window.close() does not work in non-cross-origin-isolated popups opened by a cross-origin-isolated page
Categories
(Core :: DOM: Core & HTML, defect)
People
(Reporter: oleksandr.chekhovskyi, Unassigned)
Steps to reproduce:
- Have a page served with cross-origin isolation headers:
  Cross-Origin-Embedder-Policy: require-corp
  Cross-Origin-Opener-Policy: same-origin
- Open a popup with window.open([url]). URL is from the same domain but it's a different page that does not have cross-origin isolation enabled.
- As an example, that page is a login page that contains a form, which upon successful submission prompts user to close the page (with a Close button).
- When user clicks Close button, script on the login page invokes window.close().
Actual results:
Page does not close.
Warning is logged:
"Scripts may not close windows that were not opened by script."
Expected results:
Closing should be allowed in such scenario. This should not be a cross-origin isolation security problem. Other browsers (Chrome, Safari) allow the popup page to be self-closed in such case.
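A minimal local server that sets up the two pages from the steps to reproduce, added here as an example and not part of the bug report. The paths `/` and `/login`, port 8080, the `--serve` flag and the page markup are assumptions made for this sketch.

```javascript
// Added repro sketch, not code from the bug report. Paths, port and markup are assumed.
const ISOLATION_HEADERS = {
  "Cross-Origin-Embedder-Policy": "require-corp",
  "Cross-Origin-Opener-Policy": "same-origin",
};

// Opener page: served cross-origin isolated, opens the same-origin login popup.
const OPENER_HTML = `<!doctype html>
<p>crossOriginIsolated: <span id="coi"></span></p>
<button id="open">Open login popup</button>
<script>
  document.getElementById("coi").textContent = String(self.crossOriginIsolated);
  document.getElementById("open").onclick = () => window.open("/login");
</script>`;

// Popup page: served without COOP/COEP, tries to close itself from a Close button.
const LOGIN_HTML = `<!doctype html>
<p>Login complete. You can close this window.</p>
<button id="close">Close</button>
<script>
  document.getElementById("close").onclick = () => window.close();
</script>`;

// Pure routing function so the header split can be checked without a browser.
function responseFor(path) {
  const html = { "Content-Type": "text/html; charset=utf-8" };
  if (path === "/") return { status: 200, headers: { ...html, ...ISOLATION_HEADERS }, body: OPENER_HTML };
  if (path === "/login") return { status: 200, headers: html, body: LOGIN_HTML };
  return { status: 404, headers: { "Content-Type": "text/plain" }, body: "not found" };
}

// Start the server only when asked: node repro.js --serve
async function serve(port = 8080) {
  const http = await import("node:http");
  return http
    .createServer((req, res) => {
      const { pathname } = new URL(req.url, "http://localhost");
      const { status, headers, body } = responseFor(pathname);
      res.writeHead(status, headers);
      res.end(body);
    })
    .listen(port, "127.0.0.1");
}

if (process.argv.includes("--serve")) serve();
```

Load `http://127.0.0.1:8080/` in the browser under test, open the popup, and click Close while watching the popup's console for the warning quoted in the report.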
Comment 1•1 year ago
The Bugbug bot thinks this bug should belong to the 'Core::DOM: Core & HTML' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Comment 2•1 year ago
The checks in https://searchfox.org/mozilla-central/rev/e69f323af80c357d287fb6314745e75c62eab92a/dom/base/nsGlobalWindowOuter.cpp#6004-6005 don't really correspond to https://html.spec.whatwg.org/multipage/nav-history-apis.html#script-closable I think. It should check either that the active BC "is an auxiliary browsing context that was created by a script" or "is a top-level traversable whose session history entries's size is 1".
Comment 4•1 year ago
(I found a similar bug, but not sure if they are duplicates)
Comment 5•1 year ago
Moving to S3: the cross-origin isolation headers are opted-in and we are not aware of the breakages in the wild.
Dear reporter, if you know the websites impacted by this issue, please let us know.
(In reply to Edgar Chen [:edgar] from comment #4)
> (I found a similar bug, but not sure if they are duplicates)
Nika's patches in bug 1681457 touched the lines Peter pointed out in comment 2. Maybe Sean can help us verify. :)
Comment 6•1 year ago
I confirmed Nika's patch in bug 1681457 fixed this.