Open Bug 1488995 Opened 4 years ago Updated 10 months ago

user navigation doesn't abort JS location navigation when JS alert() is open


(Core :: DOM: Core & HTML, defect, P5)

63 Branch




(Reporter: simonpatp, Unassigned)


(Blocks 1 open bug)



(1 file)

185 bytes, text/html
Attached file test.html
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Build ID: 20180621121604

Steps to reproduce:

Trigger a JS alert() or confirm() modal dialog box from an http/https origin, that sets window.location after it is closed. When the dialog box is open, try navigating to a different site (eg. via the omnibox or a bookmark. (Attached minimal case must be served over http, such as `python3 -m http.server 3333`, as file:// doesn't seem to display the same behavior)

Actual results:

I am redirected to the window.location=".." url, and not the site I entered in the omnibox. The history shows [test.html,, test.html].

Expected results:

I should go to the site I entered in the omnibox, and not where the page wants me to go after the alert is closed. The history should show [, test.html]. I discovered this as my bank has a confirm() dialog when sessions time out that navigates to the bank home page on a cancel. Some times I'll try to navigate away from it and only realize I'm still on my bank's page after I've logged in again. This strikes me as a potential security issue, as it can prevent people from navigating away from a malicious site via omnibar or bookmarks (closing the tab appears to works fine though).
Chrome has the same behavior, this might even be the specified order of operations. (when I go back in history I get the page I navigated to even though it didn't display).
Blocks: eviltraps
Group: firefox-core-security
Component: Untriaged → DOM: Core & HTML
Ever confirmed: true
Product: Firefox → Core
Priority: -- → P5
You need to log in before you can comment on or make changes to this bug.