Open Bug 209134 Opened 21 years ago Updated 2 years ago

named unload handler popup windows are not blocked

Categories

(Core :: DOM: Core & HTML, defect, P5)

People

(Reporter: danm.moz, Unassigned)

Attachments

(1 obsolete file)

An offshoot of bug 208862, this is an obscure scenario where a popup window can
sneak itself past the popup blocking code. Popup windows targeted to a named
window are not blocked if that named window exists, since the result is after
all not a new window. But it should be blocked if that named window is being
destroyed at the time.

Practically speaking, I believe this can only be exploited by an unpleasant page
that opens a new named window which itself contains an unload handler that opens
a popup window into a window with the same name. That first new named window can
be a non-popup opened in response to some user action, or it can be a popup if
the user has not yet disabled popups.

This is an explicit attack and unlikely to happen by accident. The site
mentioned in bug 208862 does exactly this, except the popup windows are opened
into a window named "_blank". That attack has been fixed. Left unfixed is the
less likely case where the popup window has some legitimate, non-reserved name.

The result is a window that opens a new copy of itself every time the user
attempts to close it, regardless of whether the popup blocker is active. It's
impossible to close down Mozilla without killing the process.
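
The decision described in the report above, as an added example that is not part of the original bug report and not Mozilla code: a simplified model of the "named target exists, so it is not a new window" rule, with and without a check for a target that is being destroyed. All function names, field names and the registry structure are assumptions made for illustration.

```javascript
"use strict";
// Simplified model of the popup-blocking decision discussed in this bug.
// Every identifier here is hypothetical; none is taken from the Mozilla source.

// Would window.open(url, name) produce a new window?
// `registry` maps window name -> { closing: boolean }.
function createsNewWindow(registry, name, checkClosing) {
  if (!name || name === "_blank") return true;   // unnamed or _blank: always new
  const target = registry.get(name);
  if (!target) return true;                      // no window with that name: new
  // The gap reported here: a window in the middle of being destroyed still
  // matches by name, yet the report states the result is a new window.
  if (checkClosing && target.closing) return true;
  return false;                                  // live named window is reused
}

// The blocker only applies to opens that create a window without a user gesture.
function decide(registry, req, checkClosing) {
  const isNew = createsNewWindow(registry, req.name, checkClosing);
  if (isNew && !req.userGesture && req.blockerEnabled) return "block";
  return isNew ? "open-new" : "reuse";
}

// Constructed scenario: the window named "whatever" is closing and its unload
// handler targets the same name (assumed to run without a user gesture).
function scenario(checkClosing) {
  const registry = new Map([["whatever", { closing: true }]]);
  const req = { name: "whatever", userGesture: false, blockerEnabled: true };
  return decide(registry, req, checkClosing);
}

console.log("name lookup only:       ", scenario(false));
console.log("lookup + closing check: ", scenario(true));
```
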

Also "non-named" window.open() in onUnload are not blocked. Strangely enough they
ARE blocked if you load a new page over the one which wants to popup with a
Bookmark-Toolbar button.

Put one of the following in a <html><head></head><body ...></body></html> page,

<body onUnload="window.open('http://www.somesite.com/','_blank');">
<body onUnload="window.open('http://www.somesite.com/','whatever');">

put the page online, open a tab (or two), load the page, click "close tab"
button (top right) or select "Close Tab" from tab-menu.

No, that's bug 259117, fixed three weeks ago. When thinking of adding a new bug,
it helps if you expand your search to include bugs that have already been fixed.

Attached file inapplicable testcase (obsolete)
(In reply to comment #2)
> No, that's bug 259117, fixed three weeks ago.

Not really, the following are sites which demonstrate this kind of popup:
http://www.popup-killer-review.com/simplepop2.htm
http://gals.graphis.ne.jp/index2.html (warning: a porn site)
Edited: sorry, it is really bug 259117.
My mistake. Please ignore my previous comments.
Depends on: 259117
Attachment #161743 - Attachment description: A minimal testcase → inapplicable testcase
Attachment #161743 - Attachment is obsolete: true
Assignee: danm.moz → nobody
Filter on "Nobody_NScomTLD_20080620"
QA Contact: desale → general
https://bugzilla.mozilla.org/show_bug.cgi?id=1472046

Move all DOM bugs that haven’t been updated in more than 3 years and have no one currently assigned to P5.

If you have questions, please contact :mdaly.
Priority: -- → P5
Component: DOM → DOM: Core & HTML
Severity: minor → S4