This repository has been archived by the owner on Dec 11, 2019. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 973
[hackerone] window.close should be blocked unless the script also opened the tab #5006
Milestone
Comments
diracdeltas
changed the title
window.close should be blocked unless the script also opened the tab
[hackerone] window.close should be blocked unless the script also opened the tab
Oct 24, 2016
the PoC no longer works for me in the latest release. console shows the error
|
closing because i can't find a way to get a window to close itself in the latest build or on master; please reopen if you can @bridiver |
test plan:
|
i got confused and reopened this because the PoC was successful if the link above was clicked to open in a new tab. but that seems like the intended behavior because it works the same in chrome. |
This was referenced Oct 26, 2016
This was referenced Oct 27, 2016
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Did you search for similar issues before submitting this one?
Yes
Describe the issue you encountered:
From https://hackerone.com/reports/176197
It is possible for a tab to close itself even if the tab was not opened by a script. In Chrome this is blocked with the message
Scripts may close only the windows that were opened by it
which is controlled by webkit DOMWindow.cppDOMWindow::close
.Expected behavior:
window.close should only allow a tab to be closed if it was opened by the script
All
0.12.5
The text was updated successfully, but these errors were encountered: