Closed Bug 1125285 Opened 10 years ago Closed 2 years ago

Ignore beforeunload on frames when triggered by blur handlers on parent document

Categories

(Core :: DOM: Navigation, defect)

Product:
Core
Component:
DOM: Navigation
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: Gijs, Unassigned)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(Keywords: csectype-dos, csectype-spoof, ux-control)

Attachments

(1 file, 1 obsolete file)

Testcase
384 bytes, text/html
Details
Attached file beforeunload.html (obsolete) —
+++ This bug was initially created as a clone of Bug #1116977 +++ I don't know how to fix this, and if it's even reasonably possible because of the amount of indirection (and then what happens if you use another setTimeout in the middle, etc. etc.)
Attached file Testcase
Attachment #8553890 - Attachment is obsolete: true
What do you mean by "when triggered by blur handlers on parent document"? Should we just disable beforeunload for frames entirely, as a followup to bug 636374?
(In reply to Jesse Ruderman from comment #2) > What do you mean by "when triggered by blur handlers on parent document"? See the testcase? Basically, in a blur handler on the top document, trigger a load on the kid (change the src of the iframe, trigger location.reload, whatever), which triggers onbeforeunload on the frame. > Should we just disable beforeunload for frames entirely, as a followup to > bug 636374? Interesting idea. I'm not the right person to comment on the web-compat side of that. Olli, thoughts?
Flags: needinfo?(bugs)
(In reply to :Gijs Kruitbosch from comment #3) > (In reply to Jesse Ruderman from comment #2) > > What do you mean by "when triggered by blur handlers on parent document"? > > See the testcase? Basically, in a blur handler on the top document, trigger > a load on the kid (change the src of the iframe, trigger location.reload, > whatever), which triggers onbeforeunload on the frame. To be clear, at least on OS X, the consequence is basically that it becomes hard(er) to switch tabs, or focus any of the browser UI - you can do it the second time you try, after the beforeunload dialog has come up, but it's still annoying, causes flickering and generally can leave the browser in a pretty confused state... If you click 'stay on page', then that just means focus gets put back in the document, and the next time you click on a tab/urlbar/whatever, the same dialog pops up again and steals focus again... it's annoying.
(In reply to :Gijs Kruitbosch from comment #3) > > Should we just disable beforeunload for frames entirely, as a followup to > > bug 636374? > > Interesting idea. I'm not the right person to comment on the web-compat side > of that. Olli, thoughts? We certainly can't remove the event, but maybe the confirmation dialog? Again, what do other browsers do here?
Flags: needinfo?(bugs)
(In reply to Olli Pettay [:smaug] from comment #5) > (In reply to :Gijs Kruitbosch from comment #3) > > > Should we just disable beforeunload for frames entirely, as a followup to > > > bug 636374? > > > > Interesting idea. I'm not the right person to comment on the web-compat side > > of that. Olli, thoughts? > We certainly can't remove the event, but maybe the confirmation dialog? Yeah, sorry for not being clear - that's what the hidden pref does (now), too. > Again, what do other browsers do here? I'll try to have a look early next week.
Flags: needinfo?(gijskruitbosch+bugs)
(In reply to :Gijs Kruitbosch from comment #6) > (In reply to Olli Pettay [:smaug] from comment #5) > > (In reply to :Gijs Kruitbosch from comment #3) > > > > Should we just disable beforeunload for frames entirely, as a followup to > > > > bug 636374? > > > > > > Interesting idea. I'm not the right person to comment on the web-compat side > > > of that. Olli, thoughts? > > We certainly can't remove the event, but maybe the confirmation dialog? > > Yeah, sorry for not being clear - that's what the hidden pref does (now), > too. > > > Again, what do other browsers do here? > > I'll try to have a look early next week. The DoS in the testcase works even 'better' in Chrome in that the "do you want to reload this page" popup seems to be app-modal there; I can't switch to another tab while it's up. IE11 does the same, but at least after interacting with the popup, the focus is on the tabbar and so I can switch the second time I try. Both of them thus seem to run beforeunload handlers for frames in the page (and prompt for them). Sounds like we can't outright remove that per the current version of the spec. Equally, I bet other vendors would be interested in fixing the DoS-style annoyances here...
Flags: needinfo?(gijskruitbosch+bugs)
Rather than trying to prevent specific combinations of events and frames, I think we should disable onbeforeunload dialogs: * When you haven't interacted with a page (bug 636905) * In frames (bug 1131187) See also bug 1003967, which proposes disabling all dialogs (not just onbeforeunload) in the intersection of those two cases: (cross-origin) frames the user has not interacted with. WONTFIX?
(In reply to Jesse Ruderman from comment #8) > Rather than trying to prevent specific combinations of events and frames, I > think we should disable onbeforeunload dialogs: > > * When you haven't interacted with a page (bug 636905) Can we actually reasonably detect whether you've "interacted" with a page? (what counts? scrolling? For e.g. reading a news article, I might not "interact" with the page at all...)
Flags: needinfo?(jruderman)
As I suggested in bug 636905 comment 0: anything that would allow a popup would also allow onbeforeunload. So clicking and typing would allow, but scrolling and pressing modifier keys would not. There are some edge cases, such as scrolling with arrow keys or spacebar, but I'm not really worried about evil popups doing those things just to make it hard to close the popup.
Flags: needinfo?(jruderman)
(In reply to Jesse Ruderman from comment #10) > As I suggested in bug 636905 comment 0: anything that would allow a popup > would also allow onbeforeunload. So clicking and typing would allow, but > scrolling and pressing modifier keys would not. Is this already implemented/exposed on the docshell in some way?
Maybe smaug knows
Flags: needinfo?(bugs)
Well, exposed in docshell...no. gPopupControlState is in nsGlobalWindow.cpp
Flags: needinfo?(bugs)
Gijs, we are triaging evil trap bugs at the moment. This one is still reproducible, but also a valid use case, right? Any opinion on the priority of this bug? Asked differently, do you still think that comment 11 is the way to move forward? Thanks for any response.
Flags: needinfo?(gijskruitbosch+bugs)
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #14) > Gijs, we are triaging evil trap bugs at the moment. This one is still > reproducible, but also a valid use case, right? Any opinion on the priority > of this bug? Asked differently, do you still think that comment 11 is the > way to move forward? Thanks for any response. We have already implemented comment #11, in bug 636905. We no longer show beforeunload if you don't interact (mousedown, keypress, etc.) with the frame which requests it before closing the tab / navigating it. As a result the iframe attack stuff doesn't really work anymore, from what I can tell. I think we should fix bug 1345830 and then close this as WFM. Does that sound like a reasonable suggestion?
Flags: needinfo?(gijskruitbosch+bugs) → needinfo?(ckerschb)
(In reply to :Gijs from comment #15) > I think we should fix bug 1345830 and then close this as WFM. Does that > sound like a reasonable suggestion? I think this sounds like a perfectly reasonable idea. I marked this bug to be dependent on Bug 1345830. Thanks!
Depends on: 1345830
Flags: needinfo?(ckerschb)

In the process of migrating remaining bugs to the new severity system, the severity for this bug cannot be automatically determined. Please retriage this bug using the new severity system.

Severity: critical → --

Close per the suggestion from comment 16.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: