No, the situation around this specification-wise hasn't really improved from three years ago unfortunately.
-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1638610

Title:
  Dependency of JavaScript objects is Misconfigured Browser Crashes.

Status in Mozilla Firefox:
  Confirmed
Status in firefox package in Ubuntu:
  Confirmed

Bug description:
  Hey Team,

  The bug I want to mention here is a denial of service attack that will
  not allow any kind of redirection on a page crafted by an attacker where
  we have used hyperlinks (a href).

  The bug can be maliciously used by crafting an HTML file by an attacker
  and then sending it to the victim, clearly showing through the status
  bar that there is a hyperlink that redirects to, let's say, google.com,
  but it will not; instead it causes denial of service, and browsers also
  hang up and crash.

  I have tested it on the very latest version of the Ubuntu LTS default
  browser.

  Reason:

  The following script stops the page from being redirected:

      window.onbeforeunload = function(){
          //Unredirectable Page
          setTimeout("window.location=document.location;",0);
      }

  Demo URL: http://hackies.in/Unredirect-Browsers-Test.html

  Actual results:
  It should redirect me to the new page, whereas it doesn't redirect to a
  new page and the browser hangs up.

  Expected results:
  So dependency of JavaScript objects (window.document) on the href
  attribute should not be there.

  Attached POC for reference.