
Issue 868129

Starred by 2 users

Issue metadata

Status: Untriaged
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Windows, Mac
Pri: 2
Type: Bug


Ability to avoid Popup Blocker when assigning eval to innerHTML on user related DOM event

Reported by gosi...@gmail.com, Jul 26

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3503.0 Safari/537.36

Steps to reproduce the problem:
Use JSFiddle: https://jsfiddle.net/uqjcn0ma/

Or save and run code:

<!DOCTYPE html>
<html>
<body>
    <div id="ghost"></div>
    <p onclick="func()">Click me to spawn popup!</p>
    <script>
        function func() {
            document.getElementById("ghost").innerHTML = eval(`window.open("https://www.google.com", "_blank")`);
        }
    </script>
</body>
</html>

What is the expected behavior?
The popup should be blocked.

What went wrong?
Presumably there is a bug which causes the Popup Blocker to fail to detect a popup spawn in an eval() assignment to 'innerHTML' invoked by a user related DOM event.

It seems like all mouse events are affected.

Technique to achieve this is hideous, but works. I was pushed to reproduce it due to harassment by those popups on various sites.

Did this work before? N/A 

Chrome version: 70.0.3503.0  Channel: canary
OS Version: 10.0
Flash Version:
 
Labels: Needs-Triage-M70
Few more remarks:
- All major browsers are affected, not only V8/Blink based
- Many previous versions and current canary/dev build of Chrome are affected
- Issue is OS independent

It seems also after more tests that assigning eval to "innerHTML" is not necessary.

Cc: vamshi.kommuri@chromium.org
Components: -UI UI>Browser>PopupBlocker
Labels: Triaged-ET Target-70 M-70 FoundIn-70 OS-Linux OS-Mac
Status: Untriaged (was: Unconfirmed)
Thanks for filing the issue!

Able to reproduce the issue on the reported Chrome version 70.0.3503.0 and on the latest canary 70.0.3504.0 using Mac 10.13.1, Windows 10 and Ubuntu 14.04.

As the issue is seen from M60 (60.0.3112.0), considering it as Non-Regression and marking it as Untriaged.
Note: Tentatively adding component "UI>Browser>PopupBlocker"; please change if this isn't apt.

Reporter: can you clarify why this is a bug? Chrome's popup blocker should always allow popups if the user clicks, so you can just replace your HTML with something much simpler for the same effect:
<p onclick="window.open('https://www.google.com')">Click me to spawn popup!</p>