62310 2011-06-08 12:53:42 -0700 www.uniteful.com/39 closes itself when opened from a link on Twitter 2011-06-08 15:37:55 -0700 1 1 1 Unclassified WebKit Page Loading 528+ (Nightly build) Unspecified Unspecified NEW P2 Normal --- 1 doug webkit-unassigned abarth ap dbates eric inferno rniwa tonyg oldest_to_newest 417430 0 doug 2011-06-08 12:53:42 -0700 This is supposedly: Google Chrome 11.0.696.77 (Official Build 87952) WebKit 534.24 417435 1 doug 2011-06-08 12:57:27 -0700 Clicks on a link on a tweet via twitter's page cause the referred-to page to come up in a new tab, then immediately close. I can tweet out http://www.uniteful.com/35 and the link will appear in my stream. Upon clicking, the link comes up very quickly in a new tab. Then, that same tab closes after less than 100ms or so. This behavior happens in Chrome on both OSX and Windows, and also Safari. It doesn't happen in Firefox, IE7 (Win), or Opera (10.6 for Win, 11.11 for OSX). If I turn off Javascript in Safari, the behavior stops. But I can't seem to track down what bit of JS might be responsible for this. 417490 2 dbates 2011-06-08 14:03:04 -0700 From briefly debugging the issue, window.close() is being called in the .ready() handler (http://api.jquery.com/ready/) in <http://www.uniteful.com/javascripts/application.js> when the script detects that the window was opened from another window. 417506 3 rniwa 2011-06-08 14:13:05 -0700 Some investigation on Firebug tells me that Firefox's origin policy prohibits reload: Permission denied to access property 'reload' [Break On This Error] window.opener.location.reload(true); So maybe that's what we need to do. 417515 4 abarth 2011-06-08 14:16:42 -0700 Interesting. Yeah, I don't think we have security checks on reload. Maybe we should. 417523 5 rniwa 2011-06-08 14:19:21 -0700 (In reply to comment #4) > Interesting. Yeah, I don't think we have security checks on reload. Maybe we should. I think we should. You can trigger a replay attack if websites aren't careful about URL they open. 417538 6 doug 2011-06-08 14:28:44 -0700 Fine catch from dbates on the misplaced popup-closing code in the ready function. I've taken that out of the www.uniteful.com code, but here's the original offending bit for reference: <script src="/javascripts/jquery-1.4.2.min.js" type="text/javascript"></script> (function($){ $(document).ready(function(){ // ... if(window.opener) { window.opener.location.reload(true); window.close() } }); })(jQuery); 417552 7 inferno 2011-06-08 14:41:54 -0700 Adam, do you think it is a security bug ? 417562 8 abarth 2011-06-08 14:47:25 -0700 > Adam, do you think it is a security bug ? Nope. 417579 9 doug 2011-06-08 15:05:51 -0700 I've put the original broken page back up for ease-of-repro along with a link to a version without that document.close in the document.ready handler: http://webkit.con.com/linking.html 417595 10 rniwa 2011-06-08 15:24:05 -0700 I tried to create a http test but I don't know how I can emulate opening a link by a mouse click. 417611 11 ap 2011-06-08 15:35:13 -0700 > window.opener.location.reload(true); > window.close() Even though Firefox bails out with an assertion on reload() in this particular example, wouldn't it have prevented close(), if reached? I think that Firefox rarely allows programmatic close(). > I tried to create a http test but I don't know how I can emulate opening a link by a mouse click. You can use EventSender if it's important to simulate mouse click. 417615 12 rniwa 2011-06-08 15:37:55 -0700 (In reply to comment #11) > > I tried to create a http test but I don't know how I can emulate opening a link by a mouse click. > > You can use EventSender if it's important to simulate mouse click. I tried but the target was never loaded. I don't know what I did wrong :(