
Issue 702415 link

Starred by 2 users

Issue metadata

Status: Duplicate
Merged: issue 394296
Owner: ----
Closed: Apr 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows
Pri: 1
Type: Bug




Calling history.replaceState too quickly causes application-wide DoS

Reported by chandler...@gmail.com, Mar 16 2017

Issue description

Chrome Version       : 56.0.2924.87 (Official Build) (64-bit)
URLs (if applicable) :
Other browsers tested:
  Add OK or FAIL, along with the version, after other browsers where you
have tested this issue:
     Safari: OK 10.0.2 (12602.3.12.0.1)
    Firefox: FAIL 52.0 (64-bit)

What steps will reproduce the problem?
(1) Execute the following JavaScript:
// Reporter's reproduction: hammer history.replaceState with the current URL in a tight loop.
for (let i = 0; i < 10000000; i++) {
  window.history.replaceState({}, null, location.href);
}

What is the expected result?
Lock up the current tab.

What happens instead?
Entire browser application is locked, can switch between tabs but not interact. Cannot open new tabs. Cannot kill offending tab via Chrome's Task Manager.

Please provide any additional information below. Attach a screenshot if
possible.

Firefox exhibits the same result; though it eventually asks if you want to kill a long-running script, it remains locked after attempting to kill the script.

Safari displays the following warning in the developer console: SecurityError (DOM Exception 18): Attempt to use history.replaceState() more than 100 times per 30.000000 seconds
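An added example, not code from the bug report or from any browser's implementation, of what a page can do on its own side while the browser has no limit: a rate-limited wrapper around history.replaceState modelled on the Safari limit quoted above (100 calls per 30 seconds). Calls over budget are coalesced, so only the newest state and URL is applied once the window has room, and a runaway loop still ends at its final URL without flooding the browser process. The function names, the injectable `now`/`schedule` hooks and the `simulateBurst` harness with its fake history object are assumptions made for the example; in a page you would call `createThrottledReplaceState(window.history)`.

```javascript
// Added example (not from the bug report or Chromium): a client-side rate
// limiter around history.replaceState, modelled on the Safari limit quoted
// in the report (100 calls per 30 seconds). `hist`, `now` and `schedule` are
// injectable (assumed names) so the example also runs under Node.

const MAX_CALLS = 100;     // budget from the Safari message quoted above
const WINDOW_MS = 30000;   // window from that message

function createThrottledReplaceState(hist, opts = {}) {
  const maxCalls = opts.maxCalls ?? MAX_CALLS;
  const windowMs = opts.windowMs ?? WINDOW_MS;
  const now = opts.now ?? Date.now;
  const schedule = opts.schedule ?? setTimeout;

  const sent = [];        // timestamps of calls forwarded in the current window
  let pending = null;     // newest suppressed [state, title, url], if any
  let timer = null;       // scheduled flush handle (non-null whenever pending is set)
  let dropped = 0;        // calls absorbed into a pending entry
  let forwarded = 0;      // calls actually passed to hist.replaceState

  function prune(t) {     // forget timestamps older than one window
    while (sent.length && t - sent[0] >= windowMs) sent.shift();
  }
  function msUntilRoom(t) {   // delay until the oldest timestamp leaves the window
    return sent.length ? Math.max(0, sent[0] + windowMs - t) : 0;
  }
  function send(args) {
    hist.replaceState(...args);
    sent.push(now());
    forwarded += 1;
  }
  function flush() {
    timer = null;
    if (pending === null) return;
    const t = now();
    prune(t);
    if (sent.length < maxCalls) {
      const args = pending;
      pending = null;
      send(args);
    } else {
      timer = schedule(flush, msUntilRoom(t));   // still saturated, retry later
    }
  }

  function replaceState(state, title, url) {
    const t = now();
    prune(t);
    if (pending === null && sent.length < maxCalls) {
      send([state, title, url]);
      return true;                      // forwarded immediately
    }
    dropped += 1;
    pending = [state, title, url];      // newer call supersedes the queued one
    if (timer === null) timer = schedule(flush, msUntilRoom(t));
    return false;                       // coalesced, applied when the window has room
  }

  replaceState.stats = () => ({ forwarded, dropped, pending: pending !== null });
  return replaceState;
}

// Offline simulation of the report's loop against a fake history and a fake
// clock (constructed for this example): n calls at t=0, then the clock is
// advanced one window and due timers are run. Returns what reached the fake
// history, so the behaviour can be checked without a browser.
function simulateBurst(n, opts = {}) {
  const urls = [];
  const fakeHistory = { replaceState: (state, title, url) => urls.push(url) };
  let clock = 0;
  const timers = [];
  const rs = createThrottledReplaceState(fakeHistory, {
    ...opts,
    now: () => clock,
    schedule: (fn, ms) => { timers.push({ fn, at: clock + ms }); return timers.length; },
  });
  for (let i = 0; i < n; i++) rs({ i }, null, '/page?i=' + i);
  const afterBurst = urls.length;
  clock += opts.windowMs ?? WINDOW_MS;
  timers.splice(0).filter((x) => x.at <= clock).forEach((x) => x.fn());
  return { afterBurst, total: urls.length, last: urls[urls.length - 1], stats: rs.stats() };
}

// In a page: const replaceState = createThrottledReplaceState(window.history);
if (typeof window === 'undefined') console.log(simulateBurst(10000));
```

The wrapper keeps the last suppressed call rather than dropping it, because for replaceState only the final URL matters; earlier intermediate states were never observable anyway. A page that must preserve every call (pushState, where each entry is history) needs a queue instead of a single pending slot.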
 
Cc: kavvaru@chromium.org
Components: Blink>JavaScript Platform>DevTools
Labels: -Pri-3 M-59 OS-Linux OS-Windows Pri-1
Status: Untriaged (was: Unconfirmed)
Able to reproduce the issue on Windows 7 and Ubuntu 14.04 using Chrome version 57.0.2987.110 and Canary 59.0.3043.0 with the below steps:

1. Executed the given code snippet in the console
2. Observed browser locked, not able to perform any action

This is observed till M50. But on M45 and M40 versions getting an error in the console. Marking it as Untriaged to get more inputs from the dev team.

Thanks,
Cc: l...@chromium.org
It seems like this is more of a Blink issue but @luoe do you think it's worth putting in some kind of console messaging / throttling?
Components: -Platform>DevTools
This happens regardless of whether devtools is open.
Cc: rsch...@chromium.org
Components: -Blink>JavaScript Blink
Not V8 related. Some popup should appear though and ask you to end script execution. rschoen was afaik thinking about a better solution for this in the past.
Components: -Blink UI>Browser>Navigation Blink>DOM
If we're locking up the whole browser there must be some browser interaction, so not all Blink. Hard to know the right component, trying DOM.
Mergedinto: 394296
Status: Duplicate (was: Untriaged)
This is a long standing issue that many web platform APIs have that send IPCs to the browser process. kinuko@ has thought about possible solutions. Let's dupe to 394296
