Closed Bug 909020 Opened 11 years ago Closed 11 years ago

Disable onbeforeunload questionbox and/or restrict amount

Categories

(Firefox :: Untriaged, defect)

22 Branch
x86_64
Linux
defect
Not set
normal

RESOLVED DUPLICATE of bug 636374

People

(Reporter: e7online, Unassigned)

Details

(Keywords: csectype-dos, sec-want)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0 SeaMonkey/2.19 (Beta/Release)
Build ID: 20130628210052

Steps to reproduce:

Got a popup with the following HTTP URL (don't open it with active JavaScript):
polizei.de.id657546456-3999456674.r7034.com

It contains 150x the following snippet (guess for other browsers):

<iframe srcdoc="<script>window.onbeforeunload = function(env){return 'Ihr Browser hat gesperrt. Alle PC-DATEN WERDEN festgehalten und Strafverfahren gegen Sie eingeleitet, wenn eine Geldbuße nicht bezahlt werden.';}</script>" src="de/close.php"></iframe>

Also there's a return false; function assigned to every iframe.

var strongs = document.getElementsByTagName("iframe");
for (var i=strongs.length - 1; i>=0; i--){
	var strong = strongs[i];
	var acceptor = strong.parentNode;
	while(strong.childNodes.length){
		var child = strong.childNodes[0];
		strong.removeChild(child);
		acceptor.insertBefore(child, strong);
	};
	acceptor.removeChild(strong);
};

The browser asks ~150 times whether I'm sure I want to close that window. There's also a little bit of other stuff, like trying to disable CTRL+U, but nothing "special".

It would be great to have a way to restrict the number of "Are you sure to close" messages allowed, or the same checkbox as for normal alerts ("Prevent page from opening ...").

Further idea: Add functionality to disable that question for windows opened by Javascript completely.
Blocks: eviltraps
Here's another one which uses this trick to try and force a user to download a fake Firefox update:
loansautos.com/

We should limit the number of onbeforeunload handlers that fire per top-level window to something like 3.

Gerv
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: csec-dos, sec-want
Same here. A site has 100 iframes which all have onbeforeunload and unload event listeners, and the leave page dialog appears 100 times. (Saw it on a scam website claiming to be the police and that you need to pay a fine for the porn you have watched.)
Restricting the number of onbeforeunload dialogs from a single page is bug 636374.  (Disabling onbeforeunload completely would be bug 578828 or bug 636905.)
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
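
The limit proposed in this thread (a small number of onbeforeunload dialogs per top-level window) can be modelled to show why it has to be counted per window rather than per frame. This is an added example, not Firefox code and not from any commenter; the frame shape, `makeTrapPage`, `closeWindow` and the option names are assumptions made for the illustration.

```javascript
// Model only, not Firefox code. A frame is { handlers: [fn], children: [frame] }
// (hypothetical shape); a handler returning a string asks for a "leave page?" prompt.

// Constructed sample mirroring the report: one top document holding
// `frameCount` iframes, each registering a single beforeunload handler.
function makeTrapPage(frameCount) {
  const children = [];
  for (let i = 0; i < frameCount; i++) {
    children.push({ handlers: [() => 'constructed scare text'], children: [] });
  }
  return { handlers: [], children };
}

// Walk the frame tree and count the prompts shown before the window closes.
//   perFrameCap   max prompts one frame may raise
//   perWindowCap  max prompts for the whole top-level window
//   userLeaves(n) the user's answer to the n-th prompt (true = leave)
function closeWindow(top, opts = {}) {
  const { perFrameCap = Infinity, perWindowCap = Infinity,
          userLeaves = () => true } = opts;
  let prompts = 0;
  const stack = [top];
  while (stack.length > 0) {
    const frame = stack.pop();
    stack.push(...frame.children);
    let framePrompts = 0;
    for (const handler of frame.handlers) {
      // Once either budget is spent, the remaining handlers are not fired.
      if (framePrompts >= perFrameCap || prompts >= perWindowCap) break;
      const message = handler();
      if (message === undefined || message === null) continue; // no prompt
      framePrompts++;
      prompts++;
      if (!userLeaves(prompts)) return { closed: false, prompts };
    }
  }
  return { closed: true, prompts };
}

const trap = makeTrapPage(150);
console.log(closeWindow(trap));                       // no limit
console.log(closeWindow(trap, { perFrameCap: 3 }));   // limit counted per frame
console.log(closeWindow(trap, { perWindowCap: 3 }));  // limit counted per top-level window
```

A limit counted per frame leaves every prompt in place, because each iframe raises only one; only a budget shared across the whole top-level window brings the count down.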