Closed Bug 1576623 Opened 5 years ago Closed 5 years ago

"Report Deceptive Site" can be blocked via onbeforeunload

Categories

(Firefox :: Security, defect)

defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 1263100

People

(Reporter: pbz, Unassigned)

Details

Attachments

(1 file)

A website can call window.location.reload() in a beforeunload event handler to block users from reporting it to SafeBrowsing via the Firefox UI (Help -> Report Deceptive Site).
Instead of navigating to the SafeBrowsing report page, the browser will perform a reload of the current page.

I've attached a PoC.
Found on this scam website: hxxp://prize6127.tutonhamon71.live/6426073502/?u=gg4p605&o=5ffwrnh&f=1

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Group: firefox-core-security
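
A triage heuristic for the behaviour reported above, as an added example that is not part of the bug report or of Firefox: it scans a page's script source for beforeunload handlers that call location.reload(). The function names, the regex-based parsing and the sample scripts are assumptions constructed for illustration.

```javascript
// Added example: heuristic triage scanner, not Firefox or Safe Browsing code.
const REGISTRATION =
  /addEventListener\s*\(\s*['"`]beforeunload['"`]\s*,\s*|\bonbeforeunload\s*=(?!=)\s*/g;
const RELOAD_CALL = /\blocation\s*\.\s*reload\s*\(/;

// Text of the first balanced {...} block at or after `from`.
// Braces inside strings or comments are not handled (heuristic).
function blockAfter(src, from) {
  const start = src.indexOf('{', from);
  if (start === -1) return '';
  let depth = 0;
  for (let i = start; i < src.length; i++) {
    if (src[i] === '{') depth++;
    else if (src[i] === '}' && --depth === 0) return src.slice(start, i + 1);
  }
  return src.slice(start); // unbalanced: scan to end of script
}

// Resolve the handler body for a registration; `rest` starts at the handler.
function handlerBody(src, rest) {
  const named = rest.match(/^([A-Za-z_]\w*)\s*[,;)\n]/);
  if (named) { // handler passed by name: find its definition
    const decl = src.search(new RegExp(
      `function\\s+${named[1]}\\s*\\(|\\b${named[1]}\\s*=\\s*(?:async\\s*)?(?:function|\\()`));
    return decl === -1 ? '' : blockAfter(src, decl);
  }
  const concise = rest.match(/^(?:\([^)]*\)|\w+)\s*=>\s*([^{\s][^;\n]*)/);
  return concise ? concise[1] : blockAfter(rest, 0);
}

// Return the 1-based line of each beforeunload registration whose handler reloads.
function findReloadOnUnload(src) {
  const lines = [];
  for (const m of src.matchAll(REGISTRATION)) {
    const body = handlerBody(src, src.slice(m.index + m[0].length));
    if (RELOAD_CALL.test(body)) lines.push(src.slice(0, m.index).split('\n').length);
  }
  return lines;
}

// Constructed sample scripts (not taken from the reported site).
const SAMPLES = {
  inline: "window.addEventListener('beforeunload', function () {\n  window.location.reload();\n});",
  named: "function onLeave() { location.reload(); }\n\nwindow.onbeforeunload = onLeave;",
  benign: "window.addEventListener('beforeunload', (e) => {\n  e.preventDefault();\n});\nrefresh.onclick = () => { location.reload(); };",
};
for (const [name, src] of Object.entries(SAMPLES)) console.log(name, findReloadOnUnload(src));
```

A hit is a lead for manual review, not a verdict: the scanner reads source text only and does not follow handlers assembled at runtime.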