Closed
Bug 1310659
Opened 9 years ago
Closed 8 years ago
Limit number of window.open() allowed by a single user interaction.
Categories
(Core :: DOM: Core & HTML, defect, P3)
RESOLVED
DUPLICATE
of bug 675574
People
(Reporter: cs.anurag.jain, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: csectype-dos, hang, Whiteboard: [sg:dos])
Attachments
(1 file)
9.06 KB,
text/html
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36
Steps to reproduce:
1) If you pass multiple window.open on a single link click then Firefox opens up all the links mentioned in window.open
2) Open up a.html
3) Click on link "Click Me"
4) Firefox would hang or go very slow until it could open the 280 tabs (spam website could go more than 500 which could make this more problematic)
5) If you forcefully close Firefox then on reopening it will again try to load the 280 tabs.
Actual results:
Firefox hangs and the only option for the user is to close it using Task Manager. The user will lose any side work he was doing in Firefox.
Expected results:
Other browsers like Chrome only open up the first link mentioned in window.open.
For example in attached a.html it would only open 2 tabs (hello.com & Desktop/facebook.com) instead of 280 tabs
Updated•9 years ago
Group: firefox-core-security → core-security
Component: Untriaged → DOM: Core & HTML
Product: Firefox → Core
Updated•9 years ago
Group: core-security → dom-core-security
Comment 1•9 years ago
The spec doesn't put any limits on the code, but limiting the number of window.open()--not spec compliant--is probably a good practical defense against internet trolls.
Blocks: eviltraps
Group: dom-core-security
Keywords: csectype-dos, hang
Summary: Firefox follows all window.open mentioned in onclick of a link → Limit number of window.open() allowed by a single user interaction.
Whiteboard: [sg:dos]
Comment 2•9 years ago
It sounds like a nice enhancement; any concerns if we go the same way as Chrome?
Flags: needinfo?(bugs)
Comment 3•9 years ago
Not concerns but need to figure out what all can be done per one interaction. Like, is it possible to open a new window and a file picker? Or only just one thing, like new window.
Flags: needinfo?(bugs)
Just realized this bug could also be used by an attacker to cause a DDoS against any website by mentioning that site name several times in window.open.
When the victim opens up the link, his network will start acting as an attack node, sending several requests to the victim website. Even if the user realizes the attack, which is very unlikely, it would be difficult to shut down the attack since all of Firefox is frozen.
If you agree, can we move this to a valid security issue by updating the group again with dom-core-security instead of just dos?
Comment 5•9 years ago
(In reply to Olli Pettay [:smaug] from comment #3)
> Not concerns but need to figure out what all can be done per one
> interaction. Like, is it possible to open a new window and a file picker? Or
> only just one thing, like new window.
In Chrome, if there is a new window and a file picker, it only opens a new window.
I also found a case. If you open up a.html, which contains a link "Click Me", and it opens b.html, which has an onload function that does window.open on a different website and itself, it will create an infinite window.open loop. Currently, it's prevented by the browser's pop-up blocker. If the user allows pop-ups, this symptom will show up immediately in both Chrome and Firefox. I'm not sure whether it is in this bug's scope.
Updated•9 years ago
Priority: -- → P3
Comment 6•9 years ago
If a malicious page tries to open many popups rather than tabs, our popup blocker will prevent the page from opening those popups. Probably we should apply the same limit to tabs.
Updated•8 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
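The policy discussed in this bug (one popup-like action per user interaction, with new windows and file pickers sharing the allowance), as an added example that is not part of the bug thread and is not Firefox or Chrome code. The class `InteractionGate`, its methods, the 1000 ms `ttlMs` lifetime and the `example.test` URLs are assumptions made for illustration.

```javascript
// Model of a "one popup-like action per user interaction" policy.
// All names and the ttlMs default are hypothetical, not browser code.
class InteractionGate {
  constructor({ ttlMs = 1000, now = () => Date.now() } = {}) {
    this.ttlMs = ttlMs;      // assumed lifetime of one allowance
    this.now = now;          // injectable clock for testing
    this.grantedAt = null;   // null means no unspent allowance
    this.blocked = [];       // denied requests, kept for reporting
  }

  // Called from the trusted input path (click, key press), never from script.
  onUserInteraction() {
    this.grantedAt = this.now();
  }

  // kind is "window" or "filepicker"; both draw on the same allowance.
  request(kind, target) {
    const fresh = this.grantedAt !== null &&
      this.now() - this.grantedAt <= this.ttlMs;
    if (!fresh) {
      this.blocked.push({ kind, target });
      return false;
    }
    this.grantedAt = null; // consume it: later calls in the handler fail
    return true;
  }
}

// One click whose handler issues every request in the list.
function simulateClick(gate, requests) {
  gate.onUserInteraction();
  return requests.filter(([kind, target]) => gate.request(kind, target));
}

// Constructed scenario mirroring the report: 280 window requests per click.
function demo() {
  let t = 0;
  const gate = new InteractionGate({ now: () => t });
  const asks = [];
  for (let i = 0; i < 280; i++) asks.push(["window", `https://example.test/${i}`]);
  asks.push(["filepicker", null]);
  const opened = simulateClick(gate, asks);
  // An onload handler with no interaction behind it gets nothing.
  const onloadAllowed = gate.request("window", "https://example.test/loop");
  gate.onUserInteraction();
  t += 5000; // allowance has gone stale before the request arrives
  const staleAllowed = gate.request("window", "https://example.test/late");
  return { opened, blockedCount: gate.blocked.length, onloadAllowed, staleAllowed };
}
```

The `blocked` list is what a browser would surface to the user in a blocked-popup notification, so denied requests are recorded rather than silently dropped.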