Closed
Bug 132924
Opened 22 years ago
Closed 22 years ago
JS function window.close() is too easily abused
Categories
(Core :: Security: CAPS, defect)
Tracking
()
People
(Reporter: josephgrossberg, Assigned: security-bugs)
Details
From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9) Gecko/20020311 BuildID: 2002031115 in any page, you can put the JS function window.close() and it will close the browser: * without any prompting * regardless of whether or not the window was opened by JS in the first place I see a serious potential for abuse; for example, a site could open a porn/ad popup and then close the parent browser window (losing all the history, other open tabs, etc.). Reproducible: Always Steps to Reproduce: 1. make a blank HTML page 2. put BODY onLoad="window.close()" 3. try to load the page in your browser Actual Results: it appears for a split-second and then the browser closes Expected Results: it should fail, it should throw a JS error or something in between (maybe an OK/Cancel dialogue box?)
Comment 1•22 years ago
|
||
Reassigning to Security: CAPS for consideration -
Assignee: rogerl → mstoltz
Component: JavaScript Engine → Security: CAPS
QA Contact: pschwartau → bsharma
Comment 2•22 years ago
|
||
Confirming for consderation. Joe, could you make a reduced testcase and attach it to this bug via the "Create a New Attachment" link above? Thanks, that will speed things along -
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 3•22 years ago
|
||
This should be taken care of by bug 103452 (javascript window.close should close tab, not complete browser window) and bug 32571 (close() can close windows it doesn't own).
Comment 4•22 years ago
|
||
*** This bug has been marked as a duplicate of 32571 ***
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•