New issue
Advanced search Search tips

Issue 844423 link

Starred by 2 users
Status: Untriaged
Owner: ----
Cc:
jochen@chromium.org
tsepez@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 2
Type: Bug



Sign in to add a comment

Popup blocker doesn't prevent endless flood of popups

Reported by iamsagit...@gmail.com, May 18 2018 
<b>Chrome Version       : <Copy from: 'about:version'></b>
URLs (if applicable) : https://codepen.io/IamSagittare/pen/rvoOeB (location to find the script used)
Other browsers tested:
  Add OK or FAIL after other browsers where you have tested this issue:
     Safari:OK
    Firefox:FAIL
    IE/Edge:OK

What steps will reproduce the problem?
1. Run the script with popups NOT blocked

What is the expected result?
XSS prevention blocks opened tabs from opening more tabs.

What happens instead of that?
Endless tabs open in Chrome.

Please provide any additional information below. Attach a screenshot if
possible.
The code does not run in Edge, it gets blocked. In FireFox it opens about 30 tabs and then cancels the script.
In Chrome the script does not run if popups are blocked. If the "button" (which is supposed to only activate if clicked) is removed from the script, the opened tabs do not open more tabs.
The script is attached in a RAR file for convenience.
code-break.rar
650 bytes Download

Comment 1 by rsleevi@chromium.org, May 21 2018

Cc: jochen@chromium.org
Components: UI>Browser>PopupBlocker Blink>SecurityFeature>XSSAuditor
jochen: Noting the repro only triggers with popups not blocked, not sure who best to dig in on this.

Comment 2 by mkwst@chromium.org, May 22 2018

Cc: tsepez@chromium.org
Status: Untriaged (was: Unconfirmed)
+tsepez@ for XSS Auditor.

Comment 3 by viswa.karala@chromium.org, May 22 2018

Labels: -Pri-3 M-68 Needs-Milestone Triaged-ET FoundIn-68 Target-68 OS-Linux OS-Mac Pri-2
Able to reproduce the issue on chrome stable# 66.0.3359.181 and on latest chrome# 68.0.3436.0 using Windows-10, Ubuntu 14.04 and Mac 10.12.6. As the issue is seen from M-60(60.0.3112.0), hence considering this as Non-Regression issue.

Thanks!

Comment 4 by elawrence@chromium.org, May 22 2018

Components: -Blink>SecurityFeature>XSSAuditor
Summary: Popup blocker doesn't prevent endless flood of popups (was: Simple script avoids XSS prevention.)
This repro has nothing to do with XSS. It simply notes that a new window, if allowed, can itself create a new window if the original window simulates a click in the new window. 

I'm pretty sure this has been filed before.

Sign in to add a comment