Closed
Bug 619472
Opened 14 years ago
Closed 14 years ago
When opening a target=_blank link, "about:blank" appears in URL bar until page loads
Categories
(Firefox :: Tabbed Browser, defect)
Tracking
()
VERIFIED
DUPLICATE
of bug 610357
People
(Reporter: jruderman, Unassigned)
Details
(Keywords: dataloss, ux-implementation-level)
Attachments
(1 file, 1 obsolete file)
379 bytes, text/html
To reproduce: Click a link with target=_blank.
Result: The URL bar in the new tab shows about:blank until the server responds. This is either janky or datalossy, depending on how quickly the server responds.
Expected: The URL bar in the new tab should immediately show the URL to be loaded.
Reporter
Comment 1•14 years ago
Attachment #497886 - Attachment is obsolete: true
Comment 2•14 years ago
Note that showing the URL before the content loads in a new window is dangerous if the attacker can get a handle to that window, and if about:blank is same-origin with the opener. You fixed CVE-2010-1206 not long ago:
http://lcamtuf.blogspot.com/2010/06/yeah-about-that-address-bar-thing.html
Even if stopping the navigation is not possible, it's still a rather bad design to show malicious content while the URL bar suggests a different origin and the throbber is spinning.
So you should probably either limit this logic to cases where the attacker can't get a window handle (e.g., target=_blank); or make SOP checks fail against about:blank in this navigation scenario.
Updated•14 years ago
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Updated•14 years ago
Status: RESOLVED → VERIFIED