Closed Bug 66797 Opened 24 years ago Closed 24 years ago

Clicking on a window.close() link closes the window without asking user for confirmation

Categories

(SeaMonkey :: General, enhancement)

enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 32571

People

(Reporter: nrussell, Assigned: asa)

References

()

Details

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; 0.7) Gecko/20010109
BuildID:    2001010901

I think the summary says it all on this one.  I have only been able to test this
under Win98 SE, but Internet Exploiter prompts before closing.

My test page, as can be seen, uses extremely simple, hand-written HTML, so I
sincerely doubt that any other aspect of the page is to blame.

Also, it seems to happen that Mozilla does not always exit when the only open
window is closed by this means; thus, it may be necessary to use CTRL-ALT-DEL or
a third party utility to kill off Mozilla before another copy can be started.

Since I don't know much HTML, I have not tried creating a page with an
auto-redirect to that javascript command, but if such is possible it would be an
obvious exploit.

Reproducible: Always
Steps to Reproduce:
1.Go to my test page, mentioned at the top of this bug report.
2.Click on the link.
3.

Actual Results:  Window closed instantly, without prompting for confirmation.

Expected Results:  Prompt the user.
Marking NEW. This is not implemented yet.
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows 98 → All
Hardware: PC → All
If that's going to be implemented, then I like to have a pref setting (with of
without UI) for switching it on and off. 
BTW this seems to be an [RFE], right?
First of all, I don't know what an RFE is.

Second, IMHO, the best idea would be to allow javascript to close windows that
were created by javascript, such as a pop-up poll.  
Nathan, RFE stands for Request For Enhancement. Mozilla does not support this
function yet, so that makes it an RFE. RFE's are marked in the summary with
[REF] at start, and you might do that also.

I don't know what the reason is not to implement this feature, but maybe web
authors don't like this! I'm sure someone else can answer that question.

note: I'm not so happy with the fact that web authors get a free hand in closing
the main browser window!

>Also, it seems to happen that Mozilla does not always exit when the only open
>window is closed by this means; thus, it may be necessary to use CTRL-ALT-DEL or
>a third party utility to kill off Mozilla before another copy can be started.

Sorry but I can't confirm that with build 20010122505 on WinNT4.
<offtopic>
Actually RFE's are marked as "Severity enhancement". [RFE] in the summary is
just a plain bad idea IMHO. Please avoid it.
</offtopic>

Brendan, do you think we should display this kind of alert if the user is
closing a javascript dialog?
Thank you very much Håkan, you are correct :) 

Nathan, I'm learning day by day. To be correct, the Severity should be set to
"enhancement", but other people on Bugzilla like to have the text [RFE] in the
summary, to make it more visible for them, and I agree.
I'm sorry.  I set it as a regular bug, simply because I felt that it was a
pretty severe risk - especially since I can think of meta redirects, mouseover
images and half a dozen other exploits.  I should note that I haven't actually
tried any of those, due to my limited knowledge of JS, but I know of no sure
reason they wouldn't work.  Changing to 'enhancement'.  IMHO - I'm only a
college freshman - sites should be allowed to close javascript windows, e.g.
polls and popup ads.  Any other solution, say, having to confirm every time one
clicked 'okay' in a popup dialogue, would simply be too annoying.
Severity: normal → enhancement
There's already a javascript security system. Ideally it would allow Deny, 
Prompt, Allow for each thing it controls. I suspect we already support this.
Timeless, you mean we support it but haven't enabled it?
Assignee: rogerl → asa
Component: Javascript Engine → Browser-General
QA Contact: pschwartau → doronr
Browser, not engine. Reassigning to Browser-General for disposition -
Sorry for being lazy last night...

I have written a meta redirect exploit, which is at
http://www.acsu.buffalo.edu/~nrussell/crashmoz.html.  Note that this is the URL
of the <b>actual page</b> containing the exploit.

There is no way to avoid this type of link short of viewing the page source
before visiting the page.  
i think this is a dupe of bug 29346. mstoltz: please verify if that bug can 
indeed solve the original complaint of this bug.

Nathan: this bug should not be a crasher.  There are other bugs about us 
crashing on window close, I'm sure you can find them.

*** This bug has been marked as a duplicate of 29346 ***
Status: NEW → RESOLVED
Closed: 24 years ago
QA Contact: doronr → mstoltz
Resolution: --- → DUPLICATE
I don't think this is a dup of the pop-up window bug.  It might be a dup of bug 
36050 or bug 32571.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Jesse is correct, 32571 describes this issue. I agree that a script should be
restricted in what windows it can close. This is on my list.

*** This bug has been marked as a duplicate of 32571 ***
Status: REOPENED → RESOLVED
Closed: 24 years ago24 years ago
Resolution: --- → DUPLICATE
Product: Browser → Seamonkey
You need to log in before you can comment on or make changes to this bug.