Closed Bug 287068 Opened 20 years ago Closed 20 years ago

OWA ( Outlook web access 2000 ) - Javascript problem logging out

Categories

(Firefox :: General, defect)

x86
Windows XP
defect
Not set
normal

VERIFIED DUPLICATE of bug 183697

People

(Reporter: d.webb, Assigned: bugzilla)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1

When using Firefox to access mail via OWA 2000 there is a Javascript error when
logging out.
The logout button takes you to a webpage with the text :-

"
To complete the log off process and prevent other users from opening your
mailbox, you must close all browser windows and exit the browser application.
"

and a close button.

Clicking the close button should close the window.
However in Firefox it does nothing.

The Javascript Console displays the following :-

"
Scripts may not close windows that were not opened by script.
"


Reproducible: Always

Steps to Reproduce:
1. Using Firefox, log into OWA 2000
2. Click on the Log Off Icon
3. Click on the Close button.


Actual Results:  
Scripts may not close windows that were not opened by script.
appeared in JavaScript Console 
Nothing else happened.

Expected Results:  
Browser window should have closed.

FF deliberately won't let scripts close windows they didn't open.  There is a
setting in about:config which I think alters this behaviour
(dom.allow_scripts_to_close_windows).  

I think this is invalid, sorry.  If you disagree please reopen.

Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID

Presumably this action of not allowing a script to close a window that it
hadn't opened is intended as a security measure.
However in this case the action defeats the browser security that Microsoft
have put in place with OWA 2000.
It risks one user being able to access another user's mail by using the 
back button on the browser.
Firefox opened these windows; it should be able to close them.

If there is a setting in about:config
(dom.allow_scripts_to_close_windows)
to control this, then allowing scripts to close windows should be the default.

I regard this as a serious security hole in Firefox.

Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---

Reproducible with Mozilla/5.1 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2)
Gecko/20050405 and Mozilla/5.1 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2)
Gecko/20050405 Firefox/1.0+ on OWA (Microsoft 2003 Server Ent. & Exchange 2003 Ent.)

But I think this is an OWA problem, since OWA doesn't work with session IDs or
the like to avoid this problem.
This is not a security hole in FF, it's a security hole in OWA.
OWA also seems to think that the whole session (including cookies) ends if
you close the window.
That is true for IE but not for Mozilla and Firefox. In Mozilla the session only
ends if you close the last remaining window.

Enabling "dom.allow_scripts_to_close_windows" without a dialog would open a
security bug in FF (sites can close the whole window with other tabs in it).




*** This bug has been marked as a duplicate of 183697 ***

Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED
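
The comments above turn on whether log off may depend on the browser window closing. As an added example (not part of this bug thread, and not OWA or Firefox code), here is a log off that ends the session on the server, so a window left open cannot replay it; the `sid` cookie, the routes and the in-memory store are assumptions.

```javascript
// Added illustration: not OWA or Firefox code. The cookie name, routes and
// in-memory store are assumptions made for this sketch.
const crypto = require('crypto');

const sessions = new Map();                    // session id -> { user }
const NO_STORE = { 'Cache-Control': 'no-store' }; // Back must re-request, not replay a cached page

function cookieFor(value, extra = '') {
  return `sid=${value}; HttpOnly; Secure; SameSite=Lax; Path=/${extra}`;
}

function readSid(req) {
  const m = /(?:^|;\s*)sid=([0-9a-f]{64})(?:;|$)/.exec(req.headers.cookie || '');
  return m ? m[1] : null;
}

function login(user) {
  const sid = crypto.randomBytes(32).toString('hex'); // unguessable session id
  sessions.set(sid, { user });
  return { status: 302, body: '',
           headers: { ...NO_STORE, Location: '/inbox', 'Set-Cookie': cookieFor(sid) } };
}

function handle(req) {
  const sid = readSid(req);
  if (req.url === '/logout') {
    if (sid) sessions.delete(sid);             // the session dies on the server
    return { status: 200, body: 'Logged off.',
             headers: { ...NO_STORE, 'Set-Cookie': cookieFor('', '; Max-Age=0') } };
  }
  const session = sid ? sessions.get(sid) : undefined;
  if (!session) {                              // unknown or revoked id: back to the login page
    return { status: 302, body: '', headers: { ...NO_STORE, Location: '/login' } };
  }
  return { status: 200, body: `Inbox of ${session.user}`, headers: NO_STORE };
}

// Constructed scenario: the window stays open after log off and the old
// cookie is presented again (Back button, or the next person at the machine).
function replayAfterLogout() {
  const cookie = login('alice').headers['Set-Cookie'].split(';')[0];
  const get = (url) => handle({ url, headers: { cookie } });
  const before = get('/inbox').status;
  get('/logout');
  const after = get('/inbox');
  return { before, after: after.status, redirect: after.headers.Location, live: sessions.size };
}

console.log(replayAfterLogout());
```

With the session revoked server-side and responses marked `no-store`, the close button becomes a convenience rather than the control that protects the mailbox.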