Closed Bug 1685056 Opened 4 years ago Closed 4 years ago

Popup Blocker bar disappears immediately after window.open is called by a script in an iframe, and that iframe gets removed.

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
86 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- unaffected
firefox84 --- unaffected
firefox85 + fixed
firefox86 --- fixed

People

(Reporter: jdescottes, Assigned: emilio)

References

(Depends on 1 open bug, Regression)

Details

(Keywords: regression)

Attachments

(4 files)

test-case, sorta
423 bytes, text/html
Details
beautified code from the page.
2.09 KB, text/plain
Details
block-tabnapping.js
16.48 KB, application/x-javascript
Details
Bug 1685056 - For an initial, same-origin iframe, consume activation on the parent page for multiple-popup blocking. r=edgar,smaug
48 bytes, text/x-phabricator-request
jcristau
: approval-mozilla-beta+
Details | Review

From discourse report at https://discourse.mozilla.org/t/targeted-links-issue/73003/12

STRs:

The event on this link is captured by a script which instead calls window.open. This logically triggers the popup blocker, however the "bar" normally displayed on top of the page disappears immediately, which means the user has no way to allow this popup?

The script responsible for handling the event is at https://doubleaction.com/wp-content/cache/autoptimize/js/autoptimize_c380e1896cbe551ce5d72164a41dc9e2.js

The unminified handler is

  function t(e) {
    var t,
    o,
    i,
    d;
    return e = e || window.event,
    t = e.currentTarget || e.srcElement,
    i = t.getAttribute('href'),
    i && (d = e.ctrlKey || e.shiftKey || e.metaKey, o = t.getAttribute('target'), d || o && !r(o)) ? (n.open(i), e.preventDefault ? e.preventDefault() : e.returnValue = !1, !1) : void 0
  }

n.open(i) is

  u = window.open;
  n.open = function (e, n, t) {
    var o;
    return r(n) ? u.apply(window, arguments) : d ? (o = u.apply(window, arguments), o.opener = null, o) : i(e, n, t)
  },

I think this should be allowed with transient activation. Edgar, could you double check? Thanks!

Severity: -- → S3
Depends on: 1656444
Flags: needinfo?(echen)

This looks like a recent-ish regression, the page works in 83.

Has Regression Range: --- → yes

[Tracking Requested - why for this release]: Broken popup blocker UX.

tracking-firefox85: --- → ?
Attached file test-case, sorta

sorta, since this doesn't work in Chrome either...

It seems they're using this library, which basically injects a display: none iframe and calls window.open() on that iframe, then removes it.

The reason this works on other browsers on that particular page is... UA-sniffing, of course :(

Ok, given that, and that the minimized test-case doesn't work on other browsers, I think we need to fix the popup bar to not disappear. I contacted the site so it can hopefully be fixed too. Firefox was never vulnerable to the vulnerabilities blankshield.js protects against, afaict. That library can pretty much be removed at this point.

It seems the sniffing code comes from a pretty popular wordpress plugin https://pluginarchive.com/wordpress/better-wp-security

The code for the plugin is no longer open source, but I downloaded the latest release and could find it under better-wp-security/core/modules/wordpress-tweaks/js/block-tabnapping.js

This plugin is no longer open source and is developed by https://ithemes.com

Attached file block-tabnapping.js

Original file from the WP plugin with UA sniffing logic.

FML :-(

So, the other annoying thing, is that fixing the popup blocker UI is not so straight-forward as I hoped.

Turns out we keep the blocked popups on the child process, keyed per window, and only query them when needed. So if the window is gone, it's not like we could retrieve the blocked popup...

Mike, I don't know how important lazily-retrieving the popups is, mind commenting? If we could send them as we blocked them, we could probably just make this a bunch of C++ and just fire PopupBlocked events in the top-level <browser> or something.

Flags: needinfo?(mconley)
Summary: Popup Blocker bar disappears immediately after window.open is called by a script → Popup Blocker bar disappears immediately after window.open is called by a script in an iframe, and that iframe

So, I guess, alternatives:

  • Hack around this particular case, checking user activation on the parent window if in-process for popup-blocking. This could be the easiest I guess... Slightly unfortunate.
  • Backing out the offending patch (maybe only from beta for now?) while we sort this out, either fixing the blocker UI, or something else.
  • Some sort of compat intervention.
Summary: Popup Blocker bar disappears immediately after window.open is called by a script in an iframe, and that iframe → Popup Blocker bar disappears immediately after window.open is called by a script in an iframe, and that iframe gets removed.

(In reply to Emilio Cobos Álvarez (:emilio) from comment #10)

Mike, I don't know how important lazily-retrieving the popups is, mind commenting? If we could send them as we blocked them, we could probably just make this a bunch of C++ and just fire PopupBlocked events in the top-level <browser> or something.

I think the consideration here is that we don't want content processes to be able to spam the parent process with PopupBlocked events - see https://searchfox.org/mozilla-central/rev/31ddf859c57e812878a5f817e4097efb06de4d97/toolkit/actors/PopupBlockingChild.jsm#120-123, for example.

If we can ensure that these are throttled, then yes, I can't off the top of my head think of a reason why we couldn't send this stuff to the parent to hold onto.

Flags: needinfo?(mconley)
Assignee: nobody → emilio
Status: NEW → ASSIGNED
Flags: needinfo?(emilio)
Flags: needinfo?(echen)
See Also: → 1686097

I filed bug 1686097 for the confusing UI here, and the issue with iframes and such.

Set release status flags based on info from the regressing bug 1679456

status-firefox84: --- → unaffected
status-firefox85: --- → affected
status-firefox86: --- → affected
status-firefox-esr78: --- → unaffected
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ac406d1aa9a7 For an initial, same-origin iframe, consume activation on the parent page for multiple-popup blocking. r=edgar

https://hg.mozilla.org/mozilla-central/rev/ac406d1aa9a7

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox86: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 86 Branch

Is this suitable for uplift into the last 85 beta?

Flags: needinfo?(emilio)

Comment on attachment 9196428 [details]
Bug 1685056 - For an initial, same-origin iframe, consume activation on the parent page for multiple-popup blocking. r=edgar,smaug

Beta/Release Uplift Approval Request

  • User impact if declined: Comment 0
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: none
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Make the popup blocker a bit less restrictive.
  • String changes made/needed: none
Flags: needinfo?(emilio)
Attachment #9196428 - Flags: approval-mozilla-beta?

Comment on attachment 9196428 [details]
Bug 1685056 - For an initial, same-origin iframe, consume activation on the parent page for multiple-popup blocking. r=edgar,smaug

approved for 85.0b9

Attachment #9196428 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: