Closed
Bug 138077
Opened 22 years ago
Closed 22 years ago
non javascript generated window can be closed without confirmation
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
INVALID
People
(Reporter: svl-bmo, Assigned: jst)
References
()
Details
From Bugzilla Helper: User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:0.9.9) Gecko/20020311 BuildID: 2002031104 Malicious sites can close your browser window with window.close (losing all your tabs) without the regular confirmation dialog appearing. Reproducible: Always Steps to Reproduce: 1. Visit http://www.digitalcurse.com/shinter/ 2. Click the red launch button. Actual Results: Your original window closes without asking for permission. Expected Results: A request window should appear, asking you for permission to close the window. The website uses malicious (though somewhat clever) javascript to fool Mozilla into believing the window was actually created by a javascript and may thus be 'safely' closed without asking for permission. when you have a few dozen tabs open, this is extremely annoying (though the bug on limiting the scope of window.close should take care of the worst of this problem) function fatherclose() { father = window.self; father.opener = window.self; father.close(); } Not knowing any of the underlying code, it seems to me that the solution consist of having the determination on how a window was created be made before any javascript on the page is executed, and from then on be impossible to change.
*high embarassment mode* oops -> invalid For some reason I was under the mistaken impression that mozilla did usually ask for confirmation. But of course as seen by bug 32571 it doesn't (at least not in 0.9.9) - not certain how this would be handled with a correct patch for that applied, but right now I certainly shouldn't expect a confirmation dialog.
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Resolution: --- → INVALID
You need to log in
before you can comment on or make changes to this bug.
Description
•