251793 - Java applets bypass "Block Pop-Up Windows"

Status: RESOLVED WONTFIX

(Firefox :: General, defect)

Description

[Leo Tokarski]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2

It is possible to bypass Firefox's protection against pop-up windows via a Java
applet, as the demonstrating URL indicates.

Reproducible: Always
Steps to Reproduce:
1. Make sure Java is enabled.
2. Go to the site.

Actual Results:  
Hundreds of pop-ups, followed by Firefox crashing.

Expected Results:  
No pop-ups.  Since, you know, I have them turned off.

Comment 1

[sairuh (rarely reading bugmail)]

confirming, this occurs for me when using 2004-07-27 (firefox, aviary1.0 branch)
bits on linux fedora core 1 and mac 10.3.4. would this be feasible to fix (ie,
block unwanted popups issued via Java)?

Comment 2

[Dan M]

Probably the exact same thing as bug 176079. I'll mark this bug dependent for now.

Comment 3

[Wladimir Palant]

No, these bugs are not dependent. Here we have normal Java windows, not Mozilla
windows. I think, this problem has to be be solved (if at all) by means of
Java's SecurityManager - in the plugin itself.

Comment 4

[s.marshall]

This is a valid bug. I just wanted to mention that stopping Java opening popup
windows altogether would seriously impact sites (mainly intranets) that use
real-work Java applets. These often have quite complex UI including popup
dialogs. So I hope nobody would be tempted to implement that hack. :)

If a change is implemented, suggest making it stop Java opening popups in a
similar manner to the HTML technique i.e. Java applets can open popups as much
as they like once somebody has clicked on or focused the applet. This would
prevent malicious applets opening popups onload. I suspect this would be
difficult to implement without co-ordination with the Java 1.5 developers, but I
don't know...

Comment 5

[OstGote!]

IMO it is more a duplicate as an dependency. Bug 150340 is for plugins in general.

Comment 6

[Marc Bejarano]

fyi: the demo from "URL" field (http://66.195.18.30/5000000fucks.html) is now 404 :(

Comment 7

[Dieter Weber]

Attachment: A java applet displays itself inside a foreign tab.

When opening a map from map24.de inside a tab, a java applet is loaded. This
applet is also displayed within other tabs when one scrolls them, and the tab
receives at least mouse events. Because this applet doesn't have window
borders, one cannot distinguish it easily form the other tab's contents. I fear
that this can be used for "bad things".

Version:

Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; de-DE; rv:1.7.5) Gecko/20041122
Firefox/1.0

Comment 8

[Wladimir Palant]

(In reply to comment #7)
What you describe is a bug of course but it has nothing to do with the issue
discussed here. Please use the search to find a bug dealing with your problem,
I'm pretty sure there is one already.

Comment 9

[Jesse Ruderman]

Was this fixed with bug 176079 /
http://weblogs.mozillazine.org/jst/archives/2005/06/killing_more_po.html?

Comment 10

[Wladimir Palant]

No, these is a very different issue. As already noted in comment 3, the demo was
demonstrating an Java applet opening Java windows, not browser windows. This can
only be solved by adjusting the security policy of the applet. The demo is gone,
I'm attaching another applet demonstrating the same thing.

Comment 11

[Wladimir Palant]

Attachment: JAR file for the demo

Comment 12

[Wladimir Palant]

Attachment: Demo

Enter some number into the input field and click "Open" - the applet will open
the required number of windows.

Comment 13

[Wladimir Palant]

Attachment: Applet source