Closed
Bug 263777
Opened 20 years ago
Closed 20 years ago
Click handler bypasses pop-up blocker
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
WONTFIX
People
(Reporter: mnyromyr, Unassigned)
References
()
Details
(Whiteboard: [sg:nse])
Attachments
(1 file)
|
243 bytes,
text/html
|
Details |
Specifying an onclick handler per onclick attribute or per addEventListener on document load allows to bypass the pop-up blocker. (First "exploits" of this are already out in the wild, the given URL opens an advertizing pop-up when one of the book links is clicked, if cookies are blocked entirely. It hides this in a very obfuscated code mass.) Since totally banning onclick handlers isn't quite probable, I suspect more websites to start with a special front page saying "Click here to enter" and having a popup opening for every link... :( Although there are already "exploits" of this out there, I'm marking this bug as confidential. The word will get around fast enough without being visible here, I fear. :(
|
Reporter | |
Comment 1•20 years ago
|
||
|
||
Updated•20 years ago
|
Whiteboard: [sg:nse]
|
||
Comment 2•20 years ago
|
||
This is as designed, and it's not really a bug that's fixable either. Short of AI smarts to figure out what link clicks you want to enable popups from, there's not much we can do about this. Marking WONTFIX, and opening up, as this is not a security bug.
Group: security
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → WONTFIX
|
|
||
Comment 3•20 years ago
|
||
*** Bug 263870 has been marked as a duplicate of this bug. ***
*** Bug 282722 has been marked as a duplicate of this bug. ***
*** Bug 265186 has been marked as a duplicate of this bug. ***
*** Bug 283402 has been marked as a duplicate of this bug. ***
|
||
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•