Open
Bug 1316857
Opened 8 years ago
Updated 2 years ago
A page opened via target="_blank" containing window.close(), will be able to close your browser tab.
Categories: Core :: DOM: Navigation, defect, P2
Status: NEW
People: Reporter: gianluca.guarini, Unassigned, NeedInfo
Keywords: testcase
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:51.0) Gecko/20100101 Firefox/51.0
Build ID: 20161110004022

Steps to reproduce:

Any page linked by a link with the target="_blank" attribute and containing a window.close(), will be able to close your tab. I made a github repo to demonstrate the issue https://github.com/dreipol/firefox-window-close-bug

Actual results:

The browser tab gets closed using `window.close()` even if the page was never opened via script

Expected results:

According to the specs (https://developer.mozilla.org/en-US/docs/Web/API/Window/close) a window.close call should be able to close windows that were only opened by a script using the window.open() method
Updated•8 years ago (Reporter)
OS: Unspecified → Mac OS X
Comment 1•8 years ago
I can reproduce on win10 and Ubuntu 16.04
Status: UNCONFIRMED → NEW
Component: Security → Document Navigation
Ever confirmed: true
OS: Mac OS X → All
Version: 51 Branch → Trunk
Comment 3•8 years ago
Per https://html.spec.whatwg.org/multipage/browsers.html#dom-window-close I think it should be.
Flags: needinfo?(annevk)
Comment 4•8 years ago (Reporter)
So this info is wrong at this point:
> [1] Starting in Firefox 46.0.1, Window.close() can no longer close windows that weren't opened by the same script. This is a security precaution.
Comment 5•8 years ago
(In reply to gianluca.guarini from comment #4)
> So this info is wrong at this point:
>
> > [1] Starting in Firefox 46.0.1, Window.close() can no longer close windows that weren't opened by the same script. This is a security precaution.

This change (well, with s/46/35/) was added in https://developer.mozilla.org/en-US/docs/Web/API/Window/close$revision/735053 by https://developer.mozilla.org/en-US/profiles/zetta.

Sheppy, what should we do with the docs here?
Flags: needinfo?(eshepherd)
Comment 6•7 years ago
(In reply to Anne (:annevk) from comment #3)
> Per https://html.spec.whatwg.org/multipage/browsers.html#dom-window-close I
> think it should be.

I'm assuming we're going by the "or if it is a top-level browsing context whose session history contains only one Document." at https://html.spec.whatwg.org/multipage/browsers.html#script-closable ?

We don't seem to implement that otherwise, in the sense that opening a new tab, loading a page, and calling window.close() gets you the error referenced in the MDN message ("Scripts may not close windows that were not opened by script.")

If I had to guess, then I would suspect that our implementation does not actually implement the spec and the only reason this behaviour is "per" spec is that we're treating window.open() with _blank and a user clicking a link that has _blank as identical, and so we treat the window (tab) as being "created by script" (the first clause in the spec). Which still feels like something we should fix (in addition to implementing the second part of the spec about toplevel no-history browser contexts).

Boris, do you know how we handle this stuff?
Flags: needinfo?(bzbarsky)
Comment 7•7 years ago
The way we implement it has little to do with the spec, the spec may or may not have anything to do with how other browsers implement this, and the spec may or may not be web-compatible.

What we do is close() is allowed to close windows if they ever had a window.opener. Which the target="_blank" case does, hence it's allowed to be closed.

It wouldn't be too hard to record whether the window was opened "by script" or not, actually. But we'd definitely need to at least implement the "no session history" bit to not break the web, last I checked..

In any case, the first step here is to write some careful tests and see what various different browsers do in different situations.
Flags: needinfo?(bzbarsky)
Comment 8•7 years ago
Using "window.opener" as our signal is also causing bug 1353466. We should add a special-purpose "was opened by script" flag rather than trying to hint at it with whether there's an opener.
Updated•7 years ago
Priority: -- → P2
Comment 9•7 years ago
Hey Samael, you've been working on other window.opener and session history issues, would you please help with this as well?
Flags: needinfo?(sawang)
Comment 10•7 years ago
(In reply to Boris Zbarsky [:bz] (still a bit busy) (if a patch has no decent message, automatic r-) from comment #7)
> It wouldn't be too hard to record whether the window was opened "by script"
> or not, actually. But we'd definitely need to at least implement the "no
> session history" bit to not break the web, last I checked..
>
> In any case, the first step here is to write some careful tests and see what
> various different browsers do in different situations.

Made a quick simple test for the script-closable part on Chrome & Edge:
http://freesamael.github.io/gecko/browsing-context/window-close/opener.html

Looks like Chrome allows script close if no session history, whether it's opened by script or a link. And allows script close if the page has an opener when session history contains more than 1 doc.

Edge always allows script close if it's opened by script, and always prompts for close with "The site you're on is trying to close this tab. Do you want to close this tab?" if it's opened by a link.

I didn't find test cases specifically for script-closable in web-platform-test. I'll try to add some.

And I think I should check if "Window.close() can no longer close windows that weren't opened by the same script." was ever implemented in Firefox.
Assignee: nobody → sawang
Flags: needinfo?(sawang)
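
The close rules compared in comments 6, 7 and 10, as an added example that is not part of the bug thread and is not Gecko or Chrome code: a small JavaScript model that tracks how a tab was created and how long its session history is, then reports where each rule differs from the spec's "script-closable" definition. All field and function names are hypothetical, and the Chrome result for a user-opened tab is an assumption extrapolated from comment 10.

```javascript
// Constructed model of the close() rules discussed in this bug; not Gecko code.
// All field and function names are hypothetical.

// via: "script" (window.open), "link" (user clicks target="_blank"),
//      "user" (user opens a tab and loads the page directly)
function openTab(via) {
  return {
    openedByScript: via === "script",   // the dedicated flag proposed in comment 8
    everHadOpener: via !== "user",      // comment 7: _blank links also get an opener
    historyLength: 1,                   // Documents in the session history
  };
}

// Loading another Document adds a session history entry.
function navigate(tab) {
  return { ...tab, historyLength: tab.historyLength + 1 };
}

const policies = {
  // HTML spec "script-closable": created by script, or only one Document.
  spec: (t) => t.openedByScript || t.historyLength === 1,
  // Gecko per comment 7: the window ever had a window.opener.
  gecko: (t) => t.everHadOpener,
  // Chrome per comment 10; the user-opened case is an extrapolation.
  chrome: (t) => t.historyLength === 1 || t.everHadOpener,
};

function scenarios() {
  const out = {};
  for (const via of ["script", "link", "user"]) {
    out[`${via}/first`] = openTab(via);
    out[`${via}/navigated`] = navigate(openTab(via));
  }
  return out;
}

// Scenarios where a policy lets window.close() succeed but the spec rule
// would not ("over"), or blocks it where the spec rule would allow ("under").
function compareToSpec(name) {
  const over = [], under = [];
  for (const [label, tab] of Object.entries(scenarios())) {
    const allowed = policies[name](tab), expected = policies.spec(tab);
    if (allowed && !expected) over.push(label);
    if (!allowed && expected) under.push(label);
  }
  return { over, under };
}

console.log("gecko :", compareToSpec("gecko"));
console.log("chrome:", compareToSpec("chrome"));
```

In this model the opener check and the spec rule disagree in two places: a link-opened tab that has since navigated can still be closed, and a user-opened tab on its first page cannot, which is the gap comment 6 describes.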
Updated•6 years ago
Assignee: freesamael → nobody
Comment 11•6 years ago
(In reply to Samael Wang [:freesamael] (away for now) from comment #10)
> Made a quick simple test for the script-closable part on Chrome & Edge:
> http://freesamael.github.io/gecko/browsing-context/window-close/opener.html

That page is 404 File not found.

- - - -

Just in case... albeit I am not sure if this helps:

Closing tab instances or single-tab windows not opened by javascript
http://www.gtalbot.org/BrowserBugsSection/MSIE7Bugs/ClosingWindowsNotOpenedByJS.html

Closing tab instances or single-tab windows not opened by javascript
http://www.gtalbot.org/BrowserBugsSection/MSIE7Bugs/ClosingWindowsNotOpenedByJS-2.html

- - - -

A window.close() test involving a javascript-initiated window whose session history contains only one document has never been created as far as I can say.

- - - -

(In reply to gianluca.guarini from comment #0)
> I made a github repo to demonstrate the issue
> https://github.com/dreipol/firefox-window-close-bug

Gianluca, I created your test here:
http://www.gtalbot.org/BugzillaSection/Bug1316857-window.close-target_blank-parent.html
and created
http://www.gtalbot.org/BugzillaSection/Bug1316857-window.close-target_blank-child.html
Updated•2 years ago
Severity: normal → S3