Closed Bug 92955 Opened 23 years ago Closed 23 years ago

Disable window.open from onload and onunload

Categories

(Core :: DOM: Core & HTML, enhancement, P1)

Product:
Core
Component:
DOM: Core & HTML
Type:
enhancement

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla0.9.5

People

(Reporter: rginda, Assigned: security-bugs)

References

(
URL
)

Details

(Whiteboard: fixinhand)

Attachments

(5 files)

proposed patch; take one
1.56 KB, patch
Details | Diff | Splinter Review
proposed patch; take two
3.11 KB, patch
Details | Diff | Splinter Review
proposed patch; take three
4.03 KB, patch
Details | Diff | Splinter Review
Patch take 4 - updated & added pref
4.33 KB, patch
Details | Diff | Splinter Review
Patch v5 with jst's suggestions.
4.40 KB, patch
Details | Diff | Splinter Review
Our disable window.open functionality is nice, but not very practical. With the threat of pop-unders looming, "don't allow domain X to window.open" will become less of an option, as more sites will have pop-up/unders. Maintaining the domain list will become a hassle, and some sites with pop-foo ads may have other, legitimate uses for window.open. My proposed solution is to add the ability to deny window.open when called from onload and onunload events. This "good enough" solution should eliminate most of the bogus uses of window.open, without breaking legitimate uses. My proposed implementation (patch coming up) involves searching the JS stack (via XPConnect) for the top JS frame before allowing the window.open to proceed. If the top JS frame is a function named "onload" or "onunload" (case insensitive match), bail out, otherwise continue as planned. The problems I see with this approach are: * Any script with a top level function named "onload" or "onunload" that is not attached to window, that also calls window.open, will be blocked. This false positive is in all probability rare, and should not cause problems in the real world. * Sites can get around this detection by using setTimeout (or, even worse, setInterval) which has no constant function name to match against. An alternative, and possibly cleaner solution would be to add a member to the window implementation that represents the current "in commonly abused function" counter. This counter, initially 0, would increment by one each time the window.onload, window.onunload, and setTimeout/Interval calls were about to be made, and decrement by one as these routines completed. Window.open could then verify that the counter was 0 before allowing the new window to be created. This method is much more robust, but involves some ideas that I'm not sure how to implement. Specifically, is it possible to hook onload, etc. in this way? I am under the impression that this code is all generic, and hooking 2 specific events (onload and onunload) is nontrivial.
Here is a proposed fix. It needs to be wrapped in a pref for sure, but I'd like some feedback on the basic idea before I spend too much time on this.
Status: NEW → ASSIGNED
Here are some related bugs: Bug 29346 "Prevent repeating pop-up windows" Bug 33448 "disable 'new window' when close box clicked (no window.open in onUnload)" Bug 64737 "Capabilities configurable by trigger"
New patch coming up. This patch hooks into HandleDOMEvent, in order maintain a mIsLoadComplete boolean member. mIsLoadComplete is PR_TRUE between the completion of window.onload and the start of window.onunload. This gives us the ability to block top level scripts, as well as onload and onunload, and eliminates the JS stack walk. The patch also blocks window.open if mRunningTimeout is non-null, to keep designers from getting around this stuff with a setTimeout() in onload.
This will probably block the majority of popups/popunders right now, until the advertisers get wise to it and/or we regain enough market share to make it worth their while. Then, they will open popups on mouseover, on focus, etc. In the meantime, I think this is a good idea. We'll need to make this controllable by pref, because Netscape will probably want it off. Also, we could potentially tie this into caps rather than hardcoding it into window.open. Caps could call CheckForAbusePoint() and use that as another piece of input to the security check for property access. That way, we or the users could block other properties besides window.open from running in the "abuse points" simply by adding a line to prefs. I can do this if people think there's a value to it. Thoughts?
The last patch was too conservative in checking for onload, it never saw chrome documents load, so you couldn't open new windows from chrome, like say, mailnews. I'm running with this patch in my day to day opt build, with no obvious problems yet. It'd be nice to integrate this into caps, but I don't know caps well enough to understand how it'd work. This patch adds CheckForAbusePoint() as a protected member of nsGlobalWindowImpl, how will caps call it?
I'm taking this over.
Assignee: rginda → mstoltz
Status: ASSIGNED → NEW
Target Milestone: --- → mozilla0.9.4
I think patch 4 is check-in-able. The question is, do we want it on by default in Mozilla? Needs reviews and approval.
Status: NEW → ASSIGNED
Priority: -- → P1
Whiteboard: patch
A couple of issues with the patch: - Any reason to not combine the check for aEvent->message being NS_PAGE_LOAD or NS_PAGE_UNLOAD into one place in stead of having them separated? (and yes, please do keep the braces around the if statement) - In GlobalWindowImpl::Open() the suggested changes are: + + /* If we're in a commonly abused state (top level script, running a timeout, + * or onload/onunload), and the preference is enabled, block the window.open(). + */ + nsCOMPtr<nsIPref> prefs(do_GetService(kPrefServiceCID)); + if (prefs) + { + PRBool blockOpenOnLoad = PR_FALSE; + prefs->GetBoolPref("privacy.block_open_during_load", &blockOpenOnLoad); + if (blockOpenOnLoad && CheckForAbusePoint()) { +#ifdef DEBUG + printf ("*** Blocking window.open.\n"); +#endif + return NS_OK; + } + } + This gets the pref service even if it's not necessarily needed, I would suggest this instead: + + /* If we're in a commonly abused state (top level script, running a + * timeout, or onload/onunload), and the preference is enabled, block + * the window.open(). + */ + if (CheckForAbusePoint()) { + nsCOMPtr<nsIPref> prefs(do_GetService(kPrefServiceCID)); + + if (prefs) { + PRBool blockOpenOnLoad = PR_FALSE; + prefs->GetBoolPref("privacy.block_open_during_load", &blockOpenOnLoad); + + if (blockOpenOnLoad) { +#ifdef DEBUG + printf ("*** Blocking window.open.\n"); +#endif + + *_retval = nsnull; + + return NS_OK; + } + } + Especially note the setting of *_retval in the early return case, this is important. And, a few nits on top of that: - Both 4 and 2 space indentation used in GlobalWindowImpl::CheckForAbusePoint(), use 2 space indentation in this file. - Bad indentation in GlobalWindowImpl::Open(), but that's fixed in my suggested change above. - mIsLoadComplete could maybe be renamed to mIsDocumentLoaded to make the name match closer with what it's actually used for. sr=jst with the above changes.
