Open Bug 1488995 Opened 3 years ago Updated 2 years ago
user navigation doesn't abort JS location navigation when JS alert() is open
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Build ID: 20180621121604 Steps to reproduce: Trigger a JS alert() or confirm() modal dialog box from an http/https origin, that sets window.location after it is closed. When the dialog box is open, try navigating to a different site (eg. mozilla.org) via the omnibox or a bookmark. (Attached minimal case must be served over http, such as `python3 -m http.server 3333`, as file:// doesn't seem to display the same behavior) Actual results: I am redirected to the window.location=".." url, and not the site I entered in the omnibox. The history shows [test.html, mozilla.org, test.html]. Expected results: I should go to the site I entered in the omnibox, and not where the page wants me to go after the alert is closed. The history should show [mozilla.org, test.html]. I discovered this as my bank has a confirm() dialog when sessions time out that navigates to the bank home page on a cancel. Some times I'll try to navigate away from it and only realize I'm still on my bank's page after I've logged in again. This strikes me as a potential security issue, as it can prevent people from navigating away from a malicious site via omnibar or bookmarks (closing the tab appears to works fine though).
Chrome has the same behavior, this might even be the specified order of operations. (when I go back in history I get the page I navigated to even though it didn't display).
Status: UNCONFIRMED → NEW
Component: Untriaged → DOM: Core & HTML
Ever confirmed: true
Product: Firefox → Core
You need to log in before you can comment on or make changes to this bug.