Closed Bug 251944 Opened 16 years ago Closed 7 years ago

Onunload can prevent user from navigating away from page (hijack browser tab, break back button)

Categories

(Core :: DOM: Events, defect)

RESOLVED DUPLICATE of bug 371360

People

(Reporter: andy_christ, Unassigned)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2

Now first of all, I do NOT normally read this ****.  Some retard suggested it to
me.  

That said, I saw some stuff scarier than furry porno comic strips.  

http://www.buzzweb.com/dustbunnies/

Near the bottom of the text block on top there is a link.  Follow it:

http://www.buzzweb.com/dustbunnies/I%27m%20always%20working%20on%20improving%20my%20art%20and%20my%20bunnies%20will%20be%20back%20one%20day%20better%20then%20they%20were%20before,%20better,%20faster,%20stronger,%20six%20million%20dollar%20bunnies!%20But%20for%20now%20I%27m%20undertaking%20other%20characters%20other%20stories%20such%20as%20comics%20about%20a%20skunkette%20school%20an%20all%20girl%20school%20with%20very%20horny%20and%20immodest%20skunkettes.%20The%20other%20project%20is%20about%20two%20space%20vixens%20that%20use%20their%20sex%20appeal%20to%20save%20worlds%20and%20the%20occasional%20universe.%20And%20finally,%20a%20comic%20about%20sexy%20feline%20warriors%20who%20are%20defending%20themselves%20in%20their%20ravaged%20world%20destroyed%20by%20giant%20nasty%20monsters.%20All%20this,%20hopefully%20for%20me,%20will%20be%20found%20in%20comic%20books%20and%20not%20on%20the%20net.%20

and it will send you here:
http://66.250.173.108/search.php?query=sex&x=62&y=39
You can click on any of those links and you'll get a random porno page. What's
interesting is if you try and go back. You will get a random porno page any time
you try to go back past that first page of porn links. This happens if you go
directly to the 66.250.173.108 link as well.  

A random porno page will load every time you:
click the back button
right click the back button and select a previous page
try to go to a page in the history
try to load a bookmarked page
enter something in the URL field

Basically every time you try to leave the porno sites.

It does this with both Firefox 0.9.1 and 0.9.2, Mozilla 1.7, and with IE 6. 
(Except with IE, it also attempts to change the home page, opens popup windows,
and tries to install stuff)

This is really damned annoying.  

I'm curious as to what they're doing, and what can be done to disable it without
losing functionality.  

Reproducible: Always
Steps to Reproduce:
1. Go to this page:  
2. Try going anywhere else, by any means (back button, bookmarks, url field)
3. Watch as you get a random porno site instead

Actual Results:  
It will load a random porno page each time you try to enter a URL in the URL
field, go to a bookmarked page, or use the back button.  (Although clicking on
the back button really fast a few dozen times can get you out, if you then click
it again, you'll just get another random porno page.)  



Expected Results:  
Allowed me to escape to some other page.

I'm using XP Home, I've tried this with Mozilla 1.7, Firefox 0.9.1 and 0.9.2,
and IE 6.  It happens with all of them.
Assignee: firefox → general
Component: General → Browser-General
Product: Firefox → Browser
QA Contact: firefox.general → general
Version: unspecified → 1.7 Branch
Pretty standard setup:

  function foo() {
    location = some_porn_site;
  }

  <body onunload="foo()">

I thought we had something in place to prevent this, no?
Not that I can remember...
Summary: Web page can completely hijack browser. Firefox versions .9.1 and .9.2 (at least) → Web page can completely hijack browser using onunload
Hmm, anyone know what the legitimate uses of code like this is?
Status: UNCONFIRMED → NEW
Ever confirmed: true
>Hmm, anyone know what the legitimate uses of code like this is?

There is none. The only possible legitimate use for onunload that I can think of
is window cleanup (i.e. closing windows opened by the page). This could probably
also be used for other things where the main window is interacting with
other windows. Things like changing the location, or alerting you that you are
leaving (some sites do this, although it is very very rare) are just annoying.

Maybe if you are submitting credit card information, or waiting for a reply
other functions used in an onunload event could be used to prevent
complications, however you cannot cancel the unload, so I don't think there
would be anything you can do to prevent that if the user leaves.

With recent and past security issues, maybe the capabilities of onunload should
be restricted. This could include blocking writes to and changing the location
for the window that is unloaded. Possibly even a pref that can completely
disable the onunload handler could be included in Mozilla.
Attached file Simplified testcase.
Here's a non-pornographic testcase.
maggottmail-mozbugs@yahoo.com: it is possible for a site to cancel navigating
away from a page, but not with onunload.  You have to use the onbeforeunload
event to do that, and the user gets a prompt asking if they really want to leave
the page.
(In reply to comment #7)
> You have to use the onbeforeunload
> event to do that, and the user gets a prompt asking if they really want to leave
> the page.


Did you try it?  It gives no message.  
>You have to use the onbeforeunload event to do that, and the user gets a prompt 
> asking if they really want to leave the page.

OK, I wasn't aware of that one.

> Did you try it?  It gives no message.

You have to return a value with the handler (it appears any primitive data type
or even null will work). For example:

<body onbeforeunload="return false;">
Flags: blocking-aviary1.0?
There are now sites that use the "onunload" event to open pop-up windows when
you close the window.
Example: Open at least two tabs in firefox. In one tab type the url:
http://www.desktopgirls.com/index4.html. Now close the tab with this site. You
get two pop-up windows.
If you have only one tab open and close the browser you will see no pop-ups.
Antonis: that's bug 259117, not this bug.
think we would need a patch and a lot of trunk testing to do more here for 1.0.
 renominate if that happens.
Flags: blocking-aviary1.0? → blocking-aviary1.0-
*** Bug 261104 has been marked as a duplicate of this bug. ***
There is yet one interesting thing. The code included below opens a new window
if there are other tabs open, and the tab containing the script is closed.
(Firefox PR 0.10.1)

<html>
<head>
<title>Test</title>
<SCRIPT language=JavaScript>
<!--
function u()
{
window.open("http://some.url.here/","")
}
// -->
</SCRIPT>
</head>
<body OnBeforeUnload="u()" OnUnload="u()">
</body>
</html>
(In reply to comment #14)
> There is yet one interesting thing. The code included below opens a new window
> if there are other tabs open, and the tab containing the script is closed.
> (Firefox PR 0.10.1)

That was fixed in bug 260385.
*** Bug 264735 has been marked as a duplicate of this bug. ***
Summary: Web page can completely hijack browser using onunload → Onunload can prevent user from navigating away from page (hijack browser tab)
Product: Browser → Seamonkey
Component: General → DOM: Events
Product: Mozilla Application Suite → Core
Summary: Onunload can prevent user from navigating away from page (hijack browser tab) → Onunload can prevent user from navigating away from page (hijack browser tab, break back button)
Blocks: backtraps
Assignee: general → nobody
OS: Windows XP → All
QA Contact: general → events
Hardware: PC → All
Version: 1.7 Branch → Trunk
Flags: in-testsuite?
You can still use it to open alerts.

http://www.internetisseriousbusiness.com/ (code saved if the page goes away).
Basically it is this:
<body onbeforeunload="for(x in neva.split('\n')){ alert(neva.split('\n')[x]); } return false;">

I think it should be possible to forcefully close tabs.
If you right-click on an unfocused tab you get the "Close tab" item. It closes the still focused tab (which is misleading for me). Either close the clicked tab forcefully or offer such an option.
Volkmar, please file that as a separate bug.  It's likely to require a separate fix.
FYI; Filed enhancement bug: 391834
Thanks.
It is not quite clear to me what the STR are on this one, but no matter how many times I click on "Disable onunload event" on the attachment in comment #6 the back button doesn't break using 
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.3a5pre) Gecko/20100505 Minefield/3.7a5pre ID:20100505040145
I would say this WFM based on that.
Can anyone please clarify?
I think that this bug has been long since fixed (see the link to CVE-2007-1095 listed at the top) and I'm surprised that this hasn't been closed.  I'm going to remove myself from the CC list anyway...
This was fixed by disallowing navigation during unload in bug 371360.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: CVE-2007-1095
No longer blocks: backtraps
No longer depends on: CVE-2007-1095
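
Added example (not part of the original bug report and not Mozilla code): a heuristic Node.js audit that flags inline onunload/onbeforeunload handlers whose code reaches navigation, pop-up or dialog calls, the patterns reported in this thread. The sample pages, function names and .example URLs are constructed, and the regex matching, which follows page-defined functions one level deep, is an assumption of this sketch rather than a full HTML/JS parser.

```javascript
// Added example: heuristic audit of inline unload handlers; not Mozilla code.
const UNLOAD_ATTR = /\bon(before)?unload\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
const SINKS = [
  ['navigation', /\blocation(?:\.href)?\s*=(?!=)|\blocation\.(?:replace|assign)\s*\(/],
  ['popup', /(?:^|[^.\w])open\s*\(|\bwindow\.open\s*\(/],
  ['dialog', /\b(?:alert|confirm|prompt)\s*\(/],
];

// Return the body of `function name(...) { ... }` found in source, or ''.
function functionBody(source, name) {
  const m = new RegExp('function\\s+' + name + '\\s*\\([^)]*\\)\\s*\\{').exec(source);
  if (!m) return '';
  const start = m.index + m[0].length;
  let depth = 1, i = start;
  for (; i < source.length && depth > 0; i++) {
    if (source[i] === '{') depth++;
    else if (source[i] === '}') depth--;
  }
  return source.slice(start, i - 1);
}

// List every onunload/onbeforeunload attribute whose code reaches a sink.
function auditUnloadHandlers(html) {
  const findings = [];
  for (const m of html.matchAll(UNLOAD_ATTR)) {
    const event = m[1] ? 'onbeforeunload' : 'onunload';
    const handler = m[2] ?? m[3] ?? '';
    let code = handler; // inline code plus one level of called page functions
    for (const call of handler.matchAll(/\b([A-Za-z_]\w*)\s*\(/g)) {
      code += '\n' + functionBody(html, call[1]);
    }
    const sinks = SINKS.filter(([, re]) => re.test(code)).map(([label]) => label);
    if (sinks.length) findings.push({ event, handler, sinks });
  }
  return findings;
}

// Constructed samples modelled on the snippets in this thread (placeholder URLs).
const SAMPLES = {
  redirect: '<script>function foo() { location = "http://redirect.example/"; }</script>' +
            '<body onunload="foo()">',
  popup: '<script>function u() { window.open("http://popup.example/", ""); }</script>' +
         '<body OnBeforeUnload="u()" OnUnload="u()">',
  prompt: '<body onbeforeunload="return false;">',
  cleanup: '<script>function tidy() { if (child) child.close(); }</script>' +
           '<body onunload="tidy()">',
};

for (const [name, html] of Object.entries(SAMPLES)) console.log(name, JSON.stringify(auditUnloadHandlers(html)));
```

The bare `return false` prompt and the window-cleanup handler produce no findings, while the redirect and pop-up handlers are reported with the event that carries them.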