Closed Bug 266371 Opened 20 years ago Closed 18 years ago

[FIX]Possible to close user-opened windows by setting window.name

Categories

(Core :: DOM: Core & HTML, defect, P1)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9alpha1

People

(Reporter: bzbarsky, Assigned: bzbarsky)

References

(
URL
)

Details

(Keywords: fixed1.8.1, Whiteboard: [sg:dos])

Attachments

(4 files, 4 obsolete files)

testcase
406 bytes, text/html
Details
Proposed trunk patch
15.59 KB, patch
benjamin
: review+
jst
: superreview+
jst
: approval-branch-1.8.1+
Details | Diff | Splinter Review
Part of original patch I forgot to attach...
1023 bytes, patch
Details | Diff | Splinter Review
1.8 branch patch
19.29 KB, patch
jst
: review+
Details | Diff | Splinter Review 
STEPS TO REPRODUCE: Click on the link in the URL field.

EXPECTED RESULTS:  Nothing happens.

ACTUAL RESULTS:  Window closes.

Marking confidential for now, since this could be easily abused by sites...

Credit for initially finding this goes to Omar Khan (see bug 265921).
Flags: blocking-aviary1.0?
->danm for a possible trunk fix.
Assignee: general → danm.moz
Flags: blocking-aviary1.0?
Whiteboard: [sg:fix]
*** Bug 279529 has been marked as a duplicate of this bug. ***
Assignee: danm.moz → nobody
Requesting blocking....

Perhaps the way to do this is to keep track of the originalOpener, not just the
opener.  And then allow window.close() calls to succeed only if:

1)  There is an original opener
2)  The calling code is allowed to access the original opener (we may have to use
    a URI, not a window object, for the original opener...)
Flags: blocking1.8b2?
Flags: blocking1.7.7?
Flags: blocking1.7.7?
Flags: blocking1.8b3?
Flags: blocking1.8b2?
Flags: blocking1.8b2-
Just for kicks, why is script allowed to set/change window.name?
Flags: blocking1.8b4+
Flags: blocking1.8b3?
Flags: blocking1.8b3-
we have to deal with this in our commercial code. but there's clearly a reason.
Flags: blocking1.8b4+ → blocking1.8b4-
OK.  Being closed down is keeping this security bug from being fixed, so I'm
going to open it up and hope someone steps up... :(
Group: security
Keywords: helpwanted
Whiteboard: [sg:fix] → [sg:dos]
Not blocking 1.5, since it's merely a DoS.
Flags: blocking-aviary1.5-
Boris Zbarsky referred me to this bug as a possible cause for the problem I'm experiencing, whereby a script can close a window/tab it didn't actually open when the "Force links that open in new windows to open in the same tab/window" preference is enabled.  Here's a test case.

http://lachy.id.au/dev/2005/11/window-open-close-test

This is really annoying for me when scripts close tabs I don't want closed.  There should be a way stop scripts from closing any windows/tabs at all.
Blocks: 212298
Attached patch patch (obsolete) — Splinter Review 
Maybe something like this?
I haven't tested this much, but if fixes the testcase, and I tested with a regular window.close() testcase and that closed just fine.
Attached file testcase 
And the patch doesn't regress this testcase:
With https://bugzilla.mozilla.org/attachment.cgi?id=127485 (from bug 212298), you can't close the window anymore with the patch by clicking on the link, but when you open it in a new window (with this testcase), you can close the window by clicking on the link.
Attachment #208975 - Flags: review?(bzbarsky)
Comment on attachment 208975 [details] [diff] [review]
patch

>Index: dom/src/base/nsGlobalWindow.cpp
> void
> nsGlobalWindow::SetOpenerWindow(nsIDOMWindowInternal* aOpener)

I'm not sure I follow the changes to this function. I would think that the right thing to do would be to set mOriginalOpener the first time SetOpenerWindow is called (and set a boolean indicating that we've done that).  After that, we never set mOriginalOpener.

I definitely don't see why we're setting mOriginalOpener to the mOriginalOpener of aOpener.

>@@ -2278,16 +2284,21 @@ nsGlobalWindow::SetOpener(nsIDOMWindowIn

Similar issues here.  I'm not sure that mOpenerWasCleared is actually needed if we have the mOriginalOpener thing, for what it's worth.
Attachment #208975 - Flags: review?(bzbarsky)
Attached patch patch2 (obsolete) — Splinter Review 
So you mean something like this?
By the way, nsGlobalWindow::SetOpener doesn't seem to be used at all:
http://lxr.mozilla.org/seamonkey/search?string=SetOpener
Attachment #208975 - Attachment is obsolete: true
Attachment #209233 - Flags: review?(bzbarsky)
Comment on attachment 209233 [details] [diff] [review]
patch2

That doesn't look right either, since it allows a window to go from being "not an opened window" to "an opened window" if a window gets SetOpenerWindow called at some point "after" the window is first opened, no?

