Open Bug 1256047 Opened 5 years ago Updated 2 years ago

Firefox allow site to change parent window

Categories

(Core :: DOM: Core & HTML, defect)

44 Branch
x86_64
Linux
defect
Not set
normal

Tracking

()

UNCONFIRMED

People

(Reporter: strelkov355, Unassigned)

Details

(Whiteboard: btpp-followup-2016-04-11)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.7.0
Build ID: 20160308234001

Steps to reproduce:

1) Setup Debian Sid.
2) Open Iceweasel.
3) Search "site:justporno.tv Dont be shy its just porn" in Google. Searching text don't matter. You  just need get link to justporno.tv domain (not to xxx.justporno.tv subdomain).
4) Open first result in justporno.tv domain.


Actual results:

justporno.tv opened in new tab. Good.
Tab with Google redirected to justporno.tv. If I'm just create new tab and input justporno.tv address to it, this problem don't appear.
For get this result second time, you need clear cookies.


Expected results:

justporno.tv must don't have access to Google tab.
OS: Unspecified → Linux
Hardware: Unspecified → x86_64
Component: Untriaged → DOM
Product: Firefox → Core
The behaviour of opening in a new tab *and* opening in the existing tab seems odd.

Does this reproduce with a clean profile?
Flags: needinfo?(strelkov355)
Whiteboard: btpp-followup-2016-04-11
(In reply to Andrew Overholt [:overholt] from comment #1)
> The behaviour of opening in a new tab *and* opening in the existing tab
> seems odd.
> 
> Does this reproduce with a clean profile?

I'm remove add-ons (NoScript and TabMix), result the same. Yes, it's very odd.
Flags: needinfo?(strelkov355)
I can't reproduce with "site:stackoverflow.com html" as my search query.

This feels like a site bug or maybe some add-on you don't know you have?

I'm not sure there's much else we can do if reproduction isn't possible.
Flags: needinfo?(strelkov355)
(In reply to Andrew Overholt [:overholt] from comment #3)
> I can't reproduce with "site:stackoverflow.com html" as my search query.

"Search "site:justporno.tv Dont be shy its just porn"...".
This bug appear only in justporno.tv site. Or, more like, justporno.tv use some strange vulnerability.

> This feels like a site bug or maybe some add-on you don't know you have?

I'm also testing this bug in Debian Mate 8.3 Live CD (amd64 platform). Yes, I'm sure that official LiveCD can't contain any odd add-ons.
Flags: needinfo?(strelkov355)
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.