[Webkit-unassigned] [Bug 118871] New: Pages should not be able to abuse users inside beforeunload handlers

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jul 18 16:40:21 PDT 2013 

https://bugs.webkit.org/show_bug.cgi?id=118871

           Summary: Pages should not be able to abuse users inside
                    beforeunload handlers
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: NEW
          Keywords: InRadar
          Severity: Normal
          Priority: P2
         Component: Page Loading
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: beidson at apple.com
                CC: mjs at apple.com, ap at webkit.org, sam at webkit.org,
                    ggaren at apple.com


Pages should not be able to abuse users inside beforeunload handlers.

Abusive techniques include showing various forms of modal dialogs inside beforeunload and using iframes.

Some other browsers don't allow modal dialogs inside beforeunload (like alert, confirm, prompt, showModalDialog), and I think WebKit shouldn't by default.

Also, if multiple iframes all try to display a beforeunload confirmation dialog, that seems like spam - Only one should be allowed to be shown.

Finally, iframes from different origins probably shouldn't be allowed to show even one beforeunload confirmation.

This is in radar as <rdar://problem/14475779>

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list