Page can open JavaScript console even when popups are disabled. (Remove the feature that "javascript:" opens the console.)

RESOLVED FIXED

Status

()

defect
RESOLVED FIXED
15 years ago
5 years ago

People

(Reporter: bugzilla, Assigned: ajschult784)

Tracking

Trunk
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(5 attachments, 2 obsolete attachments)

(Reporter)

Description

15 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; cs-CZ; rv:1.7) Gecko/20040501
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; cs-CZ; rv:1.7) Gecko/20040501

The <img src="javascript:"> in the HTML page opens JavaScript console during
onload. This is wrong behaviour, isn't? It should not be able from the HTML
page. And it is not affected by popup blocker. (Yes, if you turn off JavaScript,
it doesn't happened.)

And what more - if repeated, it can open more instances of the JS-console and so
block Mozilla and consume computer resources. This is strange, because only one
instance of JavaScript console can be opener in common usage.

Indefinitive loop of opening new and new and new and new JavaScript console can
practically completely block Win98 system (you have to press CTRL+ALT+DELETE and
kill the browser) or significantly slow Win2000.

If you have opened some JavaScript console before loading of the testcase, new
instances are not created, only the console get focus.

Same problem is, if you use <iframe scr="javascript:"></iframe> or <link
rel="stylesheet" href="javascript:" /> and maybe in some other URL too.

Observed in: Mozilla1.7b, Firefox 0.8 and Mozilla/5.0 (Windows; U; Windows NT
5.0; cs-CZ; rv:1.7) Gecko/20040501

Reproducible: Always
Steps to Reproduce:
(Reporter)

Updated

15 years ago
Summary: Page can open JavaScript console even when are popup disabled → Page can open JavaScript console even when are popup disabled
(Reporter)

Comment 1

15 years ago
Posted file Img testcase
Testcase
(Reporter)

Comment 2

15 years ago
Posted file Link testcase
Other testcase
(Reporter)

Comment 3

15 years ago
Posted file Iframe testcase
Other testcase

Comment 4

15 years ago
I see this with 
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8a) Gecko/20040509
Firefox/0.8.0+ on Windows 2000

Image test case opens 1 instance of js console
Link test case opens 2
IFrame opens 10 (as many as specified)

This seems somewhat bad...(critical?)

Comment 5

15 years ago
Confirmed.

- Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8a) Gecko/20040510
Firefox/0.8.0+
- Microsoft Windows 2000 Pro 5.00.2195 SP4

Comment 6

15 years ago
Yes, it's real enough. So what's the right solution, then? I believe the naked
"javascript:" URL is intended as a shortcut for opening the Console. Should we
somehow disallow it from anything but the URLbar? Should we allow a page to open
only one copy of the window? Should we treat it like a popup window?

Its obnoxiousness is limited. All a website can do with this hack is open the
JavaScript Console. Many times. And by the way it opens full-screen on my build.
That's kind of weird and extra annoying.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Naked javascript: could be made to open the JS console only if entered from the
location toolbar.  Netscape 4.x didn't worry about the potential for abuse here,
though.  This bug reports no real-world abuse, so I'm wondering why we shouldn't
WONTFIX it.

Danm, can you worry about the other glitches you noticed in separate bug(s)?

/be
(Reporter)

Comment 8

15 years ago
Posted file Hang - tescace
(In reply to comment #7)
> This bug reports no real-world abuse, so I'm wondering why we shouldn't
> WONTFIX it.

And what about freezing the browser? See attachment with indefinitive loop of
opening "javascript:". Can anyone stop it and not kill the browser process?

Satisfactory solution should be do not allow opening more instances of the
JS-console. So the page can't hang the browser.

Comment 9

15 years ago
(In reply to comment #7)
> Naked javascript: could be made to open the JS console only if entered from the
> location toolbar.  Netscape 4.x didn't worry about the potential for abuse here,
> though.  This bug reports no real-world abuse, so I'm wondering why we shouldn't
> WONTFIX it.

This also seems to bypasses the built in script warning / alert window
"A script on this page is causing mozilla to run slowly.  If it continues to run
your computer may become unresponsive.  Do you want to abort the script?
[ok/cancel]"
Which gives the user the option to cancel the script and seems designed to put a
check on this type of behavior.  The behavior in this case is inconsistent (no
warning is displayed).

