Open Bug 1241048 Opened 5 years ago Updated 3 years ago

js can prevent navigation via location bar

Categories

(Core :: DOM: Navigation, defect)

46 Branch
defect
Not set
normal

Tracking

()

UNCONFIRMED

People

(Reporter: q, Unassigned)

Details

Attachments

(1 file)

3.87 MB, application/x-zip-compressed
Details
Attached file moz.zip
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Build ID: 20160105164030

Steps to reproduce:

I've got node.js app. After the user want to leave the page, and socket connection is breaking, I quickly send the reconnect socket message.
Some times, the next web site is loading, and then reconnected socket send the user back to the previos page. So, It is not unpopssible to leave the page, the only way to leave is closing the tab.
Unpack files on your webserver with node js. Launch app. Goto webserver web adress. Try to enter another site adress in adress string and press enter.


Actual results:

Site refresh.


Expected results:

I should go to the site, which name I have entered in adress string.
What is the security issue that makes this a security issue, exactly?
Flags: sec-bounty?
Group: firefox-core-security → core-security
Component: Untriaged → Networking
Product: Firefox → Core
Flags: needinfo?(q)
Group: core-security → network-core-security
I've made a demo from moz.zip attachment, to show you the problem.
Please, go to http://193.124.178.97:3000/ and after that, enter some site (like google or mozilla) in adress string and press enter. The browser wouldn't allow you to go to this sites.

I've tested this solution on windows and linux, and it's working well on both systems, and on every Ffox browser.
Flags: needinfo?(q)
I can't reproduce using comment 2. (the navigation works fine for me). I'm going to refile this under navigation.. still not sure why this is a security bug.
Component: Networking → Document Navigation
This is not a security bug, sorry.
t first a thought, that this socket opens after the page loads and have access to the new page.
*At first I thought
Group: network-core-security
You can't reproduce this bug maybe because of timings.
I've got setTimeout(go, 200);
Now, I've changed it to setTimeout(go, 0);

Another problem might be the server location (Russia, high ping relatively to you).
For me, this example works quite nice.

Please, try different sites. The bug is real.
If it is neccesary, I could shot a video with with this issue
I can repro the issue in comment 2.. I'm not the right person to figure out if this is even a bug.. seems to just be calling location.reload constantly.
Summary: Uncorrect socket handling, impossible to leave the page. → js can prevent navigation via location bar
Yes, but this happens right after user enter site in adress bar and press enter.
Only firefox behaves this way. 
And I guess this is not just about location.reload. This is about not connect socket handling. This situation happens only on socket disconnect event.

Sometimes in Network tab you can see this:
GET http://***:3000/socket.io/?EIO=3&transport=polling
GET http://YOUR_SITE
GET http://***:3000/socket.io/?EIO=3&transport=polling

So there is something definitely wrong and incorrect.
Flags: sec-bounty? → sec-bounty-
Group: core-security
Blocks: eviltraps
Group: core-security
I succeed to repeat the bug, but not every time. If a incoming packet is received, or is being receive, in time you go to an another website, the mechanism prevent the browser from quitting the page.
I can't reproduce this anymore. It just makes my content process a little slow. I tried reducing the timeout but that doesn't work either.
No longer blocks: eviltraps
You need to log in before you can comment on or make changes to this bug.