Closed Bug 253780 Opened 21 years ago Closed 20 years ago

sportsline opens a popup using a delayed write of script to an iframe

Categories

(SeaMonkey :: UI Design, defect)

Product:
SeaMonkey
Component:
UI Design
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: danm.moz, Unassigned)

References

(
URL
)

Details

Attachments

(1 file)

testcase
655 bytes, text/html
Details
www.sportsline.com has discovered an exploit that consistently circumvents Mozilla's popup blocker. It works by writing script to an iframe after the page has finished loading. Something like so: <iframe name="popup" src="about:blank"></iframe> <script> function createPopup() { var psrc = "<html><body><script>window.open('about:blank')<" + "/script></body></html>"; window.frames.popup.document.write(psrc); window.frames.popup.document.close(); } setTimeout(createPopup, 500); </script> Various alternatives also work (like loading the script externally, as the original site does), but this is the simplest. This exploit works every time, so I'm making it "confidential," though it's been noticed already.
Marking Security sensitive per Dnam's request.
Group: security
Dnam? chuckle.
Attached file testcase
Yeah, Dnam :-) (duh)
*** Bug 253769 has been marked as a duplicate of this bug. ***
Blocks: 253769
Blocks: pop-up-arms-race
Clearing confidentiality flag, since evading the popup blocker is not a major security issue, and methods for such evasion are publically known already anyway.
Group: security
I think this is a dup of bug 187255. The method used is exactly the same but called from a timeout handler instead of onload.
Certainly they're related. There are some subtle differences in timing. With any luck they won't affect the patch, but since timing is the problem, I'd like to keep them both open. (Besides the fact that "sportsline" is a popular bugzilla search right now.) The subtle difference in timing has to do with 187255's popup being created in an anonymous function defined in the <head>, and this bug's popup using a more straightforward delay. 187255 in fact doesn't work unless the function is anonymous. The difference has to do with when the body DOM is constructed and it's probably all the same thing as far as we're concerned here, but I'm not certain enough to declare this one a duplicate.
Depends on: 187255
No, bug 187255 doesn't have anything to do with anonymous functions, it works with an onload attribute on the body tag as well. And the reason for a timeout here is to make sure that the code executes after the document has been loaded - the same thing is achieved more straightforward in bug 187255 by using the onload handler. The real reason why the popup blocker fails is that the code created by document.write() is executed asynchronously, thus out of the event handler context - here both bugs use exactly the same approach, so they are definitely duplicate. I wrote about it in bug 252326 comment 14 and simple blocking of all attemts to open a window without a current event in fact solves all the problems. But sure, this bug can be kept open because of sportsline in its title.
> No, bug 187255 doesn't have anything to do with anonymous functions The first testcase in the bug certainly does. And since the website named in the bug seems to no longer be opening popups, I'll go with the testcase. >the popup blocker fails [because] the code created by >document.write() is executed asynchronously As I said, it's probably the same thing as far as we're concerned. But the tricky timing issue makes it worth leaving both open, just to be certain. I repeat, the 187255 testcase does NOT work unless the function is anonymous -- try it. I've commented on your analysis in bug 252326. Anyway, this is a lot of noise for what appears to be agreement that this bug doesn't need to be closed.
Blocks: popups
No longer blocks: popups
*** Bug 256936 has been marked as a duplicate of this bug. ***
*** Bug 255320 has been marked as a duplicate of this bug. ***
This problem has been fixed by the patch in bug 252326.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
*** Bug 259944 has been marked as a duplicate of this bug. ***
Product: Core → Mozilla Application Suite
Component: XP Apps: GUI Features → UI Design
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: