This repository was archived by the owner on Dec 11, 2019. It is now read-only.
This repository was archived by the owner on Dec 11, 2019. It is now read-only.
[hackerone] window.close should be blocked unless the script also opened the tab #5006
Closed
Description
Did you search for similar issues before submitting this one?
Yes
Describe the issue you encountered:
From https://hackerone.com/reports/176197
It is possible for a tab to close itself even if the tab was not opened by a script. In Chrome this is blocked with the message Scripts may close only the windows that were opened by it which is controlled by webkit DOMWindow.cpp DOMWindow::close.
Expected behavior:
window.close should only allow a tab to be closed if it was opened by the script
- Platform (Win7, 8, 10? macOS? Linux distro?):
All - Brave Version:
0.12.5 - Steps to reproduce:
- Open a page with
<html>
<title>Brave Window Object Remote Denial of Service.</title>
<head></head>
<body><br><br>
<h1><center>Brave Window Object Remote Denial of Service</center></h1><br><br>
<h2><center>Proof of Concept</center></br></br> </h2>
<center>
<b>Click the below link to Trigger the Vulnerability..</b><br><br>
<hr></hr>
<hr></hr>
<b><center><a href="javascript:window.close(self);">Brave Window Object DoS Test POC</a></center>
</center>
</body>
</html>