Open Bug 1077089 Opened 8 years ago Updated 2 months ago

EventSource in JS can be flooded and Firefox totally freezes


(Core :: DOM: Core & HTML, defect, P5)

32 Branch





(Reporter: bug, Unassigned)


(Keywords: csectype-dos)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0
Build ID: 20140925003805

Steps to reproduce:

I wrote a PHP Script which infinitly sends Server Sent Events to the Client.
The client should append my message to the body.
Client freezes almost immediately.

Actual results:

Firefox totally freezes. Can only be reset by process killing.

Expected results:

The JavaScript-Engine should stop receiving messages.
Component: JavaScript Engine → DOM
Does the browser crash or just become unresponsive?
Can you attach the PHP script so we can use it as a test case?
Flags: needinfo?(bug)
> The JavaScript-Engine should stop receiving messages.


How is this different from just having a script that appends stuff to the body in a loop?

to provoke the failure I used the following script:
header('Content-Type: text/event-stream');
header('Cache-Control: no-cache');

while(true) {
echo "id: 1" . PHP_EOL;
echo "data: ". time() . PHP_EOL;
echo PHP_EOL;

The JavaScript is the normal

var source = new EventSource('./yourScript.php');
source.onmessage = function(e) {
    document.body.innerHTML += + '<br>';

It is different to appending stuff to the body from a JavaScript-Loop in the way that your browser automatically slows the JavaScript down when it can not handle all the appending (I've tried that without any influence to the overall performance).
But when it is flooded from the web via Server Sent Events, it seems to handle that differently.

I tried it with Firefox under Arch Linux and Windows Vista. Both seem to be vulnerable. When I use Chrome for it (even on my smartphone) it stops executing the Script.
Flags: needinfo?(bug)
Group: core-security
Keywords: csectype-dos

Move all DOM bugs that haven’t been updated in more than 3 years and has no one currently assigned to P5.

If you have questions, please contact :mdaly.
Priority: -- → P5
Component: DOM → DOM: Core & HTML
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.