Hello,

I've checked the comments from above a few times and I believe this will help to have something that puts everyone on the same page:

I tried to reproduce this issue on the latest Focus for iOS **v122 (17561)** with **iPhone 15 Pro (17.1.2).**

### Steps to reproduce
1. Open https://google.com on Focus.
2. As Focus has only one tab, tap on the URL and write **https://pwning.click/Focus302UXSS.php**
3. Press enter in order to access **https://pwning.click/Focus302UXSS.php**

### Expected Behavior
JavaScript doesn't run, we're staying on https://google.com

### Actual behavior
There is a blank page with www.google.com text, the URL is displayed as **pwning.click** and the loading page bar is stuck at 10%.

### Notes
Please note that with a refresh of the page (swipe down) the google.com is correctly displayed again.

Please note that there is no "indicating that 302 redirected JavaScript on https://pwning.click/Focus302UXSS.php javascript:document.write(document.domain) was executed on https://google.com ." as James Lee mentioned here.

(In reply to James Lee from comment #22)
> Actual behavior: blank page with www.google.com indicating that 302 redirected JavaScript on https://pwning.click/Focus302UXSS.php javascript:document.write(document.domain) was executed on https://google.com .

I prepared more videos:
- [Google Chrome](https://drive.google.com/file/d/18v5vw1ARCL3KXqad1wAgUYGNdq1oX4Vx/view?usp=sharing) - This site can't be reached error was displayed and on the URL was the following `javascript:document.write(document.domain)`
- [Firefox Focus v122 (17561)](https://drive.google.com/file/d/1euLncn86rDDdY8UBOCh0Mn2_VFDI3s_t/view?usp=sharing) - There is a blank page with www.google.com text, the URL is displayed as **pwning.click** and the loading page bar is stuck at 10%.
- [Firefox for iOS v122 (37686)](https://drive.google.com/file/d/1YeG7pjpBfRlNYdaeXseNCs6g7HW2Jsl4/view?usp=sharing) - The `https://pwning.click/Focus302UXSS.php` is instantly transformed into www.google.com and the loading bar is stuck at 10%; when clicking on the URL bar nothing happens as the google.com is correctly displayed.
- [Brave latest version](https://drive.google.com/file/d/1MfxIWWrkZKXLEjTWlDIln8z8hgvC5jIW/view?usp=sharing) - nothing happens, the google.com is still displayed correctly.
- [Safari latest version](https://drive.google.com/file/d/1EQZiSEzyYIokjbY4GRRRbQcXrdsOrIeN/view?usp=sharing) - This site can't be reached error was displayed and on the URL was the following `javascript:document.write(document.domain)`

So based on the above information and what James commented in the above comments: Right now we are not returning javascript:document.write(document.domain) running on https://google.com meaning that this issue is fixed. But it's still weird (if you check the Focus video) how it's displayed.

Looking forward to some more information in order to verify this issue right.

Bug 1860075 Comment 28 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

Hello,

I've checked the comments from above a few times and I believe this will help to have something that puts everyone on the same page:

I tried to reproduce this issue on the latest Focus for iOS **v122 (17561)** with **iPhone 15 Pro (17.1.2).**

### Steps to reproduce
1. Open https://google.com on Focus.
2. As Focus has only one tab, tap on the URL and write **https://pwning.click/Focus302UXSS.php**
3. Press enter in order to access **https://pwning.click/Focus302UXSS.php**

### Expected Behavior
JavaScript doesn't run, we're staying on https://google.com

### Actual behavior
There is a blank page with www.google.com text, the URL is displayed as **pwning.click** and the loading page bar is stuck at 10%.

### Notes
Please note that with a refresh of the page (swipe down) the google.com is correctly displayed again.

Please note that there is no "indicating that 302 redirected JavaScript on https://pwning.click/Focus302UXSS.php javascript:document.write(document.domain) was executed on https://google.com ." as James Lee mentioned here.

(In reply to James Lee from comment #22)
> Actual behavior: blank page with www.google.com indicating that 302 redirected JavaScript on https://pwning.click/Focus302UXSS.php javascript:document.write(document.domain) was executed on https://google.com .

I prepared more videos:
- [Google Chrome](https://drive.google.com/file/d/18v5vw1ARCL3KXqad1wAgUYGNdq1oX4Vx/view?usp=sharing) - This site can't be reached error was displayed and on the URL was the following `javascript:document.write(document.domain)`
- [Firefox Focus v122 (17561)](https://drive.google.com/file/d/1euLncn86rDDdY8UBOCh0Mn2_VFDI3s_t/view?usp=sharing) - There is a blank page with www.google.com text, the URL is displayed as **pwning.click** and the loading page bar is stuck at 10%.
- [Firefox for iOS v122 (37686)](https://drive.google.com/file/d/1YeG7pjpBfRlNYdaeXseNCs6g7HW2Jsl4/view?usp=sharing) - The `https://pwning.click/Focus302UXSS.php` is instantly transformed into www.google.com and the loading bar is stuck at 10%; when clicking on the URL bar nothing happens as the google.com is correctly displayed.
- [Brave latest version](https://drive.google.com/file/d/1MfxIWWrkZKXLEjTWlDIln8z8hgvC5jIW/view?usp=sharing) - nothing happens, the google.com is still displayed correctly.
- [Safari latest version](https://drive.google.com/file/d/1EQZiSEzyYIokjbY4GRRRbQcXrdsOrIeN/view?usp=sharing) - This site can't be reached error was displayed and on the URL was the following `javascript:document.write(document.domain)`

So based on the above information and what James commented in the above comments: Right now we are not returning javascript:document.write(document.domain) running on https://google.com but the URL `pwning.click` is displayed meaning that this issue is fixed. But it's still weird (if you check the Focus video) how it's displayed.

Looking forward to some more information in order to verify this issue right.