Closed Bug 562255 Opened 14 years ago Closed 14 years ago

Javascript-based Web sites (e.g. Facebook "connections editor") are able to trap browser close

Categories

(Firefox :: Security, defect)

x86
Linux
defect
Not set
normal

Tracking

RESOLVED DUPLICATE of bug 61098

People

(Reporter: mskala, Unassigned)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2

Necessary background, though this part is not Firefox's fault: Facebook has a new feature some users object to, under which users' formerly-private personal information is being "migrated" to no longer be private.  They think they need users' consent to do this; some users don't want to give consent.  It is very easy to enter the "migration" process, and if you find yourself there, they don't want you to leave without consenting.  If you try to close the window, it doesn't close, but you instead get a modal dialog box prompting you to finish the migration process.  This also happens if you try to close the tab, or to quit Firefox via the menu option.  Once in this state, the only way I've found to exit Firefox other than agreeing to "migration", is to kill the Firefox processes.

The part that IS Firefox's fault: Firefox allows Facebook to do this.  I consider Facebook's behaviour malicious, but even if someone doesn't, other Web sites that are malicious can evidently do the same thing.  That makes it a security issue for Firefox: no Web site should be able to prevent the browser from closing.

If it is desired to ever allow Javascript to block the "close browser" event (and it seems questionable whether there could ever be a legitimate reason for a Web site to do that), then this should at least be something users can disable via the "Advanced Javascript" settings.  As described below, the only user-visible way to disable it at present seems to consist of disabling Javascript entirely.

The ability to close a browser *fast* is important to anyone using a browser at work, in a public place, when children are present, or anywhere else it's possible they might want to get something off their screen in a hurry.  If Web sites can interfere with window close, that's a security problem - even if minimizing the window, moving it mostly off-screen, switching desktops, adding a tab, or other temporary solutions remain available.  However, although I think this is legitimately a security bug, I don't think it's sensitive enough to need confidential treatment.  Many people will have already seen it, given the popularity of Facebook.

Reproducible: Always

Steps to Reproduce:
1.  You'll need a Facebook account that has not yet completed the "connections" migration process.
2.  Log in and enter that process, for instance by going to your own "Info" profile section and choosing the "page suggestions" option.  (Depending on your status, it may push you into the migration tool even before you get that far.)
3.  Now, just try to get out of Firefox without giving them permission!
3a.  If you try to close the browser window, you get the "Are you sure you want to navigate away..." dialog box.  Closing that with the close or cancel buttons works, but then you're back where you started.
3b.  If you try to close the tab, you get the dialog again.
3c.  If you try to use the "Quit" option on the "File" menu, you get the dialog again.
3d.  Special bonus:  after killing Firefox with kill -9, next time you run Firefox you're put immediately back into the same page on Facebook's site, and you get the dialog again.  After killing it a second time, running Firefox a third time results in the usual "Sorry, your session crashed, do you want to restore it?" prompt, and it's possible to escape Facebook's evil clutches by saying "no" to restoring the session.

Actual Results:
As above:  all attempts to close the window, tab, or browser result in a dialog box controlled by Facebook's script, strongly encouraging the user to consent to disclosure of personal information.

Expected Results:  
Window, tab, or browser should close immediately, on the first try.

When I first noticed this, my "Advanced JavaScript" settings were "move or resize existing windows" allowed, "disable or replace context menus" allowed, all others disallowed; but turning off these two settings doesn't seem to make a difference.  Turning off JavaScript entirely does fix it, but involves an obvious major cost in usability.

Recent changes to Facebook's site mean that the specific steps given in the report are no longer possible; however, the problem remains.  You can now reproduce it with any profile edit:  just make some changes, don't save them, and then attempt to close the browser without going through Facebook's UI interaction.

See also bug 432687
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
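
A user-side workaround for the behaviour reported above, as an added example that is not part of the original report or of Firefox: the "navigate away" dialog is the browser's response to a page cancelling the standard `beforeunload` event, so a script that runs before the page's own scripts can keep those handlers from being reached. `installCloseGuard`, `simulateClose` and the stand-in window are hypothetical names; the stand-in models only event cancellation so the block runs under Node.

```javascript
// Added example; installCloseGuard, simulateClose and fakeWindow are hypothetical names.
function installCloseGuard(win) {
  // Registered before any page script, so it runs first and keeps every
  // later beforeunload listener on the window from being invoked.
  win.addEventListener('beforeunload', (event) => {
    event.stopImmediatePropagation();
  }, true);

  // Also swallow the legacy `window.onbeforeunload = fn` assignment.
  let blocked = 0;
  Object.defineProperty(win, 'onbeforeunload', {
    configurable: false,
    get() { return null; },
    set(_handler) { blocked += 1; },
  });
  return { blockedAssignments: () => blocked };
}

// Constructed stand-in for a browser window: it models only a cancelable
// beforeunload event, whose cancellation is what makes the browser prompt.
function simulateClose(guarded) {
  const fakeWindow = new EventTarget();
  const guard = guarded ? installCloseGuard(fakeWindow) : null;

  // Constructed page script that asks for a prompt in both registration styles.
  fakeWindow.onbeforeunload = () => 'You have unsaved changes';
  fakeWindow.addEventListener('beforeunload', (event) => event.preventDefault());

  const event = new Event('beforeunload', { cancelable: true });
  fakeWindow.dispatchEvent(event);

  // Emulate the browser calling the legacy handler, if one is still installed.
  const legacy = fakeWindow.onbeforeunload;
  const legacyAsked = typeof legacy === 'function' && legacy(event) != null;

  return {
    promptShown: event.defaultPrevented || legacyAsked,
    blockedAssignments: guard ? guard.blockedAssignments() : 0,
  };
}

console.log(simulateClose(false), simulateClose(true));
```

In a real browser the guard has to run before the page's scripts (for example from a user script injected at document start), and it also suppresses legitimate unsaved-changes prompts.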