Closed Bug 1411537 Opened 7 years ago Closed 7 years ago

"Resend Post-Data" message should be able to be skipped

Categories

(Core :: DOM: Navigation, defect, P3)

Product:
Core
Component:
DOM: Navigation
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1412559

People

(Reporter: firefoxbugzilla, Unassigned)

Details

Attachments

(1 file)

PCAP of the enless loop code
59.36 KB, application/x-pcapng
Details 
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20170928210252

Steps to reproduce:

I got onto a page that tried to scam me into downloading a "new version of firefox" and I was unable to close it.


Actual results:

I recently got onto a scam-page that I wasn't able to close because everytime I tried to close either the tab or the window, it asked me if I really wanted to close that page, and after that, tried to resend some hidden formular with POST, so the "resend post-data" message apperated. There were only two options: resend the page, which leads to the same page again, or close the browser, which then tried to asked me whether I really want to close that page or not and no matter what I did there, it tried re-sending the post-data and showing me that post-data-resend-dialog.


Expected results:

There should be an option, like in alert()-messages, that I do not want to see further dialogs from this page and just want to close it. Optimally, there should be an option that I never want to see that "do you really want to close this site?"-dialog again. This would take away another scammer's method to keep one on their site.
Component: Untriaged → Document Navigation
Product: Firefox → Core
(In reply to firefoxbugzilla from comment #0)
> User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
> Firefox/52.0
> Build ID: 20170928210252
> 
> Steps to reproduce:
> 
> I got onto a page that tried to scam me into downloading a "new version of
> firefox" and I was unable to close it.
> 
> 
> Actual results:
> 
> I recently got onto a scam-page that I wasn't able to close because
> everytime I tried to close either the tab or the window, it asked me if I
> really wanted to close that page, and after that, tried to resend some
> hidden formular with POST, so the "resend post-data" message apperated.
> There were only two options: resend the page, which leads to the same page
> again, or close the browser, which then tried to asked me whether I really
> want to close that page or not and no matter what I did there, it tried
> re-sending the post-data and showing me that post-data-resend-dialog.
> 
> 
> Expected results:
> 
> There should be an option, like in alert()-messages, that I do not want to
> see further dialogs from this page and just want to close it. Optimally,
> there should be an option that I never want to see that "do you really want
> to close this site?"-dialog again. This would take away another scammer's
> method to keep one on their site.

Does this meet what you expect ultimately?
https://support.mozilla.org/en-US/questions/1067058
Flags: needinfo?(firefoxbugzilla)
Priority: -- → P3
The workaround does not help the normal user against this kind of attack/annoyance.

PCAP included
See Also: → 1416345
According to the pcap, the site uses an iframe to POST a form and then make a reload in the redirected page. That matches the behavior of bug 1412559 and all duplicated bugs of it.

It looks this POST trick has been a common pattern across multiple spam sites, sadly we couldn't roll out the fix sooner.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Flags: needinfo?(firefoxbugzilla)
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: