669045 - Pop-unders are still possible

Status: NEW

(Core :: DOM: Core & HTML, defect, P5)

Description

[Jesse Ruderman]

The patch in bug 369306 was supposed to make pop-unders impossible (turning them into pop-ups), but http://megadownload.net/ somehow has an onclick pop-under.

Comment 1

[Mounir Lamouri (:mounir)]

It seems like nsGlobalWindow::Focus() is called on the main window and canFocus is set to 0 but despite that, the window is still focused. I tried to return if canFocus is equal to 0 but that doesn't seem to change anything.

So, now, I wonder how the window could be focused without being a bug in the widget/ code. It would be interesting to check what's happening on Windows actually.

Comment 2

[Mounir Lamouri (:mounir)]

Attachment: testcase

Took me nearly the entire afternoon but I've finally found what's happening.
You can enjoy this self-explanatory testcase too ;)

Comment 3

[Mounir Lamouri (:mounir)]

Two interesting facts about this test case:
1. under.open() doesn't create a new tab in the popup window as expected but in the main window. Actually, Chrome has the same behavior, Safari creates a new window (and prevents the popunder) and Opera doesn't even create the second window as requested. Seems like IE8 and 9 does the same thing. Though, I didn't check that myself.
2. under.open() then alibi.close() creates a popunder but window.open()/alibi.close() or under.opener.open()/alibi.close() doesn't.

Comment 4

[Jesse Ruderman]

Awesome exploit. Makes perfect sense.

Comment 5

[Mounir Lamouri (:mounir)]

I had a second look at that bug...

Everything comes from here:
http://mxr.mozilla.org/mozilla-central/source/browser/base/content/browser.js#l4917

If we create a new tab with a parent window being a popup, we look at the last "main window" and add the tab to it and focus it explicitly. Weirdly, we don't do that if the new tab is directly added to the main window. That means these two codes are going to have a very different behavior:
var w = window.open(/* a popup */);
w.open(/* new tab */);
and:r
var w = window.open(/* a popup */);
window.open(/* new tab */);
or even:
var w = window.open(/* a popup */);
w.opener.open(/* new tab */);

Only the first case is going to focus the new tab and transform the popup to a popunder. According to hg blame, the reason is bug 445845.

I see three solutions:
1. We change the code of the focus manager to re-focus the previous focused window when the new tab is closed;
2. We revert the change from bug 448545 and hope we do not break too many legit behavior (note that calling window.close() would refocus the main window);
3. We do not allow more than one window.open() per event that allows window.open().

Solution 1 is very unlikely and the solution 2 seems risky.
The best solution, IMO, is the last one and might fix more annoying behavior (as far as I've tested we can currently open tons of windows from a click handlers).

Comment 6

[Gingerbread Man]

Filesonic and Wupload both have pop-unders that appear when the CAPTCHA is submitted (in both cases the advertiser is mgid.com). The pop-unders appear even though the value of dom.popup_allowed_events is empty and there are no enabled plug-ins (i.e. it's not coming from Flash content).

Could someone kindly have a look at those cases as well? It's very disappointing that the browser allows pop-unders when the user goes through so much trouble to ensure they're blocked.

Sample links:
http://www.filesonic.com/file/2671061331/
http://www.wupload.com/file/136440685/

Comment 7

[Firefox Bug Husbandry Bot]

https://bugzilla.mozilla.org/show_bug.cgi?id=1472046

Move all DOM bugs that haven’t been updated in more than 3 years and has no one currently assigned to P5.

If you have questions, please contact :mdaly.