Closed Bug 249360 Opened 20 years ago Closed 20 years ago

No way to stop malicious javascript

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED DUPLICATE of bug 61098

People

(Reporter: relf, Unassigned)

Details

Attachments

(1 file)

Testcase
302 bytes, text/html
Details 
Linux build 2004062507

To reproduce:
1. Open the provided testcase
2. There is no way to stop malicious javascript
The only way to stop it, is to kill mozilla-bin application

Expected results:
There should be a way to interrupt javascript execution without killing Mozilla.
Attached file Testcase 

    
  
Summary: No protection from malicious javascript → No way to stop malicious javascript

    
  
Assignee: general → general
Component: JavaScript Engine → DOM: Level 0
QA Contact: pschwartau → ian
Whiteboard: DUPEME

    
    

    
  
steps:
1. open a second window
2. load your link in the first window
3. select the second window
4. tools>web development>javascript debugger
5. select the windows view
6. select the first window
7. select the evil page
8. double click
9. set a breakpoint on the first while(true) line
10. click ok in the stupid dialog
11. in venkman evaluate: alert=funciton die(){throw 'stop that'}
12. click the green continue button.

-done-

what these steps mean: the summary is wrong.

    
    

    
  
Hi,
Netscape Communicator 4.79 Internet Explorer 5.01 anmd 5.5 Other Mozilla
versions and Opera 7.51 paid version do the same.
I think that it is a thing of all browsers.

    
    

    
  
If you wait long enough, a dialog asking whether to stop the script or let it
continue should come up.

/be

    
    

    
  
> steps:
> 1. open a second window
> 2. load your link in the first window

Nice ;)

But what if only one window was opened, and the script run there?
It will block openning a second window.


    
    

    
  
Brendan, is there a way to force termination of the script not "waiting long
enough" ?
I'd prefer to have, say, a checkbox like 
[ ] Terminate this javascript
right on the annoying dialog.

    
    

    
  
relf-

You probably want bug bug 61098.

This is a different DOS attack than the script blocker is designed for.  There
is no runaway script, it is patiently waiting for the user's input.  Past dupes
of this (such as bug 66097) went to bug 61098.  bug 59314 and bug 60150 may be
other approaches to tackle the problem.

    
    

    
  

*** This bug has been marked as a duplicate of 61098 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED
Whiteboard: DUPEME

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: