Onunload can prevent user from navigating away from page (hijack browser tab, break back button)

RESOLVED DUPLICATE of bug 371360

Status

Core
DOM: Events
14 years ago
5 years ago

People

(Reporter: Ian Finnesey, Unassigned)

Tracking

Trunk
Points:
---
Bug Flags:
blocking-aviary1.0 -
in-testsuite ?

(Reporter)

Description

14 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2

Now first of all, I do NOT normally read this ****.  Some retard suggested it to
me.  

That said, I saw some stuff scarier than furry porno comic strips.  

http://www.buzzweb.com/dustbunnies/

Near the bottom of the text block on top there is a link.  Follow it:

http://www.buzzweb.com/dustbunnies/I%27m%20always%20working%20on%20improving%20my%20art%20and%20my%20bunnies%20will%20be%20back%20one%20day%20better%20then%20they%20were%20before,%20better,%20faster,%20stronger,%20six%20million%20dollar%20bunnies!%20But%20for%20now%20I%27m%20undertaking%20other%20characters%20other%20stories%20such%20as%20comics%20about%20a%20skunkette%20school%20an%20all%20girl%20school%20with%20very%20horny%20and%20immodest%20skunkettes.%20The%20other%20project%20is%20about%20two%20space%20vixens%20that%20use%20their%20sex%20appeal%20to%20save%20worlds%20and%20the%20occasional%20universe.%20And%20finally,%20a%20comic%20about%20sexy%20feline%20warriors%20who%20are%20defending%20themselves%20in%20their%20ravaged%20world%20destroyed%20by%20giant%20nasty%20monsters.%20All%20this,%20hopefully%20for%20me,%20will%20be%20found%20in%20comic%20books%20and%20not%20on%20the%20net.%20

and it will send you here:
http://66.250.173.108/search.php?query=sex&x=62&y=39
You can click on any of those links and you'll get a random porno page. What's
interesting is if you try and go back. You will get a random porno page any time
you try to go back past that first page of porn links. This happens if you go
directly to the 66.250.173.108 link as well.  

A random porno page will load every time you:
click the back button
right click the back button and select a previous page
try to go to a page in the history
try to load a bookmarked page
enter something in the URL field

Basically every time you try to leave the porno sites.

It does this with both Firefox 0.9.1 and 0.9.2, Mozilla 1.7, and with IE 6. 
(Except with IE, it also attempts to change the home page, opens popup windows,
and tries to install stuff)

This is really damned annoying.  

I'm curious as to what they're doing, and what can be done to disable it without
losing functionality.  

Reproducible: Always
Steps to Reproduce:
1.Go to this page:  
2.try going anywhere else, by any means (back button, bookmarks, url field)
3.watch as you get a random porno site instead

Actual Results:  
It will load a random porno page each time you try to enter a URL in the URL
field, go to a bookmarked page, or use the back button.  (Although clicking on
the back button really fast a few dozen times can get you out, if you then click
it again, you'll just get another random porno page.)  



Expected Results:  
Allowed me to escape to some other page.

I'm using XP Home, I've tried this with Mozilla 1.7, Firefox 0.9.1 and 0.9.2,
and IE 6.  It happens with all of them.

Updated

14 years ago
Assignee: firefox → general
Component: General → Browser-General
Product: Firefox → Browser
QA Contact: firefox.general → general
Version: unspecified → 1.7 Branch
Pretty standard setup:

  function foo() {
    location = some_porn_site;
  }

  <body onunload="foo()">

I thought we had something in place to prevent this, no?
Not that I can remember...

Updated

13 years ago
Summary: Web page can completely hijack browser. Firefox versions .9.1 and .9.2 (at least) → Web page can completely hijack browser using onunload

Comment 3

13 years ago
This was on FD:
http://lists.netsys.com/pipermail/full-disclosure/2004-July/024242.html
Hmm, anyone know what the legitimate uses of code like this is?
Status: UNCONFIRMED → NEW
Ever confirmed: true

Comment 5

13 years ago
>Hmm, anyone know what the legitimate uses of code like this is?

There is none. The only possible legitimate use for onunload that I can think of
is window cleanup (i.e. closing windows opened by the page). This could probably
also be used for other things where the main window is interacting with
other windows. Things like changing the location, or alerting you that you are
leaving (some sites do this, although it is very very rare) are just annoying.

Maybe if you are submitting credit card information, or waiting for a reply
other functions used in an onunload event could be used to prevent
complications, however you cannot cancel the unload, so I don't think there
would be anything you can do to prevent that if the user leaves.

With recent and past security issues, maybe the capabilities of onunload should
be restricted. This could include blocking writes to and changing the location
for the window that is unloaded. Possibly even a pref that can completely
disable the onunload handler could be included in Mozilla.

Comment 6

13 years ago
Created attachment 154580 [details]
Simplified testcase.

Here's a non-pornographic testcase.

Comment 7

13 years ago
maggottmail-mozbugs@yahoo.com: it is possible for a site to cancel navigating
away from a page, but not with onunload.  You have to use the onbeforeunload
event to do that, and the user gets a prompt asking if they really want to leave
the page.
(Reporter)

Comment 8

13 years ago
(In reply to comment #7)
> You have to use the onbeforeunload
> event to do that, and the user gets a prompt asking if they really want to leave
> the page.


Did you try it?  It gives no message.  

Comment 9

13 years ago
>You have to use the onbeforeunload event to do that, and the user gets a prompt 
> asking if they really want to leave the page.

OK, I wasn't aware of that one.

> Did you try it?  It gives no message.

You have to return a value with the handler (it appears any primitive data type
or even null will work). For example:

<body onbeforeunload="return false;">

Updated

13 years ago
Flags: blocking-aviary1.0?

Comment 10

13 years ago
There are now sites that use the "onunload" event to open pop-up windows when
you close the window.
Example: Open at least two tabs in firefox. In one tab type the url:
http://www.desktopgirls.com/index4.html. Now close the tab with this site. You
get two pop-up windows.
If you have only one tab open and close the browser you will see no pop-ups.

Comment 11

13 years ago
Antonis: that's bug 259117, not this bug.

Comment 12

13 years ago
think we would need a patch and a lot of trunk testing to do more here for 1.0.
 renominate if that happens.
Flags: blocking-aviary1.0? → blocking-aviary1.0-
*** Bug 261104 has been marked as a duplicate of this bug. ***

Comment 14

13 years ago
There is yet one interesting thing. The code included below opens a new window
if there are other tabs open, and the tab containing the script is closed.
(Firefox PR 0.10.1)

<html>
<head>
<title>Test</title>
<SCRIPT language=JavaScript>
<!--
function u()
{
window.open("http://some.url.here/","")
}
// -->
</SCRIPT>
</head>
<body OnBeforeUnload="u()" OnUnload="u()">
</body>
</html>

(In reply to comment #14)
> There is yet one interesting thing. The code included below opens a new window
> if there are other tabs open, and the tab containing the script is closed.
> (Firefox PR 0.10.1)

That was fixed in bug 260385.

Comment 16

13 years ago
*** Bug 264735 has been marked as a duplicate of this bug. ***

Updated

13 years ago
Summary: Web page can completely hijack browser using onunload → Onunload can prevent user from navigating away from page (hijack browser tab)
Product: Browser → Seamonkey

Updated

12 years ago
Component: General → DOM: Events
Product: Mozilla Application Suite → Core

Updated

12 years ago
Summary: Onunload can prevent user from navigating away from page (hijack browser tab) → Onunload can prevent user from navigating away from page (hijack browser tab, break back button)

Updated

12 years ago
Blocks: 340021
Depends on: 371360

Updated

11 years ago
Assignee: general → nobody
OS: Windows XP → All
QA Contact: general → events
Hardware: PC → All
Version: 1.7 Branch → Trunk
Flags: in-testsuite?

Comment 17

10 years ago
You can still use it to open alerts.

http://www.internetisseriousbusiness.com/ (code saved if the page goes away).
Basically it is this:
<body onbeforeunload="for(x in neva.split('\n')){ alert(neva.split('\n')[x]); } return false;">

I think it should be possible to forcefully close tabs.
If you right-click on an unfocused tab you get the "Close tab" item. It closes the still focused tab (which is misleading for me). Either close the clicked tab forcefully or offer such an option.

Comment 18

10 years ago
Volkmar, please file that as a separate bug.  It's likely to require a separate fix.

Comment 19

10 years ago
FYI; Filed enhancement bug: 391834
Thanks.

Comment 20

8 years ago
It is not quite clear to me what the STR are on this one, but no matter how many times I click on "Disable onunload event" on the attachment in comment #6 the back button doesn't break using 
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.3a5pre) Gecko/20100505 Minefield/3.7a5pre ID:20100505040145
I would say this WFM based on that.
Can anyone please clarify?

Comment 21

8 years ago
I think that this bug has been long since fixed (see the link to CVE-2007-1095 listed at the top) and I'm surprised that this hasn't been closed.  I'm going to remove myself from the CC list anyway...
This was fixed by disallowing navigation during unload in bug 371360.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 371360
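
A toy model of the fix named in the closing comment, where navigation requested while the unload handler is running is refused. It is added here as an illustration and is not code from Gecko or from the patch in bug 371360; the `Tab` class, its `blockNavDuringUnload` option and the `example` URLs are assumptions made for the example.

```javascript
// Toy model of a browser tab (not Gecko code). `blockNavDuringUnload`
// stands in for the fix: a navigation requested while the unload handler
// is running is ignored instead of replacing the user's destination.
class Tab {
  constructor(startUrl, { blockNavDuringUnload }) {
    this.url = startUrl;
    this.blockNavDuringUnload = blockNavDuringUnload;
    this.inUnload = false;
    this.pending = null;   // navigation currently being carried out
    this.onunload = null;  // handler installed by the current page
    this.blocked = [];     // navigations refused during unload
  }

  // Equivalent of `location = url`, whether requested by the user or by script.
  navigate(url) {
    if (this.inUnload) {
      if (this.blockNavDuringUnload) {
        this.blocked.push(url); // post-fix: refuse and keep the user's target
        return;
      }
      this.pending = url;       // pre-fix: the handler overrides the target
      return;
    }
    this.pending = url;
    const handler = this.onunload;
    this.onunload = null;       // the handler belongs to the page being left
    if (handler) {
      this.inUnload = true;
      try { handler(this); } finally { this.inUnload = false; }
    }
    this.url = this.pending;
    this.pending = null;
  }
}

// Constructed scenario: the page installs the handler pattern from this bug,
// then the user types another address. Both URLs are placeholders.
function userTriesToLeave(blockNavDuringUnload) {
  const tab = new Tab("https://trap.example/", { blockNavDuringUnload });
  tab.onunload = (t) => t.navigate("https://trap.example/random");
  tab.navigate("https://intended.example/");
  return { finalUrl: tab.url, blocked: tab.blocked };
}
```

With the guard off the tab ends up on the handler's URL; with it on the user reaches the address they asked for and the refused navigation is recorded in `blocked`.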

Updated

5 years ago
No longer blocks: 340021
No longer depends on: 371360