Closed Bug 253780 Opened 20 years ago Closed 20 years ago

sportsline opens a popup using a delayed write of script to an iframe

Categories

(SeaMonkey :: UI Design, defect)

x86
Windows XP
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: danm.moz, Unassigned)

References

()

Details

Attachments

(1 file)

www.sportsline.com has discovered an exploit that consistently circumvents Mozilla's popup blocker. It works by writing script to an iframe after the page has finished loading. Something like so:

<iframe name="popup" src="about:blank"></iframe>
<script>
function createPopup() {
  var psrc = "<html><body><script>window.open('about:blank')<" + "/script></body></html>";
  window.frames.popup.document.write(psrc);
  window.frames.popup.document.close();
}
setTimeout(createPopup, 500);
</script>

Various alternatives also work (like loading the script externally, as the original site does), but this is the simplest. This exploit works every time, so I'm making it "confidential," though it's been noticed already.
Marking Security sensitive per Dnam's request.
Group: security
Dnam? chuckle.
Attached file testcase (deleted) —
Yeah, Dnam :-) (duh)
*** Bug 253769 has been marked as a duplicate of this bug. ***
Blocks: 253769
Clearing confidentiality flag, since evading the popup blocker is not a major security issue, and methods for such evasion are publicly known already anyway.
Group: security
I think this is a dup of bug 187255. The method used is exactly the same but called from a timeout handler instead of onload.
Certainly they're related. There are some subtle differences in timing. With any luck they won't affect the patch, but since timing is the problem, I'd like to keep them both open. (Besides the fact that "sportsline" is a popular bugzilla search right now.) The subtle difference in timing has to do with 187255's popup being created in an anonymous function defined in the <head>, and this bug's popup using a more straightforward delay. 187255 in fact doesn't work unless the function is anonymous. The difference has to do with when the body DOM is constructed and it's probably all the same thing as far as we're concerned here, but I'm not certain enough to declare this one a duplicate.
Depends on: 187255
No, bug 187255 doesn't have anything to do with anonymous functions, it works with an onload attribute on the body tag as well. And the reason for a timeout here is to make sure that the code executes after the document has been loaded - the same thing is achieved more straightforwardly in bug 187255 by using the onload handler. The real reason why the popup blocker fails is that the code created by document.write() is executed asynchronously, thus out of the event handler context - here both bugs use exactly the same approach, so they are definitely duplicate. I wrote about it in bug 252326 comment 14 and simple blocking of all attempts to open a window without a current event in fact solves all the problems. But sure, this bug can be kept open because of sportsline in its title.
> No, bug 187255 doesn't have anything to do with anonymous functions

The first testcase in the bug certainly does. And since the website named in the bug seems to no longer be opening popups, I'll go with the testcase.

> the popup blocker fails [because] the code created by
> document.write() is executed asynchronously

As I said, it's probably the same thing as far as we're concerned. But the tricky timing issue makes it worth leaving both open, just to be certain. I repeat, the 187255 testcase does NOT work unless the function is anonymous -- try it. I've commented on your analysis in bug 252326. Anyway, this is a lot of noise for what appears to be agreement that this bug doesn't need to be closed.
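As an added illustration of the fix the two comments above describe (not code from this bug or from Mozilla): a simulated popup gate that permits window.open() only while a user-initiated event handler is executing, so a call made from setTimeout, or from script that document.write() injected and that therefore runs as a separate task with no current event, is blocked. The browser pieces here (guardedOpen, dispatchEvent, queueTask, runTasks) are constructed stand-ins for the demo, not Gecko APIs.

```javascript
// Added example modelling "block any window.open() without a current event".
// All browser internals below are simulated; names are constructed for the demo.

const blockedLog = [];      // what a real blocker would report to the user
let currentEvent = null;    // non-null only while an event handler is running
const taskQueue = [];       // stands in for the event loop's task queue

// Model of window.open() guarded by the current-event check.
function guardedOpen(url) {
  if (currentEvent === null || !currentEvent.userInitiated) {
    blockedLog.push(url);   // no user-initiated event in progress: suppress
    return null;
  }
  return { url };           // allowed; stands in for the new Window
}

// Dispatch an event to a handler; the current-event context exists only for
// the synchronous duration of the handler and is restored afterwards.
function dispatchEvent(event, handler) {
  const prev = currentEvent;
  currentEvent = event;
  try { handler(event); } finally { currentEvent = prev; }
}

// setTimeout callbacks and script injected via document.write() both run as
// later tasks with no current event, which is exactly what the gate relies on.
function queueTask(fn) { taskQueue.push(fn); }
function runTasks() { while (taskQueue.length) taskQueue.shift()(); }

// Four scenarios from the thread: direct click, plain timeout (this bug's
// testcase), click that defers the open, and a non-user onload (bug 187255).
function scenario() {
  blockedLog.length = 0;
  const results = {};
  dispatchEvent({ type: 'click', userInitiated: true }, () => {
    results.fromClick = guardedOpen('about:blank#click') !== null;
  });
  queueTask(() => { results.fromTimeout = guardedOpen('about:blank#timeout') !== null; });
  dispatchEvent({ type: 'click', userInitiated: true }, () => {
    queueTask(() => { results.fromClickDeferred = guardedOpen('about:blank#deferred') !== null; });
  });
  dispatchEvent({ type: 'load', userInitiated: false }, () => {
    results.fromLoad = guardedOpen('about:blank#load') !== null;
  });
  runTasks();               // drain the queue: every deferred open is blocked
  results.blocked = blockedLog.length;
  return results;
}
```

Only the synchronous call inside the click handler succeeds; the other three are blocked because no user-initiated event is current when guardedOpen runs.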
Blocks: popups
No longer blocks: popups
*** Bug 256936 has been marked as a duplicate of this bug. ***
*** Bug 255320 has been marked as a duplicate of this bug. ***
This problem has been fixed by the patch in bug 252326.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
*** Bug 259944 has been marked as a duplicate of this bug. ***
Product: Core → Mozilla Application Suite
Component: XP Apps: GUI Features → UI Design
