Closed
Bug 136081
Opened 22 years ago
Closed 22 years ago
If pop-ups are disable this page is able to close the browser window
Categories
(Core :: Security, defect)
Core
Security
Tracking
()
People
(Reporter: tuxracer, Assigned: security-bugs)
References
()
Details
From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux 2.4; en-US; rv:0.9.9) BuildID: 2002040103 If you have "[Allow JavaScript to] open unrequested windows" unchecked in your Javascript preferences and you goto http://daoc.warcry.com/ the page is able to close your browser window without permission. There should be an option to disable a website's ability to close your browser windows without permission just as there is an option to disable a website's ability to /open/ a window without permission. Reproducible: Always Steps to Reproduce: 1. Uncheck "open unrequested windows" in your Scripts & Windows preferences 2. Goto http://daoc.warcry.com/ 3. Notice you get a box blabbering about how you need to enable pop-ups then your browser window closes. Actual Results: Your browser window is forced to close. Expected Results: You should have been asked permission of whether or not to allow the website to close your browser window /or/ given the option to disable a website's ability to close your browser window in the Scripts & Windows settings. The following code is what I believe is the problem, it is located in the body: <script> <!-- Ch2 = 0; // --> </script> <script> <!-- PopUp = window.open('http://localhost','PopUpWindow','width=1,height=1,top=32767,left=32767,scrollbars=0,directories=0,menus=0,resizeable=0,status=0,toolbar=0'); Checker = PopUp.parent; PopUp.close(); Ch2 = Checker; // --> </script> <script LANGUAGE="JavaScript" src="http://www.popuptraffic.com/assign.php?l=warcry&mode=behind"> </script> <script LANGUAGE="JavaScript" src="http://www.popuptraffic.com/assign.php?l=warcry"> </script> <noscript> <meta http-equiv=refresh content='0;url=http://localhost/'> </noscript> <script> <!-- if(Ch2) { expireDate = new Date; expireDate.setMonth(expireDate.getMonth()+6); document.write("<img src='http://warcry.com/scripts/set_global.php?name=popups_disabled&value=1018214994' height=1 width=1>"); document.write("<img src='http://xrgaming.net/scripts/set_global.php?name=popups_disabled&value=1018214994' height=1 width=1>"); document.cookie = "popups_disabled="+1018214994+";expires="+expireDate.toGMTString()+";path=/"; Ch3=0; } else { Ch3=1; } // --> </script> <script> <!-- if(Ch3) { alert("Due to high bandwidth costs, the Warcry Network has been forced to introduce popup advertisements. Without these advertisements, we earn no income to pay for the servers, and will be forced to shut down.\n\nTo continue to visit our sites, please disable any additional programs you may run that prevent our advertisements from displaying, and we'll do our best to make sure that they are only an occasional annoyance and not a serious problem.\n\nThank you for your support."); window.close(); } // --> </script>
Comment 1•22 years ago
|
||
Browser, not engine. Reassigning to Browser-General for help on this. I notice have this line in (path to Mozilla)/bin/defaults/pref/all.js: pref("capability.policy.default.Window.close", "allAccess"); Is that what the user would change in order to block window.close()? If so, what value should replace "allAccess", just "noAccess"? Also - is there a GUI interface for this, or must it be done by hand in all.js?
Assignee: rogerl → Matti
Component: JavaScript Engine → Browser-General
QA Contact: pschwartau → imajes-qa
Comment 2•22 years ago
|
||
related bugs : bug 32571 (and bug 103452) -> Security
Assignee: Matti → mstoltz
Component: Browser-General → Security: General
QA Contact: imajes-qa → bsharma
Assignee | ||
Comment 3•22 years ago
|
||
bug 32571 should fix this issue, so marking dup. That fix will prevent a script from closing windows that were not opened by script. We could add an option under Scripts and Windows to block all window.close(), but I think that's less useful, and I don't want to clutter that pref panel. Please let me know if you disagree. *** This bug has been marked as a duplicate of 32571 ***
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
Reporter | ||
Comment 4•22 years ago
|
||
Sounds great, I didn't even think of that. Yeah, because most scripts use window.close() for legitimate purposes, so it would be better not to just disable that all together I just didn't think of something like that. Also those who /really/ want to block that can just menually add user_pref("capability.policy.default.Window.close", "noAccess"); to their prefs.js file. Thanks much!
You need to log in
before you can comment on or make changes to this bug.
Description
•