Closed Bug 62168 Opened 25 years ago Closed 24 years ago

script can't close windows from a different host

Categories

(Core :: Security, defect, P3)

Product:
Core
Component:
Security
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla0.9.1

People

(Reporter: security-bugs, Assigned: security-bugs)

References

Details

Attempting to call close() on a window object containing a page from a different host as the calling script throws a DOM access denied exception. Scripts should be able to close any window that was opened by script (enforcing the 'opened by script' part is a different bug). The code is: w=window.open("http://www.netscape.com","mywin"); setTimeout("w.close()", 4000); The security manager does a check on script globals (presumably on 'w') which fails because w is seen as belonging to the www.netscape.com host, while the calling script is coming from somewhere else. This seems incorrect. Strangely, the following code works: w=window.open("http://www.netscape.com","mywin"); setTimeout("w.location = 'http://www.mozilla.org'", 4000); In this case, the DOM never does a security check on access to 'w,' but only for access to 'location,' which is writeable by anyone.
cc'ing jst.
Status: NEW → ASSIGNED
*** Bug 36050 has been marked as a duplicate of this bug. ***
Mass changing milestones to Moz0.9.1. Many of these bugs are dependent on the XPConnected DOM and its associated security UI changes.
Target Milestone: --- → mozilla0.9.1
Fixed.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Okay, this seems to be working now. Marking VERIFIED FIXED on: -MacOS91 2001-06-01-08-trunk -Win98SE 2001-06-01-06-trunk -LinRH62 2001-06-01-08-trunk
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.