shaver-nit: there's nothing privacy-related here, that I can think of. Let's not dilute the term any more than we have to (or have already: c.f. the form manager).
Sure it's privacy-related. Pop-up ads are a violation of my privacy (in that they are annoying, not that they steal personal info). Can you suggest another term? It's not "security."
"Privacy" in the internet context almost always refers to personal information: none of the interesting legislation or lobbying is really concerned with "annoying things on the internet", other than spam -- and there it's because an email address is PII. I think we'd do well to keep our "privacy" label applied only to personal information. (Aside: Why isn't it OK to say it's "securing" the browser against popups, but it's OK to say that it's keeping you "private" against popups? If this isn't security, how are Window.alert controls in our configurable "security" policies security? I don't get it.) Anyway, it's a site capability. Why isn't this in with the rest of the configurable-"security" stuff, like general access to Window.open, &c.? We could either have a different capability user_pref("capability.policy.default.Window.open_during_load", "noAccess") or a different "security level" value user_pref("capability.policy.default.Window.open", "notDuringLoad") . I think either would fit better with our current what-can-this-site-do-to-my-browser? story.
I would argue that this is a security issue, after all. Denial of Service attacks fall in this category. Opening pop-up windows ad infinitum crashed a lot of browsers. This also may leads to dataloss.
> If this isn't > security, how are Window.alert controls in our configurable "security" policies > security? I don't get it. They're not security. They're just a useful side effect of the security manager. We've had this discussion, remember? I'd rather see "content control" stuff handled seaprately from security, at least on the frontend. > Anyway, it's a site capability. Why isn't this in with the rest of the > configurable-"security" stuff Ideally it would be. In fact, I plan to integrate this with the configurable policies stuff, but we're obviously out of time in this milestone and I wanted to get a basic functionality into this milestone because I think our users will really appreciate it.
I changed the pref name to "dom.disable_open_during_load" so we're not diluting the meaning of 'privacy.' Eventually I will integrate this into the "capability.policy" functionality but there's no time now. Johnny, as to your first point, it looks like the check for NS_PAGE_UNLOAD needs to come before the event handler is called, and NS_PAGE_LOAD afterwards.
Whiteboard: patch → fixinhand
Sweet. Thanks, Mitch. (I guess we'll just leave this bug open, and mutate the summary a little bit when you check in?)
r=harishd
Mitch, yeah, doh, I should've realized...
a=brendan@mozilla.org on behalf of drivers, for 0.9.4 checkin. /be
The fix is checked in. Bug 64737 will track continuing efforts to generalize this mechanism.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Target Milestone: mozilla0.9.4 → mozilla0.9.5
just for the record: What is the pref to disable popups on window close?
The pref is dom.disable_open_during_load. It's Boolean (1 or 0). I got this fromm the text of the latest patch.
Actually, the value must be true or false, not 1 or 0.
*** Bug 33448 has been marked as a duplicate of this bug. ***
Since as others have noted, once advertisers get wise to this they'll do something else like opening a window on focus, why not just have an option to ONLY allow window.open when clicked. That's the only time we ought to want it, anything else is just annoying and rife with abuse. Is this fix general enough that an enhancement request could be made to add that as another option? Or perhaps there is another similar bug already opened? I looked but wasn't able to find one.
In embedding builds, this patch seems to be a bit over zealous, and disables all popup windows. Steps to recreate: Add the line user_pref("dom.disable_open_during_load", true); to prefs.js in you mfcembed profile directory Launch mfcembed go to www.collegeclub.com click the "Log On" link Expected results: A popup window is created to let the user enter a username and password Actual results: No popup window is created.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Slice, bug 64737. Jeff, embedding may be out of luck on this one but I'll take a look.
Status: REOPENED → ASSIGNED
Why is this still open? Re: Jeff's comment on embeded builds... not seeing that on linux 2001091305... if it's still happening on embeded, file a seperate bug.
This seems to be working on windows embedding now, too.
Marking Fixed again based on comments. If this is still broken in embedding, file a separate bug. I'm not sure that embedding wants this (at least not the AOL embeddors; maybe others do).
Status: ASSIGNED → RESOLVED
Closed: 23 years ago23 years ago
Resolution: --- → FIXED
Verified on 2001-09-20-Branch build on WinNT Followed following steps and the pop up window is not opened 1. Added line user_pref("dom.disable_open_during_load", true); to prefs.js file. 2. Loaded www.collegeclub.com and clicked on the LogOn button 3. Nothing happens.
Status: RESOLVED → VERIFIED
Blocks: popups
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: