Closed Bug 138077 Opened 22 years ago Closed 22 years ago

non javascript generated window can be closed without confirmation

Categories

(Core :: DOM: Core & HTML, defect)

x86
Windows 98
defect
Not set
major

RESOLVED INVALID

People

(Reporter: svl-bmo, Assigned: jst)

Details

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:0.9.9) Gecko/20020311
BuildID:    2002031104

Malicious sites can close your browser window with window.close (losing all your
tabs) without the regular confirmation dialog appearing.

Reproducible: Always
Steps to Reproduce:
1. Visit http://www.digitalcurse.com/shinter/
2. Click the red launch button.


Actual Results:  Your original window closes without asking for permission.

Expected Results:  A request window should appear, asking you for permission to
close the window.

The website uses malicious (though somewhat clever) javascript to fool Mozilla
into believing the window was actually created by a javascript and may thus be
'safely' closed without asking for permission. When you have a few dozen tabs
open, this is extremely annoying (though the bug on limiting the scope of
window.close should take care of the worst of this problem).

function fatherclose() {
 father = window.self;
 father.opener = window.self;
 father.close();
}

Not knowing any of the underlying code, it seems to me that the solution consists
of having the determination on how a window was created be made before any
javascript on the page is executed, and from then on be impossible to change.

*high embarrassment mode*
oops
-> invalid
For some reason I was under the mistaken impression that Mozilla did usually ask
for confirmation. But of course as seen by bug 32571 it doesn't (at least not in
0.9.9) - not certain how this would be handled with a correct patch for that
applied, but right now I certainly shouldn't expect a confirmation dialog.
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Resolution: --- → INVALID
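
Added example, not part of the original report and not Mozilla's code: a toy model of the fix proposed in the description, where how a window was created is recorded once at creation and cannot be changed by page script, set beside a close policy that trusts the script-writable opener property. ToyWindow, closeTrustingOpener, closeUsingCreationFlag and demo are hypothetical names, and the opener-trusting policy is an assumption for comparison, not a description of what any Mozilla build does.

```javascript
// Toy model only: every class and function name here is hypothetical.
class ToyWindow {
  #openedByScript;                 // fixed at creation; no setter exists
  constructor(openedByScript, opener = null) {
    this.#openedByScript = openedByScript;
    this.opener = opener;          // script-writable, as in the report
    this.closed = false;
    this.promptShown = false;
  }
  get openedByScript() { return this.#openedByScript; }
}

// Assumed weak policy: any window with an opener counts as script-created.
function closeTrustingOpener(win) {
  if (win.opener === null) { win.promptShown = true; return "prompt"; }
  win.closed = true;
  return "closed";
}

// Proposed policy: decide from the immutable creation-time flag.
function closeUsingCreationFlag(win) {
  if (!win.openedByScript) { win.promptShown = true; return "prompt"; }
  win.closed = true;
  return "closed";
}

// The report's fatherclose(), applied to a model window and a close policy.
function fatherclose(win, closePolicy) {
  const father = win;
  father.opener = win;             // page script rewrites opener
  return closePolicy(father);
}

function demo() {
  const userWindowA = new ToyWindow(false);       // opened by the user
  const userWindowB = new ToyWindow(false);       // opened by the user
  const popup = new ToyWindow(true, userWindowB); // opened by script
  return {
    weak: fatherclose(userWindowA, closeTrustingOpener),
    hardened: fatherclose(userWindowB, closeUsingCreationFlag),
    popup: closeUsingCreationFlag(popup),
  };
}

console.log(demo());
```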