A page opened via target="_blank" containing window.close(), will be able to close your browser tab.

NEW
Unassigned

Status

()

Core
Document Navigation
P2
normal
a year ago
2 days ago

People

(Reporter: gianluca.guarini, Unassigned, NeedInfo)

Tracking

(Blocks: 2 bugs)

Trunk
Unspecified
All
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

(URL)

(Reporter)

Description

a year ago
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:51.0) Gecko/20100101 Firefox/51.0
Build ID: 20161110004022

Steps to reproduce:

Any page linked by a link with the target="_blank" attribute and containing a window.close(), will be able to close your tab.

I made a github repo to demonstrate the issue https://github.com/dreipol/firefox-window-close-bug



Actual results:

The browser tab gets closed using `window.close()` even if the page was never opened via script 


Expected results:

According to the specs (https://developer.mozilla.org/en-US/docs/Web/API/Window/close) a window.close call should be able to close windows that were only opened by a script using the window.open() method
(Reporter)

Updated

a year ago
OS: Unspecified → Mac OS X

Comment 1

a year ago
I can reproduce on win10 and Ubunto16.04
Status: UNCONFIRMED → NEW
Component: Security → Document Navigation
Ever confirmed: true
OS: Mac OS X → All
Version: 51 Branch → Trunk
Should this be possible per-spec?
Flags: needinfo?(annevk)

Comment 3

a year ago
Per https://html.spec.whatwg.org/multipage/browsers.html#dom-window-close I think it should be.
Flags: needinfo?(annevk)
(Reporter)

Comment 4

a year ago
So this info is wrong at this point:

> [1] Starting in Firefox 46.0.1, Window.close() can no longer close windows that weren't opened by the same script. This is a security precaution.
(In reply to gianluca.guarini from comment #4)
> So this info is wrong at this point:
> 
> > [1] Starting in Firefox 46.0.1, Window.close() can no longer close windows that weren't opened by the same script. This is a security precaution.

This change (well, with s/46/35/) was added in https://developer.mozilla.org/en-US/docs/Web/API/Window/close$revision/735053 by https://developer.mozilla.org/en-US/profiles/zetta. Sheppy, what should we do with the docs here?
Flags: needinfo?(eshepherd)

Comment 6

a year ago
(In reply to Anne (:annevk) from comment #3)
> Per https://html.spec.whatwg.org/multipage/browsers.html#dom-window-close I
> think it should be.

I'm assuming we're going by the "or if it is a top-level browsing context whose session history contains only one Document." at https://html.spec.whatwg.org/multipage/browsers.html#script-closable  ? We don't seem to implement that otherwise, in the sense that opening a new tab, loading a page, and calling window.close() gets you the error referenced in the MDN message ("Scripts may not close windows that were not opened by script.")

If I had to guess, then I would suspect that our implementation does not actually implement the spec and the only reason this behaviour is "per" spec is that we're treating window.open() with _blank and a user clicking a link that has _blank as identical, and so we treat the window (tab) as being "created by script" (the first clause in the spec). Which still feels like something we should fix (in addition to implementing the second part of the spec about toplevel no-history browser contexts). Boris, do you know how we handle this stuff?
Flags: needinfo?(bzbarsky)
The way we implement it has little to do with the spec, the spec may or may not have anything to do with how other browsers implement this, and the spec may or may not be web-compatible.

What we do is close() is allowed to close windows if they ever had a window.opener.  Which the target="_blank" case does, hence it's allowed to be closed.

It wouldn't be too hard to record whether the window was opened "by script" or not, actually.  But we'd definitely need to at least implement the "no session history" bit to not break the web, last I checked..

In any case, the first step here is to write some careful tests and see what various different browsers do in different situations.
Flags: needinfo?(bzbarsky)
Using "window.opener" as our signal is also causing bug 1353466. We should add a special-purpose "was opened by script" flag rather than trying to hint at it with whether there's an opener.
Priority: -- → P2
Hey Samael, you've been working on other window.opener and session history issues, would you please help with this as well?
Flags: needinfo?(sawang)
(In reply to Boris Zbarsky [:bz] (still a bit busy) (if a patch has no decent message, automatic r-) from comment #7)
> It wouldn't be too hard to record whether the window was opened "by script"
> or not, actually.  But we'd definitely need to at least implement the "no
> session history" bit to not break the web, last I checked..
> 
> In any case, the first step here is to write some careful tests and see what
> various different browsers do in different situations.

Made a quick simple test for the script-closable part on Chrome & Edge: 
http://freesamael.github.io/gecko/browsing-context/window-close/opener.html

Looks that Chrome allows script close if no session history, whether it's opened by script or a link. And allows script close if the page has an opener when session history contains more than 1 doc.

Edge always allows script close if it's opened by script, and always prompt for close with "The site you're on is trying to close this tab. Do you want to close this tab?" if it's opened by a link.

I didn't find test cases specifically for script-closable in web-platform-test. I'll try to add some. And I think I should check if "Window.close() can no longer close windows that weren't opened by the same script." was ever implemented in firefox.
Assignee: nobody → sawang
Flags: needinfo?(sawang)
Assignee: freesamael → nobody
You need to log in before you can comment on or make changes to this bug.