183, which deals with the XUL spoofing issue, was a security-sensitive bug until mid-2004. Once the bug was public (and perhaps spurred by a Secunia advisory and Slashdot article), a good deal of discussion ocurred on how best to approach the problem.

One suggested solution was to require the Location Bar always be present on popup windows. A step beyond that was to prevent the HTTP Basic Auth username and password from being displayed there, to prevent obfuscating the originating server. Ben Goodger implemented this latter step in a patch and included this preference to disable the behavior.

A different patch was eventually applied that did not use this preference. However, the default value for the preference was checked in, resulting in a defunct about:config entry.

Caveats

• As mentioned above, this preference has no effect in any officially released Mozilla product.

Previous effects

True

Don’t display the HTTP username and password in the read-only Location Bar for popup windows. (Default)

False

Display the original URI in the Location Bar as normal.

First checked in

2004-09-06 by Ben Goodger

Has an effect in

• No products are affected by this preference

Related bugs

• Bug 22183 - UI spoofing can cause user to mistake content for chrome

Related preferences

• browser.fixup.hide_user_pass
• dom.disable_window_open_feature.location
• network.http.phishy-userpass-length

External links

• Secunia - Advisories - Mozilla / Mozilla Firefox User Interface Spoofing Vulnerability