infinity alert will force you to close the navigator with the CTRL+ALT+DELETE

RESOLVED DUPLICATE of bug 432687

Status

Firefox
Security
11 years ago
3 years ago

People

(Reporter: David Pelletier, Unassigned)

Tracking

unspecified
x86
All
Points:
---
Bug Flags:
blocking-firefox3.6 -

Firefox Tracking Flags

(Not tracked)

(Reporter)

Description

11 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11

Sometimes I practice my capabilities to make a website and I download at the same time, but when I fall into an infinite loop that launches an alert (JavaScript), the alerts paralyze my navigator. So I need to close it by force, and that closes my download manager, and I can't always resume a download. So I had an idea, and I have built a version (small, but you can see what I mean) that can stop the alert after 30 calls of the same function call. After 30 calls, the function is placed in a list called blacklistfunction, and if a function name is in the list, the alert is not displayed. If you want, you can continue to display the alert after 30 calls, because after 30 it launches a confirm box (confirm in JavaScript) that asks whether you want to stop the caller function or continue.


Reproducible: Always

Steps to Reproduce:
If you fall into an infinite loop of alerts (normal), you can't close the application, because you press OK and you don't have enough time to close the window before another alert pops up. And when you kill the navigator (with CTRL+ALT+DELETE) and restart the session, the window starts popping the alert again if you take the example below:
<html>
<body onload="while(0==0){alert('hello world!');}">
</body>
</html>

You are obliged to close it again and to begin a new session.


Expected Results:  
My security blocks the alert but not the script; your integrated protection will block the script, but an infinite alert loop can't be blocked with your integrated protection.

Contact me if you want to see an example and my little version of my alert2 (alert version 2.0) ;)

My alert2 work is free, but it's not completely finished, because I want to build a manager that keeps the blocked functions so that afterwards you can enable the blocked (or disabled) function again.
(Reporter)

Comment 1

11 years ago
secure alert infinity loop

When we arrive on a webpage with an infinite loop that launches an alert (JavaScript), the alerts paralyze Firefox (the only thing possible to do is to click "OK"). So we need to kill it. When reopening Firefox we can choose to reopen the saved tabs, but that also reopens the infinite alert loop page, so the only way is to restart without the saved tabs, and we lose where we were. The other thing is that if we were downloading, we cannot always resume the download (which is quite annoying).

I had the idea of blocking a certain alert call after X calls and then asking the user if he wants to continue to see this alert or not.


I have created a version (small, but you can see what I mean) that can stop the alert after 30 calls of the same function call. After the 30th call, the function is placed in a blacklist and isn't displayed anymore. If you want, you can continue to display the alert after the 30th call, because before blacklisting it, a confirm box (confirm in JavaScript) asks whether you want to stop the caller function or continue.
(Reporter)

Comment 2

11 years ago
If you want to see my script in action, go to:
http://davilinkweb.chezmeme.net/JavaScriptBugFirefox/alert2.html
And as a bonus, for an example of Firefox crashing with a normal "alert", go to:
http://davilinkweb.chezmeme.net/JavaScriptBugFirefox/alert.html
(Reporter)

Updated

11 years ago
OS: Windows XP → All

Comment 5

10 years ago
This is a huge security problem.  It allows any webpage with such a simple, and rather common looped alert box (and probably input boxes too) to completely destroy your entire browsing experience.  You can't close the window/tab without completely closing Firefox through Task Manager, which of course is not ideal for multiple reasons.  It kills your session, and if you restore the session the next time you start Firefox, you'll be back at the same problem.

This makes Firefox work as stupidly as Internet Explorer.  At least in Opera, you can disable the running of any further scripts on that page.  That's not a completely ideal solution either, but it is a great start.  You should also be able to just "reach behind" the alert box and close the offending window/tab.  Other programs do this sort of thing all the time.  Just because the alert window should always display in front of the window doesn't mean that it should maintain absolute control.

Comment 6

9 years ago
This bug must be a priority. I propose adding a "More options" expander to alert/confirm/prompt dialogs, and displaying in this expander a check-box "Enable javascript on this page", as in the Opera web browser.

Comment 7

9 years ago
Or a simple "Stop alerts on this page" checkbox should be enough.
If the checkbox has been checked, further alert()/confirm()/prompt() will raise an exception to the script. Not as good as stopping the scripts, but should be easy to implement for the time being.
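
The throttling idea from the description and Comment 1, together with Comment 7's exception variant, sketched as an added example (not the reporter's alert2 script and not Firefox code). The names makeGuardedAlert, callerKey and mode are hypothetical, and the caller is passed in explicitly rather than detected.

```javascript
// Added example: hypothetical names throughout (makeGuardedAlert, callerKey).
// alertFn / confirmFn stand in for window.alert / window.confirm so the
// logic can run outside a browser.
function makeGuardedAlert({ alertFn, confirmFn, limit = 30, mode = "suppress" }) {
  const counts = new Map();      // callerKey -> dialogs shown since last prompt
  const blacklist = new Set();   // callers the user chose to silence

  return function guardedAlert(callerKey, message) {
    if (blacklist.has(callerKey)) {
      // Comment 7's variant: surface the block to the script as an exception.
      if (mode === "throw") throw new Error("dialogs disabled for " + callerKey);
      return false;              // reporter's variant: drop the alert silently
    }
    const n = (counts.get(callerKey) || 0) + 1;
    if (n > limit) {
      // Threshold reached: ask whether this caller may keep alerting.
      if (!confirmFn(callerKey + " has shown " + limit + " alerts. Keep showing them?")) {
        blacklist.add(callerKey);
        if (mode === "throw") throw new Error("dialogs disabled for " + callerKey);
        return false;
      }
      counts.set(callerKey, 1);  // user opted in: start a new window of `limit`
    } else {
      counts.set(callerKey, n);
    }
    alertFn(message);
    return true;
  };
}

// Constructed simulation of the page's reproducer: the loop is bounded here
// so the demo terminates; the user answers "stop" at the first prompt.
function simulate(mode) {
  let shown = 0, prompts = 0, threw = false;
  const guarded = makeGuardedAlert({
    alertFn: () => { shown++; },
    confirmFn: () => { prompts++; return false; },
    mode,
  });
  try {
    for (let i = 0; i < 1000; i++) guarded("onload", "hello world!");
  } catch (e) {
    threw = true;                // in "throw" mode the script's loop is broken
  }
  return { shown, prompts, threw };
}
```

A wrapper like this only shows the counting logic; page script that calls the native dialog directly is unaffected, which is why the comments ask for the limit inside the browser's own dialog handling.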

Comment 8

9 years ago
There is an AlertCheck extension (https://addons.mozilla.org/en-US/firefox/addon/13176) that tries to implement such a checkbox on all JavaScript windows. But it should be in Firefox by default, really.

Confirmation of the bug is simple. Just insert the following string into address bar and press Enter:

javascript: while(1) {alert("Message");}

You will see those infinite alerts with no chance to escape. Very bad user experience.

Updated

9 years ago
Flags: blocking1.9.0.16?
Flags: blocking-firefox3.6?
Status: UNCONFIRMED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 432687
Flags: blocking1.9.0.16?
Would love to have a fix for this bug (or the one it's dup'd against), but we won't hold the release for this. It's not a regression, has a work-around, and tends to be self-limiting, since people don't willingly return to sites that behave badly in this way.
Flags: blocking-firefox3.6? → blocking-firefox3.6-