
Full Disclosure mailing list archives

Re: multiple web browsers, multiple bugs - onUnload and location.href
From: Peter Besenbruch <prb () lava net>
Date: Thu, 22 Jul 2004 07:52:11 -1000

Rudolf Polzer wrote:
> ...Try http://www.informatik.uni-frankfurt.de/~polzer/rbiclan/location
>
> The page is SUPPOSED to prevent going to somewhere else by changing
> the URL back in onUnload (even that is already a reason to disable
> JavaScript).
>
> The interesting part is: depending on browser, you see different bugs...
>
> Mozilla, Netscape 7 or Firefox: almost works correctly. Except for two
> small bugs: View source shows the source of Google or where you TRIED
> to go to, while you SEE the unload-trap page. The other bug: when you
> close the browser window, onUnload is executed TWICE (you see two
> alert boxes, with the number increasing) and the new page is loaded,
> but not displayed. But the view-source bug somehow looks suspicious.
> Do other parts of Mozilla think it was another website too?

I ran Firefox 0.8 for Linux on KDE, and enabled all Javascript capabilities in my options for this test. I also run with the Tabbrowser Extensions set to open all clicked links in a new tab. I ran into what you described, with the exception that viewing the source of the original page and the links worked fine. The other links also opened properly in new tabs, with no alerts. One of the features of the Tabbrowser Extension that I appreciate is the ability to surf with Javascript disabled, but with the ability to activate it via a double click for those Web sites that need it.
________________________________________________________________

Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

