Firefox (desktop) popup blocker fails to auto-block a link to be opened
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
People
(Reporter: planetman1125, Unassigned)
References
Details
Attachments
(3 files)
IMG_0019.png
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Steps to reproduce:
go to https://atestingblogging.blogspot.com/2023/05/html-font-family-sans-serif-focuselem.html and click the page
Actual results:
it shows a prompt with our win.origin
Expected results:
it should show null like on WebKit on ios
chrome seems to prevent the popup blocker from failing by blocking the alert from opening a Blogspot website alongside the alert from displaying from another origin/website on the regular blogspot site
|
||
Comment 5•1 year ago
|
||
I'm confused about what the bug and/or security vulnerability is supposed to be here.
The bug summary talks about the popup blocker, but comment 0 about the fact that the origin shown for the about:blank or javascript: page that has been window.open'd being non-null. Those are different things.
Off-hand, when I run the testcase, I have to click the page for any popup to show up. Normally, clicks are allowed to open popups, so I don't think this is surprising or a security issue, but perhaps I misunderstand what's going on?
The bug summary talks about the popup blocker, but comment 0 about the fact that the origin shown for the about:blank or
javascript:page that has beenwindow.open'd being non-null. Those are different things.
At first I thought the origin was a security concern but then I did more research into it and realized it more or less expected to show the URL as our win.origin and my security concern now is that I'm able to bypass the popup blocker other chrome is not affected by this due to the popup blocker blocking the popup from opening a website in a new while showing a popup center of the page
Off-hand, when I run the testcase, I have to click the page for any popup to show up. Normally, clicks are allowed to open popups, so I don't think this is surprising or a security issue, but perhaps I misunderstand what's going on?
you may have not reproduced it correctly maybe that's why the behavior is different on your end try these steps
-
go to https://atestingblogging.blogspot.com/2023/05/html-font-family-sans-serif-focuselem.html
-
then click Report abuse
-
you will see chrome and webkit browsers including safari block this but firefox doesn't
|
||
Comment 8•1 year ago
|
||
It looks like there are two different things here. If you click anywhere on the page there's a window.open() popup, and Chrome, Safari, and Firefox behave the same.
window.open('javascript:alert("See dialog title for origin spoof. This dialog is from doc.domain: "+document.domain+", win.origin: "+window.origin)', '_blank', newWinParams);
If you click on a link then Chrome and Safari don't open the link. The onclick handler itself is not preventing the event from going through (which is why Firefox acts on it). I'm not sure if Chrome/Safari are considering the link a second popup and blocking it on that ground, or if they just always eat the event after a popup (probably the former). We don't seem to consider target=__blank to be a "second popup" when we limit popups to just one per user activation.
for more references on chrome behavior see https://bugs.chromium.org/p/chromium/issues/detail?id=1443729&q=label%3Aexternal_security_report
|
|
||
Updated•1 year ago
|
|
|
||
Comment 11•1 year ago
|
||
Thanks for the chromium bug link. Their bug is complaining that they --don't-- open the Report link. That reporter wants to get the Firefox behavior!
Description
•