Firefox DoS - tight JS loop in onload handler




10 years ago
9 years ago


(Reporter: Brade, Unassigned)




Firefox Tracking Flags

(Not tracked)


(Whiteboard: DUPEME)


(1 attachment)



10 years ago
Created attachment 324451
Small HTML page that has tight JS loop (should eventually stop)

I came across an evil web page while developing and testing a new extension.  This evil page has a variety of attacks including Denial of Service for the browser.  I've found ways to address most of the attacks but I'm not sure how to address a tight JS loop.  Timers are not fired, the page does not complete loading, and Firefox does not display the "A script on this page may be busy..." prompt.

All Platforms.  Tested on Linux, Mac, Windows; Firefox and Firefox 3rc2.

Ideally I could add a hook that would allow me to detect this situation and kill the script, close the page, or load a different URL.  Better yet, the JS engine would just detect that it is in an infinite loop and break itself out of it or at least allow other code to run so the Firefox UI can update itself, etc.

Comment 1

10 years ago
Client hangs are not considered "denial of service bugs", and they're a dime a dozen, so I'm making this bug public.

This is probably a dup of an existing bug report, such as bug 380806.  And I think you'll find that without the innerHTML-setting inside the loop, you get a slow-script dialog.
Group: security
This is in any event not a JS engine bug. SpiderMonkey monitors loops (both interpreted and in costly native methods) and calls the DOM to measure time and put up a slow script dialog when too much wall-clock time has passed.

Assignee: general → nobody
Component: JavaScript Engine → DOM
QA Contact: general → general
Whiteboard: DUPEME
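
The mechanism described in the last comment (the engine monitors loops and calls back into the host to measure wall-clock time and offer to stop the script) can be modelled in a few lines. This is an added illustration, not SpiderMonkey or Firefox code; every name, the check interval and the time budget are assumptions.

```javascript
// Toy model of a loop watchdog: the "engine" counts loop back-edges and,
// every CHECK_INTERVAL of them, asks the host whether the time budget is spent.
// All names here are hypothetical, not SpiderMonkey's.
const CHECK_INTERVAL = 1000;      // back-edges between host checks (assumed)

class ScriptTerminated extends Error {}

function makeWatchdog({ budgetMs, now = Date.now, onSlowScript }) {
  let started = now();
  let backEdges = 0;
  return {
    // Called by the engine on every loop back-edge.
    tick() {
      if (++backEdges % CHECK_INTERVAL !== 0) return;   // keep the hot path cheap
      if (now() - started < budgetMs) return;           // still within budget
      // Host decides: "stop" aborts the script, "continue" grants a new budget.
      if (onSlowScript() === "stop") throw new ScriptTerminated("slow script stopped");
      started = now();
    },
    get backEdges() { return backEdges; },
  };
}

// Runs `body` (returns false when the loop is done) under the watchdog.
function runGuarded(body, watchdog) {
  try {
    while (body()) watchdog.tick();
    return { completed: true, backEdges: watchdog.backEdges };
  } catch (e) {
    if (!(e instanceof ScriptTerminated)) throw e;
    return { completed: false, backEdges: watchdog.backEdges };
  }
}

// Constructed demo: a fake clock advancing 1 ms per read keeps the run deterministic.
function demo() {
  let t = 0;
  const clock = () => t++;
  let prompts = 0;
  const wd = makeWatchdog({
    budgetMs: 5, now: clock,
    onSlowScript: () => (++prompts < 2 ? "continue" : "stop"),
  });
  const result = runGuarded(() => true, wd);   // loop that never ends by itself
  return { ...result, prompts };
}
```

The check only runs where the engine calls `tick()`, so any long-running path that never reaches such a call point is invisible to the watchdog.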