Closed
Bug 420568
Opened 16 years ago
Closed 16 years ago
Malicious server can hang browser via synchronous XMLHttpRequest request
Categories
(Firefox :: General, defect)
Firefox
General
Tracking
()
RESOLVED
DUPLICATE
of bug 190313
People
(Reporter: cwillu, Unassigned)
Details
(Keywords: hang, Whiteboard: [sg:nse dos])
Attachments
(1 file)
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9b3) Gecko/2008021416 Firefox/3.0b3
Build Identifier: '''Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6) Gecko/20071008 Ubuntu/7.10 (gutsy) Firefox/2.0.0.6''', '''Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12'''
Issuing a synchronous XMLHttpRequest to a 'streaming' resource that doesn't actually send data nor close the connection will hang all browser windows.
Reproducible: Always
Steps to Reproduce:
1. Create and host a page that issues a synchronous XMLHttpRequest to a particular url in the onload handler with a timeout.
2. Make the above url backed by a script which doesn't send a content-length header (streaming response), and which doesn't close the connection.
3. Visit the page create in (1.)
Actual Results:
All browser windows (including chatzilla windows, etc) hang with no gui updates as long as the server keeps the connection open. The user has no means of interrupting the connection other than killing the browser window via os specific means.
If the server closes the connection before the user kills the browser, then the browser regains full functionality: the ui unfreezes and the user can continue as normal.
Expected Results:
The ui should remain responsive. Ideally, the escape key would break the connection, but regardless, the connection should not hold the browser captive.
This occurs under linux and windows machines, although it _doesn't_ occur under firefox 3beta3.
The specific code I'm using is included, although the server side code won't be directly usable. The core piece of html seems to be:
function hang() {
var request = new XMLHttpRequest();
request.open("get", "hangUrl", false);
request.send(null);
}
window.addEventListener('load', function() {setTimeout('hang()', 10)}, false);
|
Reporter | |
Comment 1•16 years ago
|
||
I'll post a better example, but the idea should be visible even if the effect isn't (depends on server side).
|
||
Comment 2•16 years ago
|
||
Duplicate of bug 190313? Reporter, does it work all right for you on trunk?
|
|
Reporter | |
Comment 3•16 years ago
|
||
'''Server side code
This won't be directly useable, but the intent should be visible. Still playing with the code, the single byte trickle may not be necessary.
'''
def waitForChange(self, obj, path, hash=None):
for interval in range(60 * 60):
time.sleep(10)
yield ' '|
|
Reporter | |
Comment 4•16 years ago
|
||
Martijn, it works fine in firefox 3 beta 3, I haven't tried a trunk 2.whatever build if that's what you mean.
|
|
Reporter | |
Comment 5•16 years ago
|
||
I have a test server running at http://cwillu.com:8080/ . That url should expose the problem, and I'll try to leave it up for a few hours.
|
|
||
Comment 6•16 years ago
|
||
(In reply to comment #4) > Martijn, it works fine in firefox 3 beta 3, I haven't tried a trunk 2.whatever > build if that's what you mean. Ok, thanks for testing, yeah, that's what I meant. So I think this is indeed a duplicate of bug 190313. It was something that is fixed for Firefox 3.
|
|
Reporter | |
Comment 7•16 years ago
|
||
Looks like the trickle mentioned above isn't necessary (not terribly suprising).
|
||
Comment 8•16 years ago
|
||
I can't realistically see anyone backporting the Thread Manager redesign (bug 326273) to Firefox 2.
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Keywords: hang
Resolution: --- → DUPLICATE
Whiteboard: [sg:nse dos]
You need to log in
before you can comment on or make changes to this bug.
Description
•