Open Bug 1316857 Opened 8 years ago Updated 2 years ago

A page opened via target="_blank" containing window.close(), will be able to close your browser tab.

Categories

(Core :: DOM: Navigation, defect, P2)

Product:
Core
Component:
DOM: Navigation
Type:
defect

Tracking

()

People

(Reporter: gianluca.guarini, Unassigned, NeedInfo)

References

(
URL
)

Details

(Keywords: testcase) 

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:51.0) Gecko/20100101 Firefox/51.0
Build ID: 20161110004022

Steps to reproduce:

Any page linked by a link with the target="_blank" attribute and containing a window.close(), will be able to close your tab.

I made a github repo to demonstrate the issue https://github.com/dreipol/firefox-window-close-bug



Actual results:

The browser tab gets closed using `window.close()` even if the page was never opened via script 


Expected results:

According to the specs (https://developer.mozilla.org/en-US/docs/Web/API/Window/close) a window.close call should be able to close windows that were only opened by a script using the window.open() method
URL: https://github.com/dreipol/firefox-wi...
OS: Unspecified → Mac OS X
I can reproduce on win10 and Ubunto16.04
Status: UNCONFIRMED → NEW
Component: Security → Document Navigation
Ever confirmed: true
OS: Mac OS X → All
Version: 51 Branch → Trunk
Should this be possible per-spec?
Flags: needinfo?(annevk)
Per https://html.spec.whatwg.org/multipage/browsers.html#dom-window-close I think it should be.
Flags: needinfo?(annevk)
So this info is wrong at this point:

> [1] Starting in Firefox 46.0.1, Window.close() can no longer close windows that weren't opened by the same script. This is a security precaution.
(In reply to gianluca.guarini from comment #4)
> So this info is wrong at this point:
> 
> > [1] Starting in Firefox 46.0.1, Window.close() can no longer close windows that weren't opened by the same script. This is a security precaution.

This change (well, with s/46/35/) was added in https://developer.mozilla.org/en-US/docs/Web/API/Window/close$revision/735053 by https://developer.mozilla.org/en-US/profiles/zetta. Sheppy, what should we do with the docs here?
Flags: needinfo?(eshepherd)
(In reply to Anne (:annevk) from comment #3)
> Per https://html.spec.whatwg.org/multipage/browsers.html#dom-window-close I
> think it should be.

I'm assuming we're going by the "or if it is a top-level browsing context whose session history contains only one Document." at https://html.spec.whatwg.org/multipage/browsers.html#script-closable  ? We don't seem to implement that otherwise, in the sense that opening a new tab, loading a page, and calling window.close() gets you the error referenced in the MDN message ("Scripts may not close windows that were not opened by script.")

If I had to guess, then I would suspect that our implementation does not actually implement the spec and the only reason this behaviour is "per" spec is that we're treating window.open() with _blank and a user clicking a link that has _blank as identical, and so we treat the window (tab) as being "created by script" (the first clause in the spec). Which still feels like something we should fix (in addition to implementing the second part of the spec about toplevel no-history browser contexts). Boris, do you know how we handle this stuff?
Flags: needinfo?(bzbarsky)
Blocks: 1333599
The way we implement it has little to do with the spec, the spec may or may not have anything to do with how other browsers implement this, and the spec may or may not be web-compatible.

What we do is close() is allowed to close windows if they ever had a window.opener.  Which the target="_blank" case does, hence it's allowed to be closed.

It wouldn't be too hard to record whether the window was opened "by script" or not, actually.  But we'd definitely need to at least implement the "no session history" bit to not break the web, last I checked..

In any case, the first step here is to write some careful tests and see what various different browsers do in different situations.
Flags: needinfo?(bzbarsky)
Blocks: 1353466
Using "window.opener" as our signal is also causing bug 1353466. We should add a special-purpose "was opened by script" flag rather than trying to hint at it with whether there's an opener.
Priority: -- → P2
Hey Samael, you've been working on other window.opener and session history issues, would you please help with this as well?
Flags: needinfo?(sawang)
(In reply to Boris Zbarsky [:bz] (still a bit busy) (if a patch has no decent message, automatic r-) from comment #7)
> It wouldn't be too hard to record whether the window was opened "by script"
> or not, actually.  But we'd definitely need to at least implement the "no
> session history" bit to not break the web, last I checked..
> 
> In any case, the first step here is to write some careful tests and see what
> various different browsers do in different situations.

Made a quick simple test for the script-closable part on Chrome & Edge: 
http://freesamael.github.io/gecko/browsing-context/window-close/opener.html

Looks that Chrome allows script close if no session history, whether it's opened by script or a link. And allows script close if the page has an opener when session history contains more than 1 doc.

Edge always allows script close if it's opened by script, and always prompt for close with "The site you're on is trying to close this tab. Do you want to close this tab?" if it's opened by a link.

I didn't find test cases specifically for script-closable in web-platform-test. I'll try to add some. And I think I should check if "Window.close() can no longer close windows that weren't opened by the same script." was ever implemented in firefox.
Assignee: nobody → sawang
Flags: needinfo?(sawang)
Assignee: freesamael → nobody
(In reply to Samael Wang [:freesamael] (away for now) from comment #10)
> Made a quick simple test for the script-closable part on Chrome & Edge: 
> http://freesamael.github.io/gecko/browsing-context/window-close/opener.html

That page is 404 File not found.

- - - - 

Just in case... albeit I am not sure if this helps:

Closing tab instances or single-tab windows not opened by javascript
http://www.gtalbot.org/BrowserBugsSection/MSIE7Bugs/ClosingWindowsNotOpenedByJS.html

Closing tab instances or single-tab windows not opened by javascript
http://www.gtalbot.org/BrowserBugsSection/MSIE7Bugs/ClosingWindowsNotOpenedByJS-2.html

- - - -

A window.close() test involving a javascript-initiated window whose session history contains only one document has never been created as far as I can say.

- - - - 

(In reply to gianluca.guarini from comment #0)
> I made a github repo to demonstrate the issue
> https://github.com/dreipol/firefox-window-close-bug

Gianluca,

I created your test here:

http://www.gtalbot.org/BugzillaSection/Bug1316857-window.close-target_blank-parent.html

and created

http://www.gtalbot.org/BugzillaSection/Bug1316857-window.close-target_blank-child.html
Keywords: testcase
Hardware: Unspecified → All
See Also: → 1643450
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.