Closed Bug 450292 Opened 16 years ago Closed 16 years ago

Block window move/resize if not the active tab

Categories

(Firefox :: Tabbed Browser, defect)

Product:
Firefox
Component:
Tabbed Browser
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED DUPLICATE of bug 186708

People

(Reporter: rafelivgi, Unassigned)

References

(Blocks 1 open bug)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; he; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; he; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1 Recently I have been making a research and visited a lot of websites in different tabs. Suddenly firefox began jumping on the screen infinitly, I began checking each windows until I found this: {script type="text/javascript"} window.onerror = function() {return true;}; setInterval(function(){ moveBy(1,-1); },10) setInterval(function(){ moveBy(-1,1); },11) {/script} Now I realized how SAD it is that 1 website out of 30 open website tabs is almost making a denial of service attack on my surf! as a security researcher I must say I can see the vulnerabilities followed by this design. I believe javascript code must no be executing while the tab is focused out and if it must, at least the access to the "window." functions such as moveTo,resizeTo,moveBy... should not be accessible at that time. Reproducible: Always Steps to Reproduce: 1. Open a few different domains in different tabs 2. Surf to a domain containing the following script code {script type="text/javascript"} window.onerror = function() {return true;}; setInterval(function(){ moveBy(1,-1); },10) setInterval(function(){ moveBy(-1,1); },11) {/script} 3. Suffer :) Actual Results: The entire browser window is jumping infinitly! Expected Results: The window must not move while inside any other tab different than the one with the evil javascript. You can see a live sample of this script on http://mario.heideri.ch/
There is an option to disable that ability globally in preferences (Content tab, "Advanced" button near the Javascript setting). It's fairly popular, and we even tried to make that the default setting in Firefox 3, but we broke some major sites and had to back off. read the sad tale in bug 412862 Similar suggestions in bug 186708 (don't move/resize if toolbars-that is, not a popup) and bug 144069 (don't move/resize if other tabs). Blocking if not active is another approach but doesn't really limit the abuse potential -- sites that abuse this usually start when you first open it, they don't wait for you to move to some other tab.
Blocks: eviltraps
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Summary: Design flaw in javascript access to "window." functions while tab is not focused → Block window move/resize if not the active tab
You need to log in before you can comment on or make changes to this bug.