Closed
Bug 251793
Opened 21 years ago
Closed 12 years ago
Java applets bypass "Block Pop-Up Windows"
Categories
(Firefox :: General, defect)
Firefox
General
Tracking
()
RESOLVED
WONTFIX
People
(Reporter: technogeek, Unassigned)
References
()
Details
Attachments
(3 files, 1 obsolete file)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2
It is possible to bypass Firefox's protection against pop-up windows via a Java
applet, as the demonstrating URL indicates.
Reproducible: Always
Steps to Reproduce:
1. Make sure Java is enabled.
2. Go to the site.
Actual Results:
Hundreds of pop-ups, followed by Firefox crashing.
Expected Results:
No pop-ups. Since, you know, I have them turned off.
Updated•21 years ago
|
Summary: Java appliets bypass "Block Pop-Up Windows" → Java applets bypass "Block Pop-Up Windows"
Comment 1•20 years ago
|
||
confirming, this occurs for me when using 2004-07-27 (firefox, aviary1.0 branch)
bits on linux fedora core 1 and mac 10.3.4. would this be feasible to fix (ie,
block unwanted popups issued via Java)?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated•20 years ago
|
OS: Windows XP → All
Hardware: PC → All
Probably the exact same thing as bug 176079. I'll mark this bug dependent for now.
Depends on: BlockFlashPopup
Updated•20 years ago
|
Blocks: pop-up-arms-race
Comment 3•20 years ago
|
||
No, these bugs are not dependent. Here we have normal Java windows, not Mozilla
windows. I think, this problem has to be be solved (if at all) by means of
Java's SecurityManager - in the plugin itself.
No longer depends on: BlockFlashPopup
Comment 4•20 years ago
|
||
This is a valid bug. I just wanted to mention that stopping Java opening popup
windows altogether would seriously impact sites (mainly intranets) that use
real-work Java applets. These often have quite complex UI including popup
dialogs. So I hope nobody would be tempted to implement that hack. :)
If a change is implemented, suggest making it stop Java opening popups in a
similar manner to the HTML technique i.e. Java applets can open popups as much
as they like once somebody has clicked on or focused the applet. This would
prevent malicious applets opening popups onload. I suspect this would be
difficult to implement without co-ordination with the Java 1.5 developers, but I
don't know...
IMO it is more a duplicate as an dependency. Bug 150340 is for plugins in general.
Depends on: 150340
Comment 6•20 years ago
|
||
fyi: the demo from "URL" field (http://66.195.18.30/5000000fucks.html) is now 404 :(
Comment 7•20 years ago
|
||
When opening a map from map24.de inside a tab, a java applet is loaded. This
applet is also displayed within other tabs when one scrolls them, and the tab
receives at least mouse events. Because this applet doesn't have window
borders, one cannot distinguish it easily form the other tab's contents. I fear
that this can be used for "bad things".
Version:
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; de-DE; rv:1.7.5) Gecko/20041122
Firefox/1.0
Comment 8•20 years ago
|
||
(In reply to comment #7)
What you describe is a bug of course but it has nothing to do with the issue
discussed here. Please use the search to find a bug dealing with your problem,
I'm pretty sure there is one already.
Updated•20 years ago
|
Attachment #176270 -
Attachment is obsolete: true
Comment 9•19 years ago
|
||
Was this fixed with bug 176079 /
http://weblogs.mozillazine.org/jst/archives/2005/06/killing_more_po.html?
Comment 10•19 years ago
|
||
No, these is a very different issue. As already noted in comment 3, the demo was
demonstrating an Java applet opening Java windows, not browser windows. This can
only be solved by adjusting the security policy of the applet. The demo is gone,
I'm attaching another applet demonstrating the same thing.
Comment 11•19 years ago
|
||
Comment 12•19 years ago
|
||
Enter some number into the input field and click "Open" - the applet will open
the required number of windows.
Comment 13•19 years ago
|
||
Updated•18 years ago
|
Assignee: bross2 → nobody
Updated•12 years ago
|
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WONTFIX
You need to log in
before you can comment on or make changes to this bug.
Description
•