Closed
Bug 144726
Opened 23 years ago
Closed 21 years ago
Can use form.submit() to circumvent popup blocking, window.open() prefs
Categories
(SeaMonkey :: UI Design, defect)
SeaMonkey
UI Design
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 210560
Future
People
(Reporter: jnerin, Assigned: shliang)
References
()
Details
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0rc2) Gecko/20020510
BuildID: 2002051009
If you open the page http://redvip.homelinux.net/popup.html a new popup is
launched althougth it shouldn't as I have it not allowed in my preferences.
Reproducible: Always
Steps to Reproduce:
1.go to http://redvip.homelinux.net/popup.html
2.wait until it finishes loading
3.see for yourself
Actual Results: A new popup window is launched
Expected Results: nothing, I have not allowed to open new windows to the scripts.
The code responsible for this is the next one:
<script LANGUAGE="JavaScript">
self.defaultStatus = "Done";
</SCRIPT>
<script language=JavaScript>
<!--//
function loadpopup()
{
document.flauncher.submit();
focus();
setTimeout('focus()',2000);
}
// -->
</script>
<body onLoad='loadpopup()'>
<form name='flauncher' action='http://redvip.homelinux.net/popup2.html'
target='adv' method='get' onSubmit='focus();'>
</form>
Comment 1•23 years ago
|
||
Confirming.
I experience this too, unless I also uncheck "Open a link in a new window" in
addition to "Open unrequested windows" in Preferences > Advanced > Scripts &
Windows.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 2•23 years ago
|
||
Sorry, the link is opening due to the "target" on the form, not because of
anything the JS does. So in fact "Open a link in a new window" is the pref that
should control it.
The fact that we should have a _single_ checkbox that toggles both prefs is a
separate issue, already filed.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → INVALID
Comment 3•23 years ago
|
||
Verified Invalid with Mozilla trunk binary 2002051408 on WinNT.
Unchecking "Open a link in a new window" pref stops the new window.
This does get confusing, because there are so many variations.
Jorge: you might like to cc yourself on bug 115353,
"Clean up UI and Wording for Scripts and Windows Pref"
The idea there is to make the user interface clearer on these issues.
Status: RESOLVED → VERIFIED
Comment 4•23 years ago
|
||
I don't agree that this bug is invalid.
> Sorry, the link is opening due to the "target" on the form,
> not because of anything the JS does.
The JS submits the form and hence opens the window.
> So in fact "Open a link in a new window" is the pref that
> should control it.
There are no links involved here. The user opens the page. On load a JS function
is called, which opens the window. The fact that it is opened using submit() on
a form with a named target instead of window.open() doesn't make any difference
to the user.
If JS is able to open windows using form.submit() even though "Open unrequested
windows" is unchecked, then this option doesn't make much sense at all, because
it is easily circumvented. The "popup spammer" could just replace all
window.open() calls with form.submit(). He may not be able to specify whether
the window should have toolbars etc., but he /is/ still able to open a window.
> The fact that we should have a _single_ checkbox that toggles
> both prefs is a separate issue, already filed.
If the two options are merged into one checkbox, this discussion is no longer
relevant. Will this actually happen or is it only being discussed? Could you
provide a bug # ?
Reporter | ||
Comment 5•23 years ago
|
||
I know that unchecking "Open a link in a new window" pref stops the new window,
but then the page changes to the "popup" one, I think the correct way of doing
this is to ignore the form submit like if it was a timed popup.
As it has been said it's easy for a webmaster to change it's popups to be this
way, defeating this javascript preference, in fact I got this code from a
working popup.
Comment 6•23 years ago
|
||
I think there's enough interest in this bug to reopen it for discussion,
but this is in no way a JavaScript Engine issue. I will reassign to
the Browser-General component, and resummarize as per Comment #4.
Status: VERIFIED → REOPENED
Resolution: INVALID → ---
Summary: A new popup window is open although it's not permited in scripts preferences → Can use form.submit() to circumvent window.open() prefs
Comment 7•23 years ago
|
||
Reassigning to Browser-General for further discussion either way
on this issue -
Assignee: rogerl → Matti
Status: REOPENED → NEW
Component: JavaScript Engine → Browser-General
QA Contact: pschwartau → imajes-qa
Comment 8•23 years ago
|
||
-> Caps
Assignee: Matti → mstoltz
Component: Browser-General → Security: CAPS
QA Contact: imajes-qa → bsharma
Updated•23 years ago
|
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.1beta
Comment 9•23 years ago
|
||
*** Bug 146297 has been marked as a duplicate of this bug. ***
Comment 10•23 years ago
|
||
Although it is not a 'bug' in the Javascript Engine, it still defeats the
purpose of the popup-blocker.
I want to be able to open new windows if I click on a link. I do *not* want new
windows to open if I do *not* click on the link that opens the window myself!
This code opens a new window that is definitely 'unrequested' - so it should (if
at all possible) be blocked if a user has 'Open unrequested windows' disabled.
My idea how to fix this (I don't know how Mozilla works internally though, so
have no idea how hard this would be to implement): If the 'Open unrequested
windows' function is disabled, Javascript should not be able to submit forms
that have a not-yet-existing target (i.e. one that will open in a new windows).
This should be possible to do: the Javascript Engine knows which form it's going
to submit, so it can lookup it's target, and check whether that is an existing
window or frame.
Am I making sense here?
Comment 11•23 years ago
|
||
So you're saying that the "open link in new window" pref and the "open
unrequested windows" pref should be a single pref, basically? Yes, that's true.
Also see bug 126224 and bug 132031.
Comment 12•22 years ago
|
||
*** Bug 140239 has been marked as a duplicate of this bug. ***
Comment 13•22 years ago
|
||
*** Bug 152073 has been marked as a duplicate of this bug. ***
Comment 14•22 years ago
|
||
From dup bug 152073: if you uncheck the "allow web pages to open a link in a new
window" pref, the form submits to the same window instead of a new window. That
would make sense if the form submit had been triggered by the user, but in this
case it means that an advertisement replaces the page.
Comment 15•22 years ago
|
||
> So you're saying that the "open link in new window" pref and the "open
> unrequested windows" pref should be a single pref, basically?
Absolutely not. There is a difference between CLICKING a link that has a
"_blank" target, and a JS that does it "for me". As was said in comment #10 I
want to be able to click links and have a popup happen WHEN I CLICK, not when I
didn't do anything.
doubleclick is already exploiting this. Take a look at bug 158462. The JS taken
from the NY Times site where the doubleclick ad is located:
<script name="javascript">
<!--
function submitCCCForm()
{
PopUp = window.open('',
'_Icon','location=no,toolbar=no,status=no,width=650,height=550,scrollbars=yes,resizable=yes');
this.document.cccform.submit();
}
// -->
</script>
Comment 16•22 years ago
|
||
*** Bug 152007 has been marked as a duplicate of this bug. ***
Comment 18•22 years ago
|
||
*** Bug 164399 has been marked as a duplicate of this bug. ***
Updated•22 years ago
|
OS: Linux → All
Hardware: PC → All
Comment 19•22 years ago
|
||
This is strange. I do not see any pop-up at all !
Maybe because 1.1 branch is not concerned ?
OS: All → Linux
Hardware: All → PC
Comment 20•22 years ago
|
||
More descriptive URL:
http://zetafleet.com/dev/bug/popup/index.shtml
(I do not have sufficient user rights to change the address)
Problem may have been resolved in nightly builds since 1.1b, but two nights' ago
build rendered Mozilla non-functional for me, and as such, I have been unable to
upgrade to a version later than 20020721.
Comment 21•22 years ago
|
||
*** Bug 167719 has been marked as a duplicate of this bug. ***
Comment 22•22 years ago
|
||
*** Bug 166953 has been marked as a duplicate of this bug. ***
Comment 23•22 years ago
|
||
I just ran into this behavior myself, and did enough bugzilla'ing to find this
report. Maybe "popup" should be added to the summary to head off more dupes?
I'm running Mozilla 1.2b
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2b) Gecko/20021016
The text of the Javascript is exactly the same (right down to "flauncher") of
the original reporter.
Comment 24•22 years ago
|
||
Following Todd's suggestion, added "popup blocking" to summary -
Summary: Can use form.submit() to circumvent window.open() prefs → Can use form.submit() to circumvent popup blocking, window.open() prefs
Comment 25•22 years ago
|
||
http://www.popupad.net/ advertising site that uses this trick
Comment 26•22 years ago
|
||
I'm using 1.3b, this problem still exists
http://www.land.ee/d_nimo_codec.html also uses this trick to do pop-ups.
Perhaps this is not just a pop-up issue. But an issue regarding the security of
allowing a webpage to call form.submit without the user taking any action to do so.
What reason would a website have to call a form.submit in the body onLoad beyond
spam / malicious actions?
Comment 27•22 years ago
|
||
> What reason would a website have to call a form.submit in the body onLoad
> beyond spam / malicious actions?
Try the "bugzilla" form at http://www.cs.hmc.edu/~jruderma/s/ . Calling
form.submit in onload is legit; opening a new window with an onload form.submit
is not.
Comment 28•22 years ago
|
||
But that page just takes data entered in a form, then creates another page,
processes the data in the URL, and then posts it in another form. It could
easily be done in just one page without that second auto-submit. Even with forms
requiring POST data rather than GET, it's still easy to do it all on one page.
Anyways... what's the fix? If form submit is called during the onLoad event,
then do not listen to the 'target' tag, open the page in the current window...
Also... to show the evil this issue can cause (make sure you've saved all your
data, cause this is going to kill Mozilla):
http://theedgeofforever.com/test.html
Comment 29•22 years ago
|
||
"Anyways... what's the fix? If form submit is called during the onLoad event,
then do not listen to the 'target' tag, open the page in the current window..."
Oh my, no, I think that would be even worse then the current situation!!
Imagine visiting a site that uses this popup 'trick', in that case the popup-ad
would replace the page you're looking at! That would, IMHO, even be several
orders of magnitude more annoying than getting the occasional popup window.
I think that when a page is submitted during javascript onLoad() with a
non-existing target (i.e. not the name one of the existing frames, but _BLANK or
some non-existing target that will make Mozilla open a new window), the submit
should just be thoroughly ignored.
That is, if the 'open unrequested windows' option is disabled in the prefs,
ofcourse.
I have made a small test-page at http://www.havinga.nu/popup.html . In my
opinion, this 'bug' will be fixed when the code on that page doesn't make the
Mozilla.org site pop up anymore. It *definitely* shouldn't be opening
Mozilla.org in the current window (overwriting whatever page you where viewing).
Comment 30•22 years ago
|
||
Mike Odom: http://www.cs.hmc.edu/~jruderma/quicksearch.html (the page that uses
form.submit onload) allows http://www.cs.hmc.edu/~jruderma/s/ to load more
quickly, and it allows me to make and use a "bug search" bookmarklet.
Comment 31•22 years ago
|
||
I'm using 1.3 and this problem has bitten me. I agree with previous posters
that having a form automatically submit (to generate a popup) without any
warning is a security issue.
Comment 32•22 years ago
|
||
this BUG annoys me too... very very much.
here's my suggestion for a fix:
instead of having this page submit automatically, when the line
"document.flauncher.submit();" is executed AND the form itself has either
"target='_new'" or "target='some_window_that_does_not-exist'", i think that the
form should not be submitted. Instead, a button should appear, maybe on the
taskbar or next to the title on the tab at the top. When you click on this
button, the form would finish submitting. The tooltip for this button should say
"A form submission was stopped. Click here to submit it now.". That way, no
functionality would be lost, and unauthorized popups would not occur.
Comment 33•22 years ago
|
||
*** Bug 202582 has been marked as a duplicate of this bug. ***
Comment 34•22 years ago
|
||
*** Bug 202920 has been marked as a duplicate of this bug. ***
Comment 35•22 years ago
|
||
*** Bug 203348 has been marked as a duplicate of this bug. ***
Comment 36•22 years ago
|
||
*** Bug 204315 has been marked as a duplicate of this bug. ***
Comment 37•22 years ago
|
||
*** Bug 204361 has been marked as a duplicate of this bug. ***
Comment 38•22 years ago
|
||
*** Bug 206535 has been marked as a duplicate of this bug. ***
Comment 39•22 years ago
|
||
*** Bug 206493 has been marked as a duplicate of this bug. ***
Updated•22 years ago
|
OS: Linux → All
Hardware: PC → All
Comment 40•22 years ago
|
||
Moving Popup Blocking bugs to XPApps, assigning to shliang
Assignee: mstoltz → shliang
Status: ASSIGNED → NEW
Component: Security: CAPS → XP Apps
Comment 41•21 years ago
|
||
*** Bug 208830 has been marked as a duplicate of this bug. ***
Comment 42•21 years ago
|
||
*** Bug 210474 has been marked as a duplicate of this bug. ***
Comment 43•21 years ago
|
||
*** Bug 211597 has been marked as a duplicate of this bug. ***
Comment 44•21 years ago
|
||
*** Bug 211659 has been marked as a duplicate of this bug. ***
Comment 45•21 years ago
|
||
The fix for bug 104470 might provide a clue for how to fix this bug.
Comment 46•21 years ago
|
||
Interested folks should upgrade to a trunk build post 20030625 for the fix.
*** This bug has been marked as a duplicate of 210560 ***
Status: NEW → RESOLVED
Closed: 23 years ago → 21 years ago
Resolution: --- → DUPLICATE
Updated•20 years ago
|
Blocks: pop-up-arms-race
Updated•20 years ago
|
Product: Core → Mozilla Application Suite
You need to log in
before you can comment on or make changes to this bug.
Description
•