Closed
Bug 266371
Opened 20 years ago
Closed 18 years ago
[FIX]Possible to close user-opened windows by setting window.name
Categories
(Core :: DOM: Core & HTML, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla1.9alpha1
People
(Reporter: bzbarsky, Assigned: bzbarsky)
References
()
Details
(Keywords: fixed1.8.1, Whiteboard: [sg:dos])
Attachments
(4 files, 4 obsolete files)
406 bytes,
text/html
|
Details | |
15.59 KB,
patch
|
benjamin
:
review+
jst
:
superreview+
jst
:
approval-branch-1.8.1+
|
Details | Diff | Splinter Review |
1023 bytes,
patch
|
Details | Diff | Splinter Review | |
19.29 KB,
patch
|
jst
:
review+
|
Details | Diff | Splinter Review |
STEPS TO REPRODUCE: Click on the link in the URL field. EXPECTED RESULTS: Nothing happens. ACTUAL RESULTS: Window closes. Marking confidential for now, since this could be easily abused by sites... Credit for initially finding this goes to Omar Khan (see bug 265921).
Updated•20 years ago
|
Flags: blocking-aviary1.0?
Updated•20 years ago
|
Flags: blocking-aviary1.0?
Updated•20 years ago
|
Whiteboard: [sg:fix]
Comment 2•20 years ago
|
||
*** Bug 279529 has been marked as a duplicate of this bug. ***
Assignee | ||
Comment 3•19 years ago
|
||
Requesting blocking.... Perhaps the way to do this is to keep track of the originalOpener, not just the opener. And then allow window.close() calls to succeed only if: 1) There is an original opener 2) The calling code is allowed to access the original opener (we may have to use a URI, not a window object, for the original opener...)
Flags: blocking1.8b2?
Updated•19 years ago
|
Flags: blocking1.7.7?
Updated•19 years ago
|
Flags: blocking1.7.7?
Updated•19 years ago
|
Flags: blocking1.8b3?
Flags: blocking1.8b2?
Flags: blocking1.8b2-
Comment 4•19 years ago
|
||
Just for kicks, why is script allowed to set/change window.name?
Flags: blocking1.8b4+
Flags: blocking1.8b3?
Flags: blocking1.8b3-
we have to deal with this in our commercial code. but there's clearly a reason.
Updated•19 years ago
|
Flags: blocking1.8b4+ → blocking1.8b4-
Assignee | ||
Comment 6•19 years ago
|
||
OK. Being closed down is keeping this security bug from being fixed, so I'm going to open it up and hope someone steps up... :(
Group: security
Keywords: helpwanted
Updated•19 years ago
|
Whiteboard: [sg:fix] → [sg:dos]
Not blocking 1.5, since it's merely a DoS.
Flags: blocking-aviary1.5-
Comment 8•19 years ago
|
||
Boris Zbarsky referred me to this bug as a possible cause for the problem I'm experiencing, whereby a script can close a window/tab it didn't actually open when the "Force links that open in new windows to open in the same tab/window" preference is enabled. Here's a test case. http://lachy.id.au/dev/2005/11/window-open-close-test This is really annoying for me when scripts close tabs I don't want closed. There should be a way stop scripts from closing any windows/tabs at all.
Comment 9•19 years ago
|
||
Maybe something like this? I haven't tested this much, but if fixes the testcase, and I tested with a regular window.close() testcase and that closed just fine.
Comment 10•19 years ago
|
||
And the patch doesn't regress this testcase: With https://bugzilla.mozilla.org/attachment.cgi?id=127485 (from bug 212298), you can't close the window anymore with the patch by clicking on the link, but when you open it in a new window (with this testcase), you can close the window by clicking on the link.
Updated•19 years ago
|
Attachment #208975 -
Flags: review?(bzbarsky)
Assignee | ||
Comment 11•19 years ago
|
||
Comment on attachment 208975 [details] [diff] [review] patch >Index: dom/src/base/nsGlobalWindow.cpp > void > nsGlobalWindow::SetOpenerWindow(nsIDOMWindowInternal* aOpener) I'm not sure I follow the changes to this function. I would think that the right thing to do would be to set mOriginalOpener the first time SetOpenerWindow is called (and set a boolean indicating that we've done that). After that, we never set mOriginalOpener. I definitely don't see why we're setting mOriginalOpener to the mOriginalOpener of aOpener. >@@ -2278,16 +2284,21 @@ nsGlobalWindow::SetOpener(nsIDOMWindowIn Similar issues here. I'm not sure that mOpenerWasCleared is actually needed if we have the mOriginalOpener thing, for what it's worth.
Updated•19 years ago
|
Attachment #208975 -
Flags: review?(bzbarsky)
Comment 12•19 years ago
|
||
So you mean something like this? By the way, nsGlobalWindow::SetOpener doesn't seem to be used at all: http://lxr.mozilla.org/seamonkey/search?string=SetOpener
Attachment #208975 -
Attachment is obsolete: true
Attachment #209233 -
Flags: review?(bzbarsky)
Assignee | ||
Comment 13•19 years ago
|
||
Comment on attachment 209233 [details] [diff] [review] patch2 That doesn't look right either, since it allows a window to go from being "not an opened window" to "an opened window" if a window gets SetOpenerWindow called at some point "after" the window is first opened, no? As for SetOpener, it's a scriptable method exposed to JS. It's used in JS.
Comment 14•19 years ago
|
||
Comment on attachment 209233 [details] [diff] [review] patch2 > since it allows a window to go from being "not > an opened window" to "an opened window" if a window gets SetOpenerWindow called > at some point "after" the window is first opened, no? When would that happen? I can't think of a case when that happens.
Attachment #209233 -
Flags: review?(bzbarsky)
Assignee | ||
Comment 15•19 years ago
|
||
The testcase in the URL bar does just that. The only reason it works with your patch is that it has aOpener == this. But consider something like: javascript:window.name = "foo"; window.open('javascript:window.open("", "foo"); opener.close(); close()') That should close the window it's run in, both with a trunk build (just tested) and with your patch (check?). The point is, SetOpenerWindow() is called any time the window is the target of a window.open(). Unfortunately, it can be called on both windows that have openers and windows that do not, and the problem is telling a just-opened window that the window watcher is still setting up from a window that got opened by someone else. Perhaps we can look at whether we have an extant document when SetOpenerWindow is called? Or something?
Comment 16•19 years ago
|
||
(Grr, my internet connection suddenly died yesterday) > That should close the window it's run in, both with a trunk build (just tested) > and with your patch (check?). Indeed, that would not be solved by this patch. > Perhaps we can look at whether we have an extant document when SetOpenerWindow > is called? Or something? No idea. Also not sure yet, how your suggestion in comment 11 can work.
Assignee | ||
Comment 17•19 years ago
|
||
I don't think it quite can, since SetOpenerWindow is not called on, say, new tabs that are opened. :(
Assignee | ||
Comment 18•18 years ago
|
||
This is just for posterity... There's no way this will apply to branch; we need to do something slightly different there diff-wise, since SetOpenerWindow wasn't even on nsPIDOMWindow. ;) So I'll just write separate trunk and branch patches, I guess. And the branch patch will happen after bug 326006 lands on branch.
Assignee | ||
Comment 19•18 years ago
|
||
Attachment #211617 -
Attachment is obsolete: true
Assignee | ||
Comment 20•18 years ago
|
||
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
Attachment #211619 -
Flags: superreview?(jst)
Attachment #211619 -
Flags: review?(benjamin)
Attachment #211619 -
Flags: approval-branch-1.8.1?(jst)
Assignee | ||
Updated•18 years ago
|
Flags: blocking1.8.1?
Keywords: helpwanted
Priority: -- → P1
Summary: Possible to close user-opened windows by setting window.name → [FIX]Possible to close user-opened windows by setting window.name
Target Milestone: --- → mozilla1.9alpha
Updated•18 years ago
|
Attachment #211619 -
Flags: review?(benjamin) → review+
Comment 21•18 years ago
|
||
Comment on attachment 211619 [details] [diff] [review] Proposed trunk patch sr=jst
Attachment #211619 -
Flags: superreview?(jst)
Attachment #211619 -
Flags: superreview+
Attachment #211619 -
Flags: approval-branch-1.8.1?(jst)
Attachment #211619 -
Flags: approval-branch-1.8.1+
Assignee | ||
Comment 22•18 years ago
|
||
Attachment #209233 -
Attachment is obsolete: true
Attachment #211618 -
Attachment is obsolete: true
Assignee | ||
Comment 23•18 years ago
|
||
jst, mind giving this a once-over? Merging kinda sucked. :(
Attachment #211945 -
Flags: review?(jst)
Assignee | ||
Comment 24•18 years ago
|
||
Fixed on trunk.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Comment 25•18 years ago
|
||
This turned balsa orange: ###!!! ASSERTION: aOriginalOpener is true, but we already have a document loaded: '!aOriginalOpener || !mDocument', file /builds/tinderbox/Firefox-gcc3.4/Linux_2.4.7-10_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 1473
Assignee | ||
Comment 26•18 years ago
|
||
I removed that assert, since it seems it will fire in various cases depending on what window creator and window provider do (eg if they preload about:blank).
Comment 27•18 years ago
|
||
Comment on attachment 211945 [details] [diff] [review] 1.8 branch patch r=jst
Attachment #211945 -
Flags: review?(jst) → review+
Assignee | ||
Comment 29•18 years ago
|
||
I forgot to remove the assert on the branch. See bug 341276, where I'll remove it.
Depends on: 341276
Assignee | ||
Updated•18 years ago
|
Flags: blocking1.8.1?
Comment 30•18 years ago
|
||
*** Bug 345162 has been marked as a duplicate of this bug. ***
Updated•18 years ago
|
Flags: blocking1.8.0.8-
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•