Skip to content
This repository has been archived by the owner on Dec 11, 2019. It is now read-only.

prevent js alert spoofing attacks #2755

Closed
3 tasks done
diracdeltas opened this issue Jul 28, 2016 · 9 comments · Fixed by #7107
Closed
3 tasks done

prevent js alert spoofing attacks #2755

diracdeltas opened this issue Jul 28, 2016 · 9 comments · Fixed by #7107
Labels
QA/checked-Linux QA/checked-macOS QA/checked-Win32 QA/checked-Win64 QA/test-plan-specified release-notes/include security
Milestone
0.13.5

Comments

@diracdeltas
Copy link
Member

diracdeltas commented Jul 28, 2016
edited by bsclifton
Loading

Test Plan

  1. Visit http://jsbin.com/fiyojusahu/edit?html,output
  2. In the output area, click the Click me to test an alert button
  3. Observe that the alert:
  • does not show the Brave logo
  • shows the domain it originated from
  • is only shown on this tab; you can switch tabs without a problem. There is no question which tab created this alert.
  1. Click OK to close alert
  2. Open http://jsbin.com/sadunogefu/edit?html,output in a new tab
  3. In the output area, click the Click me to test a confirm button
  4. Observe that the confirm:
  • does not show the Brave logo
  • shows the domain it originated from
  • is only shown on this tab; you can switch tabs without a problem. There is no question which tab created this confirm.
  1. Click cancel to close confirm

original issue text

if you open https://jsfiddle.net/s4oab7yn/ and then switch to another tab, the alert shows looks like it's coming from the currently-active tab instead of the tab it's actually from.

two mitigations:
@diracdeltas diracdeltas added this to the 1.1.0 milestone Oct 18, 2016
@diracdeltas diracdeltas mentioned this issue Oct 20, 2016
Closed
@Sh1d0w
Copy link

Sh1d0w commented Oct 21, 2016
edited
Loading

Can we do it like Chrome does it? When an alert or confirm is invoked in another tab, different from the current active one, the tab that triggered the alert becomes the active tab (without any user interaction needed)? I think this is the most clean way to do it, because some users still may get confused.

@bbondy
Copy link
Member

bbondy commented Oct 22, 2016

I much prefer what @diracdeltas mentioned with a button to switch to the tab. I find it very obnoxious and annoying that Chrome makes itself the active window and loses my current-tab-context.

@diracdeltas diracdeltas modified the milestones: 0.12.8dev, 1.1.0 Oct 24, 2016
@diracdeltas
Copy link
Member Author

@bridiver how involved do you think this will be WRT electron? wondering if it will be feasible for 0.12.8

@bbondy bbondy modified the milestones: 0.12.9dev, 0.12.8dev Oct 31, 2016
@BrendanEich
Copy link
Member

I recall Chrome puts a checkbox in the JS dialogs so users can stop them repeating from a given origin. Is that right? We could do worse!

@bridiver
Copy link
Collaborator

bridiver commented Nov 4, 2016
edited
Loading

I think the current plan is to generate the JS dialogs inside the brave ui instead of using the current OS dialogs and display them per-tab instead of window modal. Similar to Safari, but also adding the checkbox as @BrendanEich mentioned

@bridiver
Copy link
Collaborator

bridiver commented Nov 4, 2016

fyi - Safari won't even display the window.alert if you run it inside a setTimeout so you'll have to remove that if you want to compare Safari to Brave or Chrome

@bbondy bbondy modified the milestones: 0.12.10 release , 0.12.9dev Nov 8, 2016
@bbondy bbondy modified the milestones: 0.12.11, 0.12.10 release Nov 17, 2016
@cndouglas cndouglas mentioned this issue Nov 19, 2016
Closed
@bbondy bbondy modified the milestones: 0.13.1, 0.13.0 Nov 29, 2016
@cndouglas cndouglas mentioned this issue Dec 7, 2016
Closed
@cndouglas
Copy link

Related issue: #3794

@bbondy bbondy modified the milestones: 0.13.1, 0.13.2 Jan 1, 2017
@cndouglas cndouglas mentioned this issue Jan 28, 2017
Closed
@bsclifton bsclifton assigned bsclifton and unassigned bsclifton Feb 2, 2017
@bsclifton bsclifton added this to the 0.13.3 milestone Feb 6, 2017
@bsclifton bsclifton removed this from the 0.13.4 milestone Feb 6, 2017
@bsclifton bsclifton mentioned this issue Feb 6, 2017
Merged
4 tasks
@bsclifton bsclifton modified the milestones: 0.13.4, 0.13.3 Feb 10, 2017
@bsclifton
Copy link
Member

Moving to 0.13.4

This was referenced Feb 11, 2017
Closed
Closed
Closed
Closed
@alexwykoff alexwykoff mentioned this issue Feb 26, 2017
Closed
This was referenced Mar 1, 2017
Closed
Closed
Closed
Closed
@srirambv
Copy link
Collaborator

srirambv commented Mar 1, 2017

Verified on master. Works fine

This was referenced Mar 3, 2017
Closed
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
QA/checked-Linux QA/checked-macOS QA/checked-Win32 QA/checked-Win64 QA/test-plan-specified release-notes/include security
Projects
None yet
Milestone
0.13.5
Development

Successfully merging a pull request may close this issue.

Rework alert/confirm to be tab-modal (instead of application-modal)
9 participants
@bridiver @BrendanEich @diracdeltas @bbondy @alexwykoff @bsclifton @Sh1d0w @srirambv @cndouglas