My own opinion would be to get rid of the "javascript:" shortcut all together as
it seems somewhat inconsistent/unnecessary, but that's probably doing a bit too
much.  Restricting it to the location toolbar seems the next best thing (any
reason why a web page should need to launch the JS Console?)
I don't see why we need to support a web page opening the JS console.  There is
no web standard, _de facto_ or _de jure_, among browsers other than those in the
Mozilla family.

D.O.S. attacks are plentiful, but if we can knock this one down, great.

/be
(Reporter)

Comment 11

15 years ago
Seems tat this not affect only javascript: but also some other protocols. I have
created a separate bug #243503
*** Bug 263635 has been marked as a duplicate of this bug. ***
*** Bug 265170 has been marked as a duplicate of this bug. ***

Comment 14

15 years ago
The Iframe testcase does it to my browser aswell, quite annoying really - and no
visable option to disable it happening

Comment 15

15 years ago
This bug could trigger some bad press from people who test Firefox against the
mangle.cgi script. JS console opens automatically rather often and every few
minutes Firefox hangs because of the JS console..
Product: Browser → Seamonkey
-> all/all
OS: Windows 2000 → All
Hardware: PC → All

Comment 17

14 years ago
*** Bug 284453 has been marked as a duplicate of this bug. ***

Comment 18

14 years ago
Sorry for asking but should I file a new bug for Firefox? This bug appears to be
for Mozilla only.

Comment 19

14 years ago
Would be nice, if there would be a Firefox-specific-bug.

Can somebody change the Product or should a seperate bug be filed?

(Why seems this rather critical bug to be forgotten?)

Updated

13 years ago
Blocks: iexploder

Comment 20

13 years ago
*** Bug 351417 has been marked as a duplicate of this bug. ***
(Assignee)

Comment 21

13 years ago
> Should we somehow disallow it from anything but the URLbar?

This seems the most reasonable thing to do.  This would mean that nsJSThunk::BringUpConsole would go away and the browser would be responsible for intercepting the URL before trying to "load" it.

> Should we allow a page to open only one copy of the window?

The code already attempts to do this, but apparently fails.
http://lxr.mozilla.org/seamonkey/source/dom/src/jsurl/nsJSProtocolHandler.cpp#294
Assignee: general → nobody
Component: General → General
Product: Mozilla Application Suite → Core
QA Contact: general → general
(Assignee)

Comment 22

13 years ago
embedding/components/jsconsole/ could probably get removed as well if that's desired.
http://lxr.mozilla.org/seamonkey/search?string=jsconsole-service

If the approach is OK, I'll get FF/SM folks to review the chrome changes.
Assignee: nobody → ajschult
Status: NEW → ASSIGNED
Attachment #237079 - Flags: review?(brendan)
Comment on attachment 237079 [details] [diff] [review]
separate console from protocol

It looks good to me (less C++, more JS).  I'd be grateful if bz approved the jsurl changes.  Seeking mconnor blessing as you proposed (unless there's a better FE reviewer?).

/be
Attachment #237079 - Flags: superreview?(bzbarsky)
Attachment #237079 - Flags: review?(mconnor)
Attachment #237079 - Flags: review?(brendan)
Attachment #237079 - Flags: review+
(In reply to comment #21)
>>Should we allow a page to open only one copy of the window?
>The code already attempts to do this, but apparently fails.
>http://lxr.mozilla.org/seamonkey/source/dom/src/jsurl/nsJSProtocolHandler.cpp#294
Unfortunately windows get asynchronously added to the window mediator.
Comment on attachment 237079 [details] [diff] [review]
separate console from protocol

> embedding/components/jsconsole/ could probably get removed

Yes, please.  It's pretty useless for embedding as it stands (only usable in XUL apps and doesn't really do uniqueness checking).  I think this only existed so embeddors could override with their own console for purposes of this code, but if we're now completely pushing this off to the embedding layer, that's not needed.

>Index: dom/src/jsurl/nsJSProtocolHandler.cpp
>     // If mURI is just "javascript:", we bring up the Error console
>     // and return NS_ERROR_DOM_RETVAL_UNDEFINED.

Fix this comment?

>     if (script.IsEmpty()) {

Do we really need this check?  That is, won't we just get undefined from the JS engine if we run an empty string through it?  If so, can we just remove this block completely?

