Can get the current website's address to the new about:blank window
Categories
(Core :: DOM: Core & HTML, defect)
People
(Reporter: duckhiem, Unassigned, NeedInfo)
Attachments
(1 file: 648 bytes, text/html)
On Firefox 109.0 (64-bit) on macOS Ventura 13.1:
Create an online .html file with:
<button id="openPopup">Open a popup</button>
<br><br>
<button id="lockPointer">Lock the pointer</button>
<script>
  // Handle to the popup, shared by both click handlers
  let openedWindow = null;
  const openPopup = document.getElementById("openPopup");
  openPopup.addEventListener("click", () => {
    // Open a small about:blank popup
    openedWindow = window.open("about:blank", "", "menubar=no,width=100,height=100,left=200,top=200");
  });
  const lockPointer = document.getElementById("lockPointer");
  lockPointer.addEventListener("click", () => {
    openedWindow.focus();
    openedWindow.resizeTo(10000, 10000);
    setTimeout(() => {
      document.body.requestPointerLock();
      // Writing from the opener runs document.open() on the popup's document
      openedWindow.document.write("Hello!");
    }, 200);
  });
</script>
For example:
https://thisblogtests.blogspot.com/2023/01/open-popup-lock-pointer-document.html.
Load this online .html file in Firefox and click "Open a popup" once; an about:blank window is opened. Click "Lock the pointer" twice, and you will see that the address of the current website, for example: https://thisblogtests.blogspot.com/2023/01/open-popup-lock-pointer-document.html, is passed to the newly opened window (which is a new about:blank window).
Comment 1•2 years ago
I can confirm the behavior as described, but I'm not sure how it is a security issue. I may be missing something.
Comment 2•2 years ago
Comment 3•2 years ago
Why do you think this is a security bug? I think I've gotten lost in your description. "about:blank" is an artificial name, but those documents are "owned" by the document that created them. Internally that is the URL of the content.
I would expect Chrome to behave the same more or less.
Comment 4•2 years ago
This is working the way it is supposed to. Nika said that window.location is updated in both Chrome and Firefox, but Chrome doesn't update the URL bar for whatever reason. Doesn't seem like a sec bug.
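The rule Comments 3 and 4 describe, as an added example that is not part of the bug report or of Firefox's code: a small Node.js model of the HTML Standard's document.open() steps, which document.write() runs on a document that is not being parsed. ModelDocument, openBlankPopup, documentOpen, documentWrite and the opener.example / other.example URLs are constructed for illustration.

```javascript
// Constructed model, not browser code. It captures two rules:
//  1. a popup opened on about:blank inherits the origin of the document that created it;
//  2. document.open() checks that caller and target are same-origin, then sets the
//     target document's URL to the caller's ("entry") document URL, minus the fragment.
class ModelDocument {
  constructor(url, origin) {
    this.url = url;       // what location.href would report
    this.origin = origin; // serialized origin, e.g. "https://opener.example"
  }
}

// window.open("about:blank"): the URL is about:blank, the origin comes from the creator.
function openBlankPopup(creator) {
  return new ModelDocument("about:blank", creator.origin);
}

// The document.open() steps that matter for this bug.
// entryDoc is the document whose script is making the call.
function documentOpen(target, entryDoc) {
  if (target.origin !== entryDoc.origin) {
    const err = new Error("document.open() on a cross-origin document is blocked");
    err.name = "SecurityError";
    throw err;
  }
  if (target !== entryDoc) {
    const newUrl = new URL(entryDoc.url);
    newUrl.hash = ""; // the fragment is dropped when another document does the opening
    target.url = newUrl.href;
  }
  return target.url;
}

// document.write() on a loaded document implicitly opens it first.
function documentWrite(target, entryDoc, markup) {
  documentOpen(target, entryDoc);
  target.body = markup;
  return target.url;
}

// Constructed sample: the opener page writes "Hello!" into its own about:blank popup.
const samplePage = new ModelDocument("https://opener.example/post.html#top",
                                     "https://opener.example");
const samplePopup = openBlankPopup(samplePage);
console.log("before write:", samplePopup.url);
console.log("after write: ", documentWrite(samplePopup, samplePage, "Hello!"));
```

The URL that appears in the popup is always that of a same-origin document that already had script access to it, which is why the comments above do not treat it as address-bar spoofing.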