Closed
Bug 410735
Opened 17 years ago
Closed 17 years ago
Malicious JS confirmation/alert box in infinite loop will render Firefox unusable, must be killed, and session can't be restored easily
Categories
(Firefox :: General, defect)
Tracking
()
People
(Reporter: hmpxrii, Unassigned)
References
()
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b3pre) Gecko/2008010304 Minefield/3.0b3pre Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b3pre) Gecko/2008010304 Minefield/3.0b3pre Any page with a script that displays a confirmation or alert box in an infinite loop, will make it impossible for the user to navigate to another page or to close the window, since the confirmation/alert box will always steal focus and never go away. It is also impossible to switch to other tabs in the same window. This is especially problematic if you have many tabs open, since the session can't easily be restored without loading the same page again. A malicious page could also keep loading offensive material and/or open pop-up windows without allowing the user to stop the script by closing the tab. Reproducible: Always Steps to Reproduce: 1. Make a page with the following code: <html> <body> <script> while(true) alert("You will now have to kill your browser."); </script> </body> </html> 2. Navigate to this page. You will now not be able to close the current tab or window, or access any other tabs in the current window. Actual Results: I was unable to close the window or navigate to any other page. Expected Results: I expect to be able to close any page that tries to run annoying scripts (or any other page, for that matter). The problem depends slightly on what OS/window manager you are using. For example, using twm on Linux, it is possible to resolve it by closing the current tab with the keyboard shortcut (ctrl-W), but not by using the mouse. Using Gnome, Windows or Mac OS, the application must be killed. This should be resolved by replacing the confirmation/alert boxes with a widget that does not steal focus from the main application.
Comment 1•17 years ago
|
||
Dup of bug 61098 or bug 59314.
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•