>Index: xpfe/browser/resources/content/navigator.js

> function handleURLBarCommand(aUserAction, aTriggeringEvent)
> {
>+  if (gURLBar.value == "javascript:") {
>+    toJavaScriptConsole();

So this doesn't work if I, say, paste "javascript:" with the middle mouse button.  Is that what we want?  I'd almost say "yes", but then again I think this "javascript: opens JS console" thing is stupid.  ;)  But check with the UI folks.

sr=bzbarsky with the nits.

Also asking Neil for review on the XFPE bit.
Attachment #237079 - Flags: review?(neil)
Attachment #237079 - Flags: superreview?(bzbarsky) → superreview+
(Assignee)

Comment 26

13 years ago
(In reply to comment #25)
> (From update of attachment 237079 [details] [diff] [review] [edit])
> > embedding/components/jsconsole/ could probably get removed
> 
> Yes, please.  It's pretty useless for embedding as it stands (only usable in

OK, I'll attach a patch to do that shortly.

> >     if (script.IsEmpty()) {
> 
> Do we really need this check?  That is, won't we just get undefined from the 

No, apparently not.  I'll remove it.

> So this doesn't work if I, say, paste "javascript:" with the middle mouse
> button.  Is that what we want?  I'd almost say "yes", but then again I think
> this "javascript: opens JS console" thing is stupid.  ;)  But check with the 
> UI folks.

Right.  Middle-click-paste does not open the console, nor do things like the open web location dialog.
(Assignee)

Comment 27

13 years ago
Attachment #237623 - Flags: review?(benjamin)

Updated

13 years ago
Attachment #237623 - Flags: review?(benjamin) → review+
Personally I think we should just drop support for "javascript:" opening the "Error console".
Comment on attachment 237079 [details] [diff] [review]
separate console from protocol

r- on navigator.js as per comment #28.
Attachment #237079 - Flags: review?(neil) → review-
(Assignee)

Comment 30

12 years ago
Comment on attachment 237079 [details] [diff] [review]
separate console from protocol

looking for r= for the browser/ changes (or the go-ahead to drop support for "javascript:")
Attachment #237079 - Flags: review?(mconnor) → review?(gavin.sharp)
Comment on attachment 237079 [details] [diff] [review]
separate console from protocol

Please just drop the "javascript: opens the Error Console" feature from Firefox (don't make the /browser change).
Attachment #237079 - Flags: review?(gavin.sharp) → review+
Comment on attachment 237079 [details] [diff] [review]
separate console from protocol

Well, I guess that means this is r- and not r+, but you get the idea!
Attachment #237079 - Flags: review+ → review-
(Assignee)

Comment 33

12 years ago
The previous 2 patches are in.

I forgot about allmakefiles.sh.  I removed jsconsole from the long lines with 

:%s#embedding/components/jsconsole/src/Makefile ##
:%s#embedding/components/jsconsole/public/Makefile ##
Attachment #237079 - Attachment is obsolete: true
Attachment #237623 - Attachment is obsolete: true
Attachment #252135 - Flags: review?(benjamin)

Comment 34

12 years ago
Comment on attachment 252135 [details]
fix up allmakefiles.sh too

Don't bother, MOZ_BUILD_PROJECTS is dead.
Attachment #252135 - Flags: review?(benjamin) → review-

Updated

12 years ago
Duplicate of this bug: 379355
(Assignee)

Comment 36

12 years ago
Hmm... this is fixed.  allmakefiles.sh got cleaned up elsewhere
Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED

Comment 37

12 years ago
Is it a patch that needs to be uploaded or does he need to update his program?  My client still gets this problem.  If I take out href="javascript:;"---that's removing the java script all together????????
Also, should the hang testcase still hang the browser? Because it sure does for me on the trunk :-)

Updated

12 years ago
Summary: Page can open JavaScript console even when are popup disabled → Page can open JavaScript console even when popups are disabled. (Remove the feature that "javascript:" opens the console.)

Updated

12 years ago
Duplicate of this bug: 390090

Comment 40

11 years ago
How can I see Javascript errors in Firefox 3.0.2 if javascript: popup console feature has been dropped?
Is there nay other way to see the errors.

It was very useful to debug javascript errors.

Comment 41

11 years ago
Anji, you can still open the Error Console from Firefox's Tools menu.

Comment 42

11 years ago
Thanks.
Got it.
You need to log in before you can comment on or make changes to this bug.