Issue 872256
Issue metadata

Status: Assigned
OS: Linux , Windows , Mac
Pri: 2
Type: Bug

Security: Synchronous OnBeforeUnload XMLHttpRequest

Reported by peter.we...@gmail.com, Aug 8

Issue description

I have filed this bug under Security because although it affects Chrome's speed, I believe it can be purposefully exploited for malicious purposes and could result in the user's experience being downgraded.

VULNERABILITY DETAILS
The bug is exploited by creating an XMLHttpRequest in the window.onbeforeunload function with JavaScript. If the request is set to synchronous (as opposed to asynchronous) the page will not close or navigate to a new page until the request is complete. While this is a good feature for many sites, I believe a small time limit must be added (e.g. 3-5 seconds), as if a large or non-existent resource is requested, the page will not close for up to 20 seconds, which could cause major inconvenience for a user. Additionally, if used by an advertiser in an unwanted popup, users would not be able to immediately close the new window. Additionally, if a refresh of the page occurs, the tab is rendered completely unusable and cannot be closed for an excessive period of time.

VERSION
Chrome Version: 68.0.3440.84 stable
Operating System: Windows 10 (Version 1709, Build 16299.547)
Please note, this bug affects many different operating systems and browsers so I do not believe it is specific to my environment.

REPRODUCTION CASE
I have attached a sample HTML page with JavaScript demonstrating the exploit. I find the time the page is stuck open generally increases if other tabs are open, or if the user is navigating to another page (as opposed to closing the tab or window). The worst case scenario is that the user refreshes the page and then tries to navigate away/close the tab. To simulate this and further demonstrate the danger of this bug, I have added some JavaScript to refresh the page once without any user interaction (using localStorage to prevent a refresh loop).

I hope this bug report is of use to whomever it may concern, and as previously stated I believe while synchronous requests before a page unloads are a useful feature, there should be some sort of limit to how long they can take.
Thanks, Peter

Attachment: demo.html (1.1 KB)
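The non-blocking replacement for the pattern the report describes, as an added example (it is neither the reporter's demo.html nor Chromium code): data that must leave the page at unload goes through navigator.sendBeacon or fetch with keepalive, both of which return immediately, so no handler ever needs the synchronous XHR that keeps the tab open. The endpoint URL, the injected `transports` object and all function names are assumptions of this example.

```javascript
// Added example, not the reporter's demo.html. A synchronous XMLHttpRequest
// in onbeforeunload holds the tab open until the response arrives; this
// version hands the payload to the browser and returns at once.

// Builds the unload payload. Kept pure so it can be tested outside a browser.
function buildUnloadPayload(events, now = Date.now()) {
  return JSON.stringify({ sentAt: now, count: events.length, events });
}

// Picks a non-blocking transport. `transports` is injected (an assumption
// of this example) so the choice can be tested in Node, which has no
// navigator.sendBeacon; installUnloadHook passes the real browser calls.
function sendOnUnload(payload, transports) {
  // sendBeacon queues the request and returns synchronously; it returns
  // false when the browser's beacon quota is exhausted.
  if (transports.sendBeacon && transports.sendBeacon(payload)) {
    return 'beacon';
  }
  // fetch with keepalive is the fallback: the request outlives the document
  // but the call itself does not block unload.
  if (transports.fetchKeepalive) {
    transports.fetchKeepalive(payload);
    return 'fetch-keepalive';
  }
  // No non-blocking transport: drop the data rather than fall back to a
  // sync XHR, which is what made the reported page hang.
  return 'dropped';
}

// Wires the hook into a real page. `endpoint` is a placeholder URL.
function installUnloadHook(events, endpoint = '/collect-placeholder') {
  const transports = {
    sendBeacon: typeof navigator !== 'undefined' && navigator.sendBeacon
      ? (p) => navigator.sendBeacon(endpoint, new Blob([p], { type: 'application/json' }))
      : null,
    fetchKeepalive: typeof fetch === 'function'
      ? (p) => fetch(endpoint, { method: 'POST', body: p, keepalive: true }).catch(() => {})
      : null,
  };
  // pagehide fires on every navigation and tab close; either way the handler
  // must return quickly instead of waiting on a response.
  window.addEventListener('pagehide', () => {
    sendOnUnload(buildUnloadPayload(events), transports);
  });
}
```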
Components: Blink>Network>XHR
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Remove security label as it is not a vulnerability.
Cc: panicker@chromium.org
I think the behavior is to be removed: https://groups.google.com/a/chromium.org/forum/?utm_medium=email&utm_source=footer#!msg/blink-dev/LnqwTCiT9Gs/tO0IBO4PAwAJ

panicker@, is my understanding correct?
Yes we are in the middle of disallowing sync xhr during beforeunload / unload.
There is a 2s timeout -- the 20+s aspect is unexpected and sounds like a bug.

Labels: Needs-Triage-M68
Cc: vamshi.kommuri@chromium.org
Labels: Triaged-ET Target-70 M-70 FoundIn-70 OS-Linux OS-Mac OS-Windows Pri-2
Status: Untriaged (was: Unconfirmed)
Able to reproduce the issue on reported Chrome version 68.0.3440.84 and on the latest canary 70.0.3517.0 using Windows 10, Ubuntu 14.04 and Mac 10.13.1.

As the issue is seen from M60 (60.0.3112.0), considering it as Non-Regression and marking it as Untriaged.

Note: Considered the "a small time limit must be added (eg. 3-5 seconds), as if a large or non-existent resource is requested, the page will not close for up to 20 seconds which could cause major inconvenience for a user." statement for expected/actual behaviour with the help of the test file provided in comment #0.
Owner: panicker@chromium.org
Status: Assigned (was: Untriaged)
+panicker I think if you already have an issue for the removal you can dup against it.