Closed Bug 253780 Opened 20 years ago Closed 20 years ago

sportsline opens a popup using a delayed write of script to an iframe

(SeaMonkey :: UI Design, defect)
Windows XP
(Reporter: danm.moz, Unassigned)
(1 file) 655 bytes, text/html

has discovered an exploit that consistently circumvents
Mozilla's popup blocker. It works by writing script to an iframe after the page
has finished loading. Something like so:

  <iframe name="popup" src="about:blank"></iframe>
  <script>
  function createPopup() {
    var psrc = "<html><body><script>window.open('about:blank')<" + "/script></body></html>";
    frames.popup.document.write(psrc);   // reconstructed: injected script runs asynchronously
  }
  setTimeout(createPopup, 500);
  </script>

Various alternatives also work (like loading the script externally, as the
original site does), but this is the simplest. This exploit works every time, so
I'm making it "confidential," though it's been noticed already.
Marking Security sensitive per Dnam's request.
Group: security
Dnam? chuckle.
Attached file testcase
Yeah, Dnam :-) (duh)
*** Bug 253769 has been marked as a duplicate of this bug. ***
Blocks: 253769
Clearing confidentiality flag, since evading the popup blocker is not a major
security issue, and methods for such evasion are publicly known already anyway.
Group: security
I think this is a dup of bug 187255. The method used is exactly the same but
called from a timeout handler instead of onload.
Certainly they're related. There are some subtle differences in timing. With any
luck they won't affect the patch, but since timing is the problem, I'd like to
keep them both open. (Besides the fact that "sportsline" is a popular bugzilla
search right now.)

The subtle difference in timing has to do with 187255's popup being created in
an anonymous function defined in the <head>, and this bug's popup using a more
straightforward delay. 187255 in fact doesn't work unless the function is
anonymous. The difference has to do with when the body DOM is constructed and
it's probably all the same thing as far as we're concerned here, but I'm not
certain enough to declare this one a duplicate.
Depends on: 187255
No, bug 187255 doesn't have anything to do with anonymous functions, it works
with an onload attribute on the body tag as well. And the reason for a timeout
here is to make sure that the code executes after the document has been loaded -
the same thing is achieved more straightforwardly in bug 187255 by using the
onload handler.

The real reason why the popup blocker fails is that the code created by
document.write() is executed asynchronously, thus out of the event handler
context - here both bugs use exactly the same approach, so they are definitely
duplicate. I wrote about it in bug 252326 comment 14 and simple blocking of all
attempts to open a window without a current event in fact solves all the problems.

But sure, this bug can be kept open because of sportsline in its title.
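The mechanism described in the comment above, as an added example that is not part of this bug, its testcase, or Mozilla's code: a small Node.js model of the execution contexts involved (a click handler, a timer callback, and a script that was document.write()n into an iframe and therefore runs as a later, separate task) and of two blocker policies. The pre-fix "denylist" policy, the context labels, and every function name are assumptions made for the simulation; the thread itself only states that the fix refuses any window.open made without a current event.

```javascript
// Added example (not code from the bug, the testcase, or Mozilla): a toy
// model of the execution contexts discussed in the thread and of two
// popup-blocker policies. All names are invented for the simulation.

// Stack of execution contexts the "browser" is currently in, e.g. ["timer"].
// Tasks queued with queueTask() run later with a fresh stack, which is how
// this model represents the asynchronous execution of a <script> that was
// document.write()n into an iframe.
const contextStack = [];
const taskQueue = [];

function runIn(context, fn) {
  contextStack.push(context);
  try {
    return fn();
  } finally {
    contextStack.pop();
  }
}

function queueTask(context, fn) {
  taskQueue.push(() => runIn(context, fn));
}

function runPendingTasks() {
  while (taskQueue.length > 0) {
    taskQueue.shift()();
  }
}

// Policy 1 (assumed pre-fix behaviour): refuse window.open only when a
// known-abusive context such as an onload handler or a timer callback is on
// the stack. Anything the blocker cannot attribute is allowed through.
const ABUSIVE_CONTEXTS = new Set(["onload", "timer"]);
function denylistPolicy() {
  return !contextStack.some((c) => ABUSIVE_CONTEXTS.has(c));
}

// Policy 2 (the approach the thread credits to bug 252326): refuse any
// window.open that does not happen while a user-initiated event is being
// dispatched.
const USER_EVENTS = new Set(["click", "keypress"]);
function userEventPolicy() {
  return contextStack.some((c) => USER_EVENTS.has(c));
}

// Run one scenario under a policy and report how many popups got through.
// `scenario` receives a window.open stand-in and schedules its attempts.
function simulate(policy, scenario) {
  let opened = 0;
  const windowOpen = () => {
    if (policy()) opened += 1;
  };
  scenario(windowOpen);
  runPendingTasks();
  return opened;
}

// Scenarios (constructed for the model).
const clickHandlerOpens = (open) => runIn("click", open);
const timerOpensDirectly = (open) => queueTask("timer", open);
const sportslineTrick = (open) =>
  queueTask("timer", () => {
    // createPopup(): document.write a <script> into the iframe. The injected
    // script does not run synchronously inside the timer callback; it runs
    // as a new task whose stack no longer shows "timer".
    queueTask("injected-script", open);
  });

// Popups that got through, per policy and scenario.
function report() {
  const policies = { denylistPolicy, userEventPolicy };
  const scenarios = { clickHandlerOpens, timerOpensDirectly, sportslineTrick };
  const out = {};
  for (const [pName, p] of Object.entries(policies)) {
    out[pName] = {};
    for (const [sName, s] of Object.entries(scenarios)) {
      out[pName][sName] = simulate(p, s);
    }
  }
  return out;
}

console.log(JSON.stringify(report(), null, 2));
```

Under the denylist policy the timer callback is refused but the write-injected script is not, because by the time it runs the timer frame is gone; under the require-a-user-event policy both are refused while the click-handler open still works, which is the behaviour the thread describes for the fix.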
> No, bug 187255 doesn't have anything to do with anonymous functions
The first testcase in the bug certainly does. And since the website named in the
bug seems to no longer be opening popups, I'll go with the testcase.

>the popup blocker fails [because] the code created by
>document.write() is executed asynchronously
As I said, it's probably the same thing as far as we're concerned. But the
tricky timing issue makes it worth leaving both open, just to be certain. I
repeat, the 187255 testcase does NOT work unless the function is anonymous --
try it. I've commented on your analysis in bug 252326.

Anyway, this is a lot of noise for what appears to be agreement that this bug
doesn't need to be closed.
Blocks: popups
No longer blocks: popups
*** Bug 256936 has been marked as a duplicate of this bug. ***
*** Bug 255320 has been marked as a duplicate of this bug. ***
This problem has been fixed by the patch in bug 252326.
Closed: 20 years ago
Resolution: --- → FIXED
*** Bug 259944 has been marked as a duplicate of this bug. ***
Product: Core → Mozilla Application Suite
Component: XP Apps: GUI Features → UI Design