Skip to content
This repository was archived by the owner on Dec 11, 2019. It is now read-only.
This repository was archived by the owner on Dec 11, 2019. It is now read-only.

[hackerone] window.close should be blocked unless the script also opened the tab #5006

Closed
@bridiver

Description

@bridiver

Did you search for similar issues before submitting this one?
Yes

Describe the issue you encountered:
From https://hackerone.com/reports/176197
It is possible for a tab to close itself even if the tab was not opened by a script. In Chrome this is blocked with the message Scripts may close only the windows that were opened by it which is controlled by webkit DOMWindow.cpp DOMWindow::close.

Expected behavior:
window.close should only allow a tab to be closed if it was opened by the script

  • Platform (Win7, 8, 10? macOS? Linux distro?):
    All
  • Brave Version:
    0.12.5
  • Steps to reproduce:
    1. Open a page with
<html>
<title>Brave Window Object Remote Denial of Service.</title>
<head></head>

<body><br><br>
<h1><center>Brave Window Object Remote Denial of Service</center></h1><br><br>
<h2><center>Proof of Concept</center></br></br> </h2>

<center>
<b>Click the below link to Trigger the Vulnerability..</b><br><br>
<hr></hr>

<hr></hr>
<b><center><a href="javascript:window.close(self);">Brave Window Object DoS Test POC</a></center>

</center>
</body>

</html>

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions