pop-up window closes if using ssl ( opener.top.location.reload() should not be reachable from other domain)

RESOLVED FIXED in mozilla1.8.1beta2

Status

Core
DOM
--
major
RESOLVED FIXED
11 years ago
10 years ago

People

(Reporter: Stephen Clayton, Assigned: Martijn Wargers (dead))

Tracking

({fixed1.8.1, testcase})

Trunk
mozilla1.8.1beta2
x86
Windows XP
fixed1.8.1, testcase
Points:
---
Bug Flags:
blocking1.8.1 +
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Attachments

(2 attachments, 1 obsolete attachment)

(Reporter)

Description

11 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4

Click 'Spectra Webmail' on the left.
This link uses Javascript window.open() to work.  Code has been checked for validity and is o.k.  

This link is supposed to open a pop-up to https://www.spectratechnology.net
Instead the pop-up automatically closes.  

This does not happen with non-SSL pages.  


Reproducible: Always

Steps to Reproduce:
1.  Go to http://www.spectratechnology.com
2.  Click 'Spectra Webmail'.
3.  Pop-up opens and is then automatically closed.
(Assignee)

Comment 1

11 years ago
The url doesn't load at all for me, but the popup window isn't closed for me.
Is the ssl site dead, currently?
(Reporter)

Comment 2

11 years ago
(In reply to comment #1)
> The url doesn't load at all for me, but the popup window isn't closed for me.
> Is the ssl site dead, currently?
> 

Server went down.  I am rebooting now and it should be back up within the next 10 minutes.
(Assignee)

Comment 3

11 years ago
Ok, this happens because of this script:
            if(window.opener)
            {
                window.opener.top.location.reload();
                window.close();
            }
            
            window.top.location.target="_top";
            if(window.location.target != "_top")
              window.top.location.href = window.location.href;

window.opener.top.location.reload() is working in Mozilla for other domains, while it isn't working in IE6.
I'd rather see that scripts from the popup from a different domain weren't able at all to access the location object from the opener window, but I guess that's a compatibility thing with IE6, see bug 56053.

Testcase here:
http://wargers.org/mozilla/bug345072/345072_win_open_ssl.htm

So the solution would be to also be compatible with the IE6 case here and refuse location.reload() access from different domains.
Assignee: nobody → general
Status: UNCONFIRMED → NEW
Component: Security → DOM
Ever confirmed: true
Keywords: testcase
Product: Firefox → Core
QA Contact: firefox → ian
Version: unspecified → Trunk
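
Added example (not part of the bug thread and not Mozilla's code): a Node.js model of the rule comment 3 asks for, where a cross-origin caller may navigate another window's Location but may not call reload(). The member table follows the current HTML Standard rather than the 2006 Gecko implementation, the function names are illustrative assumptions, and the two site URLs are the ones from the report.

```javascript
// Location members a cross-origin caller may touch (current HTML Standard):
// setting href and calling replace() navigate the window; nothing else is exposed.
const CROSS_ORIGIN_LOCATION = new Map([
  ["href", { get: false, set: true }],
  ["replace", { call: true }],
]);

// An origin is (scheme, host, port); URL.origin normalises default ports.
function originOf(url) {
  const u = new URL(url);
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    throw new TypeError("only http(s) URLs are modelled: " + url);
  }
  return u.origin;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// kind is "get", "set" or "call". Same-origin callers get full access;
// cross-origin callers get only what the table grants.
function mayAccessLocation(callerUrl, targetUrl, member, kind) {
  if (sameOrigin(callerUrl, targetUrl)) return true;
  const rule = CROSS_ORIGIN_LOCATION.get(member);
  return Boolean(rule && rule[kind]);
}

// Walks the popup script quoted in comment 3: reload() on the opener,
// then window.close(). A refused reload() throws, so close() never runs.
function popupScriptOutcome(openerUrl, popupUrl) {
  if (!mayAccessLocation(popupUrl, openerUrl, "reload", "call")) {
    return "security error: script stops, popup stays open";
  }
  return "opener reloaded, popup closed";
}

// The reporter's case: an http opener and an https popup on another host.
console.log(popupScriptOutcome("http://www.spectratechnology.com/",
                               "https://www.spectratechnology.net/"));
```
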
(Assignee)

Updated

11 years ago
Summary: pop-up window closes if using ssl → pop-up window closes if using ssl ( opener.top.location.reload() should not be reachable from other domain)
(Assignee)

Comment 4

11 years ago
Created attachment 232109 [details] [diff] [review]
patch

Something like this?
This is more or less copied code from bug 197305.
Attachment #232109 - Flags: review?(bzbarsky)
So wait.  You can't location.reload() cross-domain in IE?  If so, we should just remove http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/libpref/src/init/all.js&rev=3.653&mark=286#286 and be done with it.
Specifically, if I open a window like so:

 var win = window.open('http://some-other-domain');

in IE and wait for that to load, can I call win.location.reload()?
(Assignee)

Updated

11 years ago
Attachment #232109 - Attachment is obsolete: true
Attachment #232109 - Flags: review?(bzbarsky)
(Assignee)

Comment 7

11 years ago
Created attachment 232170 [details]
testcase

(In reply to comment #6)
> Specifically, if I open a window like so:
> 
>  var win = window.open('http://some-other-domain');
> 
> in IE and wait for that to load, can I call win.location.reload()?

No, you can't, that gives a script error in IE6 (at least in my IE6).
(Assignee)

Comment 8

11 years ago
Created attachment 232178 [details] [diff] [review]
patch as Boris indicated in comment 5
Comment on attachment 232178 [details] [diff] [review]
patch as Boris indicated in comment 5

I'd like jst to look over this too...

And I think we should at least take this on the 1.8 branch.
Attachment #232178 - Flags: superreview+
Attachment #232178 - Flags: review?(jst)
Comment on attachment 232178 [details] [diff] [review]
patch as Boris indicated in comment 5

r=jst
Attachment #232178 - Flags: review?(jst) → review+
Assignee: general → martijn.martijn
Flags: blocking1.9?
Flags: blocking1.8.1?

Updated

11 years ago
Flags: blocking1.8.1? → blocking1.8.1+
Whiteboard: [checkin needed]

Comment 11

11 years ago
/cvsroot/mozilla/modules/libpref/src/init/all.js,v  <--  all.js
new revision: 3.657; previous revision: 3.656
done
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
Whiteboard: [checkin needed]
(Assignee)

Updated

11 years ago
Attachment #232178 - Flags: approval1.8.1?
Comment on attachment 232178 [details] [diff] [review]
patch as Boris indicated in comment 5

a=beltzner on behalf of drivers for the mozilla_1_8_branch
Attachment #232178 - Flags: approval1.8.1? → approval1.8.1+

Updated

11 years ago
Target Milestone: --- → mozilla1.8.1beta2
Whiteboard: [checkin needed (1.8 branch)]
(Assignee)

Comment 13

11 years ago
Checking in all.js;
/cvsroot/mozilla/modules/libpref/src/init/all.js,v  <--  all.js
new revision: 3.585.2.50; previous revision: 3.585.2.49
done

Checked into the 1.8.1 branch.
Keywords: fixed1.8.1
Whiteboard: [checkin needed (1.8 branch)]
Flags: blocking1.9?
Flags: in-testsuite?