Created attachment 497886: testcase
To reproduce: Click a link with target=_blank.
Result: The URL bar in the new tab shows about:blank until the server responds. This is either janky or datalossy, depending on how quickly the server responds.
Expected: The URL bar in the new tab should immediately show the URL to be loaded.
Created attachment 497890: testcase with a mix of fast and slow sites
Attachment #497886 - Attachment is obsolete: true
Note that showing the URL before the content loads in a new window is dangerous if the attacker can get a handle to that window, and if about:blank is same-origin with the opener. You fixed CVE-2010-1206 not long ago: http://lcamtuf.blogspot.com/2010/06/yeah-about-that-address-bar-thing.html
Even if stopping the navigation is not possible, it's still a rather bad design to show malicious content while the URL bar suggests a different origin and the throbber is spinning. So you should probably either limit this logic to cases where the attacker can't get a window handle (e.g., target=_blank), or make SOP checks fail against about:blank in this navigation scenario.
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 610357