Windows that haven't been opened by script can't be closed using window.close(). However, calling |window.open("", "_self")| causes the existing window to be treated as if it's been opened by script, since in DOMWindow::createWindow we call |newFrame->page()->setOpenedByDOM();| without checking if this is really a newly-created frame. This means that script can trivially workaround the restriction on window.close() by instead calling: window.open("", "_self").close() Neither Blink nor Gecko allows scripts to close windows this way.
Created attachment 353388 [details] Patch
Comment on attachment 353388 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=353388&action=review r=me > LayoutTests/fast/dom/Window/window-open-self-disallow-close.html:5 > + <div id="log"></div> Is this really needed?
Created attachment 353396 [details] Patch for landing
(In reply to Chris Dumez from comment #2) > Comment on attachment 353388 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=353388&action=review > > r=me > > > LayoutTests/fast/dom/Window/window-open-self-disallow-close.html:5 > > + <div id="log"></div> > > Is this really needed? Not needed, removed now.
Comment on attachment 353396 [details] Patch for landing Clearing flags on attachment: 353396 Committed r237598: <https://trac.webkit.org/changeset/237598>
All reviewed patches have been landed. Closing bug.
<rdar://problem/45677825>