Chrome self.close()
Reported by
mishra.d...@gmail.com,
Feb 7 2017
|
||||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 Steps to reproduce the problem: The chrome browser fails to sanitize a check when self.close() function is called in number of dynamically generated events. The function is called in a suppressed manner and kills the parent window directly by default. What is the expected behavior? The parent tab or browser should not get close. This security issue is a result of design flaw in the browser.Scripts must not close windows that were not opened by script,if script specific code is designed.There must be a parent window confirmation check prior to close of window. Other Browser: IE : Gives a popup Mozilla: Doesn't works. What went wrong? Fails to Sanitize self.close() or similar <html><body> <script> self.close(); </script> </body></html> Did this work before? N/A Chrome version: 55.0.2883.87 (Official Build) m (64-bit) Channel: stable OS Version: 6.1 (Windows 7, Windows Server 2008 R2) Flash Version: Shockwave Flash 24.0 r0
,
Feb 9 2017
,
Feb 14 2017
Able to reproduce the issue on Windows 7, Ubuntu 14.04 using stable#56.0.2924.87 , Canary#58.0.3011.0 & reported version-55.0.2883.87 as per the given html file.On Mac 10.12.2-chrome browser is getting closed when we ran .html file. No close confirmation popup box displayed on all the above mentioned versions & same the issue observed from M30 builds onwards.Hence marking this issue as 'Untriaged'. Please find the attached screencast for reference. Thanks.
,
Feb 14 2017
,
Feb 14 2017
|
||||
►
Sign in to add a comment |
||||
Comment 1 by elawrence@chromium.org
, Feb 7 2017Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug