There is nothing security-sensitive in this report. If you've already allowed bad script onto your domain, any subsequent protections you have are basically moot. I don't know why we have a window.stop function, but I don't think there's any security reason to remove the API.
Component: Untriaged → DOM
Product: Firefox → Core
Hello, we have seen that more and more malware is using this function (window.stop()). The trojan injects script into our webpage with window.stop() at the beginning, it essentially gets the “green SSL verified bar”, and this is what the criminals want. The problem is that the function is quite defuse, and we have figured out that the browser is stopping all threads BUT not its own thread, so the malware (which is always running first) can stop all script/content from us, and still run its own script. So one question is: why stop part of the scripts and not yourself?
We have a stop() function because Netscape 2 or whatever added it, then pages used it and then everyone has to support it. The spec is at http://www.whatwg.org/specs/web-apps/current-work/multipage/browsers.html#dom-window-stop and as far as I know we match it fairly well.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → INVALID
As I mentioned in email, that function does not "stop all scripts". It does prevent the loading of additional scripts, which might appear to be the same depending on when the malicious code runs. As I also said in email, and as bsmedberg points out, having arbitrary code running in your page's context is not really a problem you can effectively mitigate by just changing stop(), so it's not useful to just focus on that. To ensure security, you need to prevent the malicious code from ever running to begin with. At this point window.stop() is a longstanding part of the web platform with some valid use cases, so we can't just remove it without very good justification, and I don't see any such justification here.
Summary: window.stop, defus behavioral → window.stop can be abused when a site is vulnerable to XSS