Closed Bug 345072 Opened 18 years ago Closed 18 years ago

pop-up window closes if using ssl ( opener.top.location.reload() should not be reachable from other domain)

Categories

(Core :: DOM: Core & HTML, defect)

x86
Windows XP
defect
Not set
major

Tracking

()

RESOLVED FIXED
mozilla1.8.1beta2

People

(Reporter: stephenpc, Assigned: martijn.martijn)

References

()

Details

(Keywords: fixed1.8.1, testcase)

Attachments

(2 files, 1 obsolete file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4

Click 'Spectra Webmail' on the left.
This link uses Javascript window.open() to work.  Code has been checked for validity and is o.k.  

This link is supposed to open a pop-up to https://www.spectratechnology.net
Instead the pop-up automatically closes.  

This does not happen with non-SSL pages.  


Reproducible: Always

Steps to Reproduce:
1.  Go to http://www.spectratechnology.com
2.  Click 'Spectra Webmail'.
3.  Pop-up opens and is then automatically closed.
The url doesn't load at all for me, but the popup window isn't closed for me.
Is the ssl site dead, currently?
(In reply to comment #1)
> The url doesn't load at all for me, but the popup window isn't closed for me.
> Is the ssl site dead, currently?
> 

server went down.  i am rebooting now and it should be back up within the next 10 minutes.
Ok, this happens because of this script:
            if(window.opener)
            {
                window.opener.top.location.reload();
                window.close();
            }
            
            window.top.location.target="_top";
            if(window.location.target != "_top")
              window.top.location.href = window.location.href;

window.opener.top.location.reload() is working in Mozilla for other domains, while it isn't working in IE6.
I'd rather see that scripts from the popup from a different domain weren't able at all to access the location object from the opener window, but I guess that's a compatibility thing with IE6, see bug 56053.

Testcase here:
http://wargers.org/mozilla/bug345072/345072_win_open_ssl.htm

so the solution would be to be also compatible with the IE6 case here and refuse location.reload() access from different domains.
Assignee: nobody → general
Status: UNCONFIRMED → NEW
Component: Security → DOM
Ever confirmed: true
Keywords: testcase
Product: Firefox → Core
QA Contact: firefox → ian
Version: unspecified → Trunk
Summary: pop-up window closes if using ssl → pop-up window closes if using ssl ( opener.top.location.reload() should not be reachable from other domain)
Attached patch patch (obsolete) — Splinter Review
Something like this?
This is more or less copied code from bug 197305.
Attachment #232109 - Flags: review?(bzbarsky)
So wait.  You can't location.reload() cross-domain in IE?  If so, we should just remove http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/libpref/src/init/all.js&rev=3.653&mark=286#286 and be done with it.
Specifically, if I open a window like so:

 var win = window.open('http://some-other-domain');

in IE and wait for that to load, can I call win.location.reload()?
Attachment #232109 - Attachment is obsolete: true
Attachment #232109 - Flags: review?(bzbarsky)
Attached file testcase
(In reply to comment #6)
> Specifically, if I open a window like so:
> 
>  var win = window.open('http://some-other-domain');
> 
> in IE and wait for that to load, can I call win.location.reload()?

No, you can't, that gives a script error in IE6 (at least in my IE6).
Comment on attachment 232178 [details] [diff] [review]
patch as Boris indicated in comment 5

I'd like jst to look over this too...

And I think we should at least take this on the 1.8 branch.
Attachment #232178 - Flags: superreview+
Attachment #232178 - Flags: review?(jst)
Comment on attachment 232178 [details] [diff] [review]
patch as Boris indicated in comment 5

r=jst
Attachment #232178 - Flags: review?(jst) → review+
Assignee: general → martijn.martijn
Flags: blocking1.9?
Flags: blocking1.8.1?
Flags: blocking1.8.1? → blocking1.8.1+
Whiteboard: [checkin needed]
/cvsroot/mozilla/modules/libpref/src/init/all.js,v  <--  all.js
new revision: 3.657; previous revision: 3.656
done
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Whiteboard: [checkin needed]
Attachment #232178 - Flags: approval1.8.1?
Comment on attachment 232178 [details] [diff] [review]
patch as Boris indicated in comment 5

a=beltzner on behalf of drivers for the mozilla_1_8_branch
Attachment #232178 - Flags: approval1.8.1? → approval1.8.1+
Target Milestone: --- → mozilla1.8.1beta2
Whiteboard: [checkin needed (1.8 branch)]
Checking in all.js;
/cvsroot/mozilla/modules/libpref/src/init/all.js,v  <--  all.js
new revision: 3.585.2.50; previous revision: 3.585.2.49
done

Checked into the 1.8.1 branch.
Keywords: fixed1.8.1
Whiteboard: [checkin needed (1.8 branch)]
Flags: blocking1.9?
Flags: in-testsuite?
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: