This is the simplest and least interesting attack vector: if your Firefox defaults to opening popups in new tabs, this will spawn a window with blank URL bar, and "reload" button disabled. This can be used to evoke a false sense of security or authority in casual users:

Next is a demonstration of an ages-old UI spoofing bug: pages can hide menubar and URL bar on a newly created window, and replace it with an image coupled with dynamic HTML, or with a XUL control. To render such attacks less effective, Firefox now forces all windows without a URL bar to display site location in window title bar. This demo opens such a window (this is just a naive example; UI layout and resolution might not match yours) to demonstrate this behavior:

By combining this UI spoofing attack with "location-less" windows demonstrated above, it is possible to spawn a window with fake UI and no window title restrictions, however:

Questions and comments: Michal Zalewski <lcamtuf@coredump.cx>.