As for SetOpener, it's a scriptable method exposed to JS.  It's used in JS.
Comment on attachment 209233 [details] [diff] [review]
patch2

> since it allows a window to go from being "not
> an opened window" to "an opened window" if a window gets SetOpenerWindow called
> at some point "after" the window is first opened, no?
When would that happen? 
I can't think of a case when that happens.
Attachment #209233 - Flags: review?(bzbarsky)
The testcase in the URL bar does just that.  The only reason it works with your patch is that it has aOpener == this.  But consider something like:

javascript:window.name = "foo"; window.open('javascript:window.open("", "foo"); opener.close(); close()')

That should close the window it's run in, both with a trunk build (just tested) and with your patch (check?).

The point is, SetOpenerWindow() is called any time the window is the target of a window.open().  Unfortunately, it can be called on both windows that have openers and windows that do not, and the problem is telling a just-opened window that the window watcher is still setting up from a window that got opened by someone else.

Perhaps we can look at whether we have an extant document when SetOpenerWindow is called?  Or something?
(Grr, my internet connection suddenly died yesterday)
> That should close the window it's run in, both with a trunk build (just tested)
> and with your patch (check?).
Indeed, that would not be solved by this patch.

> Perhaps we can look at whether we have an extant document when SetOpenerWindow
> is called?  Or something?
No idea.
Also not sure yet, how your suggestion in comment 11 can work. 


I don't think it quite can, since SetOpenerWindow is not called on, say, new tabs that are opened.  :(
Depends on: 326006
Attached patch Sorta-1.8-friendly patch (obsolete) — Splinter Review 
This is just for posterity... There's no way this will apply to branch; we need to do something slightly different there diff-wise, since SetOpenerWindow wasn't even on nsPIDOMWindow.  ;)  So I'll just write separate trunk and branch patches, I guess.  And the branch patch will happen after bug 326006 lands on branch.
Attached patch Real 1.8-friendly patch (obsolete) — Splinter Review 

        Attachment #211617 -
        Attachment is obsolete: true

    
  
Depends on: 326784

    
    

    
  


  
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED

        Attachment #211619 -
        Flags: superreview?(jst)

        Attachment #211619 -
        Flags: review?(benjamin)

        Attachment #211619 -
        Flags: approval-branch-1.8.1?(jst)

    
  
Flags: blocking1.8.1?
Keywords: helpwanted
Priority: -- → P1
Summary: Possible to close user-opened windows by setting window.name → [FIX]Possible to close user-opened windows by setting window.name
Target Milestone: --- → mozilla1.9alpha

    
  

        Attachment #211619 -
        Flags: review?(benjamin) → review+

    
    

    
  
Comment on attachment 211619 [details] [diff] [review]
Proposed trunk patch

sr=jst

        Attachment #211619 -
        Flags: superreview?(jst)

        Attachment #211619 -
        Flags: superreview+

        Attachment #211619 -
        Flags: approval-branch-1.8.1?(jst)

        Attachment #211619 -
        Flags: approval-branch-1.8.1+

    
    

    
  


  

        Attachment #209233 -
        Attachment is obsolete: true

        Attachment #211618 -
        Attachment is obsolete: true

    
    

    
  

      
      
      
      

        Attached patch
          
          
        1.8 branch patchSplinter Review
      

    


  
jst, mind giving this a once-over?  Merging kinda sucked.  :(

        Attachment #211945 -
        Flags: review?(jst)

    
    

    
  
Fixed on trunk.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED

    
    

    
  
This turned balsa orange:

###!!! ASSERTION: aOriginalOpener is true, but we already have a document loaded: '!aOriginalOpener || !mDocument', file /builds/tinderbox/Firefox-gcc3.4/Linux_2.4.7-10_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 1473


    
    

    
  
I removed that assert, since it seems it will fire in various cases depending on what window creator and window provider do (eg if they preload about:blank).

    
    

    
  
Comment on attachment 211945 [details] [diff] [review]
1.8 branch patch

r=jst

        Attachment #211945 -
        Flags: review?(jst) → review+

    
    

    
  
Fixed on 1.8 branch.
Keywords: fixed1.8.1

    
    

    
  
I forgot to remove the assert on the branch.  See bug 341276, where I'll remove it.
Depends on: 341276

    
  
Flags: blocking1.8.1?

    
    

    
  
*** Bug 345162 has been marked as a duplicate of this bug. ***
Flags: blocking1.8.0.8-
Component: DOM → DOM: Core & HTML

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: