EventSource in JS can be flooded and Firefox totally freezes

Status: UNCONFIRMED
Assignee: Unassigned
Product: Core
Component: DOM
Opened: 4 years ago
Updated: 4 years ago
Reporter: Raphael
Keywords: csectype-dos
Version: 32 Branch
Platform: x86_64, Linux
Points: ---
Firefox Tracking Flags: Not tracked

(Reporter)

Description

4 years ago
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0
Build ID: 20140925003805

Steps to reproduce:

I wrote a PHP script which infinitely sends Server Sent Events to the client.
The client should append my message to the body.
Client freezes almost immediately.


Actual results:

Firefox totally freezes. Can only be reset by process killing.


Expected results:

The JavaScript-Engine should stop receiving messages.

Updated

4 years ago
Component: JavaScript Engine → DOM
Does the browser crash or just become unresponsive?
Can you attach the PHP script so we can use it as a test case?
Flags: needinfo?(bug)
> The JavaScript-Engine should stop receiving messages.

Why?

How is this different from just having a script that appends stuff to the body in a loop?
(Reporter)

Comment 3

4 years ago
Hey,

to provoke the failure I used the following script:
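<?php
// Declare the response as a Server-Sent Events stream and disable caching.
header('Content-Type: text/event-stream');
header('Cache-Control: no-cache');

// Emit events in a tight loop with no delay between them.
while (true) {
    echo "id: 1" . PHP_EOL;
    echo "data: " . time() . PHP_EOL;
    echo PHP_EOL; // a blank line terminates one event
    ob_flush();
    flush();
}
?>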

The JavaScript is the normal

var source = new EventSource('./yourScript.php');
// Every received event re-serializes and re-parses the whole body.
source.onmessage = function(e) {
    document.body.innerHTML += e.data + '<br>';
};

It is different to appending stuff to the body from a JavaScript-Loop in the way that your browser automatically slows the JavaScript down when it cannot handle all the appending (I've tried that without any influence on the overall performance).
But when it is flooded from the web via Server Sent Events, it seems to handle that differently.

I tried it with Firefox under Arch Linux and Windows Vista. Both seem to be vulnerable. When I use Chrome for it (even on my smartphone) it stops executing the Script.
Flags: needinfo?(bug)
Group: core-security
Keywords: csectype-dos
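
A page-side way to bound the work done per event for the consumer shown in comment 3, as an added example that is not part of the bug report or of Firefox's code. The names createFloodGuard, maxPerWindow, windowMs and onTrip and the thresholds are assumptions chosen for illustration; only './yourScript.php' comes from the report.

```javascript
// Added example: cap the rate of Server-Sent Events a page will process and
// batch DOM writes. All names and limits here are hypothetical.
function createFloodGuard({ maxPerWindow, windowMs, onTrip, now = Date.now }) {
  let windowStart = now();
  let count = 0;
  let tripped = false;
  const pending = [];

  return {
    // Call from source.onmessage. Returns false once the limit was exceeded.
    accept(data) {
      if (tripped) return false;
      const t = now();
      if (t - windowStart >= windowMs) { windowStart = t; count = 0; }
      count += 1;
      if (count > maxPerWindow) {
        tripped = true;
        onTrip(); // e.g. close the EventSource so no more events arrive
        return false;
      }
      pending.push(String(data));
      return true;
    },
    // Call once per frame: returns the queued messages and empties the queue.
    drain() { return pending.splice(0, pending.length); },
    get tripped() { return tripped; },
  };
}

// Browser wiring; skipped where EventSource or document do not exist.
if (typeof EventSource !== 'undefined' && typeof document !== 'undefined') {
  const source = new EventSource('./yourScript.php');
  const guard = createFloodGuard({
    maxPerWindow: 50, windowMs: 1000, onTrip: () => source.close(),
  });
  source.onmessage = (e) => { guard.accept(e.data); };
  (function render() {
    // One DOM write per frame; text nodes keep server data from being parsed as HTML.
    const frag = document.createDocumentFragment();
    for (const line of guard.drain()) {
      frag.append(document.createTextNode(line), document.createElement('br'));
    }
    document.body.append(frag);
    if (!guard.tripped) requestAnimationFrame(render);
  })();
}
```
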