Closed
Bug 265921
Opened 20 years ago
Closed 20 years ago
Scripts may close windows that were not opened by script.
Categories
(Core :: DOM: Events, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: mromarkhan, Unassigned)
References
Details
(Keywords: fixed-aviary1.0, fixed1.7.5, Whiteboard: [sg:fix])
Attachments
(4 files)
360 bytes,
text/html
|
Details | |
1.89 KB,
patch
|
Details | Diff | Splinter Review | |
5.42 KB,
patch
|
bryner
:
review+
brendan
:
superreview+
brendan
:
approval-aviary+
brendan
:
approval1.7.5+
|
Details | Diff | Splinter Review |
1.99 KB,
patch
|
bryner
:
review+
brendan
:
superreview+
brendan
:
approval-aviary+
brendan
:
approval1.7.5+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.7.3) Gecko/20041024 Firefox/1.0 Build Identifier: Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.7.3) Gecko/20041024 Firefox/1.0 Peace. Okay, I am not sure if I am an idiot or not, but here goes. I tried window.close() and got this error message Scripts may not close windows that were not opened by script. So I tried two additional hacks <a href="javascript: var e = document.createEvent('Events'); e.initEvent('DOMWindowClose',true,false); window.dispatchEvent(e); ">CloseWindow</a> - close this, requires two tabs to be open <a href="javascript: window.name='thisThing'; window.open('','thisThing',''); window.close(); ">CloseWindowReloaded</a> - close this, close the browser if one tab opened and was successful. So I am wondering is this is a bug or feature - like certain script may have certain privilege, or I got the wrong preference setting. I know I am missing something? Got wrong build? Reproducible: Always Steps to Reproduce: 1. For issue one need two tabs opened 2. For issue two need just one tab to close browser 3. Actual Results: For 1. Close tab when two tabs open For 2. Close browser when one tab open Expected Results: Should not close browser or tab since I get error message Scripts may not close windows that were not opened by script. when I tried window.close()
Comment 2•20 years ago
|
||
> e.initEvent('DOMWindowClose',true,false); Tabbrowser should be checking whether the event is trusted, I would say. See http://lxr.mozilla.org/seamonkey/source/toolkit/content/widgets/tabbrowser.xml#1409 and http://lxr.mozilla.org/seamonkey/source/xpfe/global/resources/content/bindings/tabbrowser.xml#1552 > window.name='thisThing'; > window.open('','thisThing',''); This one is fun... danm? Ideas?
Comment 3•20 years ago
|
||
You'd think this would fix the event thing. It doesn't seem to, over here.
Updated•20 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking-aviary1.0+
Updated•20 years ago
|
Severity: minor → major
Comment 4•20 years ago
|
||
This is bz's patch, in addition to an event state manager fix for a problem where it ended up marking all non-mouse/key events dispatched from chrome (or when UniversalBrowserWrite is enabled) as trusted events. This also fixes the event.isTrusted getter to properly return true/false (and not 2 or false, as it currently does).
Comment 5•20 years ago
|
||
Argh. How many other places might set *aBoolResult = (field & mask)? Maybe we can lxr for that. Trying .... /be
Updated•20 years ago
|
Attachment #163352 -
Flags: review+
Comment 6•20 years ago
|
||
Comment on attachment 163352 [details] [diff] [review] Complete fix. sr=brendan@mozilla.org and approving, good fixes. /be
Attachment #163352 -
Flags: superreview+
Attachment #163352 -
Flags: approval1.7.x+
Attachment #163352 -
Flags: approval-aviary+
Comment 7•20 years ago
|
||
This is kindof a followup fix to the earlier patch, but is not needed to block the security hole. Looks like fallout from some decomtamination work, not sure (bonsai isn't cooperating right now), but it should be fixed.
Updated•20 years ago
|
Keywords: fixed-aviary1.0
>Argh. How many other places might set *aBoolResult = (field & mask)? Maybe we >can lxr for that. Trying .... OK somebody smack me down. Why is comment 4 the right fix? It implies that somewhere downstream someone depends on the value of |true| being identical to 1. That seems like the true error to me. (Heh heh.)
Updated•20 years ago
|
Attachment #163363 -
Flags: review+
Updated•20 years ago
|
Keywords: fixed1.7.x
Comment 9•20 years ago
|
||
Comment on attachment 163363 [details] [diff] [review] Also stop window.dispatchEvent() from always throwing exceptions sr/a=me, go fast! /be
Attachment #163363 -
Flags: superreview+
Attachment #163363 -
Flags: approval1.7.x+
Attachment #163363 -
Flags: approval-aviary+
Comment 10•20 years ago
|
||
Re: comment 8, danm, consider yourself smacked ;-). Storing an arbitrary non-zero truth value in a PRBool is a bug waiting to bite. While XPConnect copes, any code that packs into a PRPackedBool may suffer from the folly of the person who failed to test == 0 or != 0, or use !!, or (blecherous) use (field & mask) ? PR_TRUE : PR_FALSE. Followups to bug 266048. /be
Comment 11•20 years ago
|
||
So.. what effect does this patch have on window.close() calls on windows that were forced into a tab? I seem to recall danm fixing that recently, but with this patch in that codepath will dispatch an event, but the event will be untrusted and the tab won't close, no? Should a separate bug be filed on the second issue mentioned in comment 0, by the way?
Updated•20 years ago
|
Whiteboard: [sg:fix]
Comment 12•20 years ago
|
||
(In reply to comment #11) > So.. what effect does this patch have on window.close() calls on windows that > were forced into a tab? I seem to recall danm fixing that recently, but with > this patch in that codepath will dispatch an event, but the event will be > untrusted and the tab won't close, no? > > Should a separate bug be filed on the second issue mentioned in comment 0, by > the way? Yeah, that was bad in this patch, fixed as part of 265790. Marking bug fixed.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Comment 13•20 years ago
|
||
So should a separate bug be filed on the second issue mentioned in comment 0? I don't think these patches fix it...
Comment 14•20 years ago
|
||
Ah, yes, please do file a separate bug on that...
Comment 15•20 years ago
|
||
Bug 266371 filed.
Comment 16•20 years ago
|
||
tracy and I had verifyied this back at the end of october with firefox branch bits on all the three main platforms.
Status: RESOLVED → VERIFIED
Comment 17•19 years ago
|
||
Hmm, this bug still have security sensitive bug even if it has been fixed for some time now..
Comment 18•19 years ago
|
||
Ok, because of bug 266371, it might be better to keep this bug security sensitive until 266371 is fixed.
Updated•19 years ago
|
Group: security
You need to log in
before you can comment on or make changes to this bug.
Description
•