Browser-laptop: prevent js alert spoofing attacks

Created on 28 Jul 2016  路  9Comments  路  Source: brave/browser-laptop

Test Plan

  1. Visit http://jsbin.com/fiyojusahu/edit?html,output
  2. In the output area, click the Click me to test an alert button
  3. Observe that the alert:
  4. does not show the Brave logo
  5. shows the domain it originated from
  6. is only shown on this tab; you can switch tabs without a problem. There is no question which tab created this alert.
  7. Click OK to close alert
  8. Open http://jsbin.com/sadunogefu/edit?html,output in a new tab
  9. In the output area, click the Click me to test a confirm button
  10. Observe that the confirm:
  11. does not show the Brave logo
  12. shows the domain it originated from
  13. is only shown on this tab; you can switch tabs without a problem. There is no question which tab created this confirm.
  14. Click cancel to close confirm

original issue text

if you open https://jsfiddle.net/s4oab7yn/ and then switch to another tab, the alert shows looks like it's coming from the currently-active tab instead of the tab it's actually from.

two mitigations:

Qchecked-Linux Qchecked-Win32 Qchecked-Win64 Qchecked-macOS Qtest-plan-specified release-noteinclude security
Source
picture diracdeltas

Most helpful comment

I think the current plan is to generate the JS dialogs inside the brave ui instead of using the current OS dialogs and display them per-tab instead of window modal. Similar to Safari, but also adding the checkbox as @BrendanEich mentioned

picture bridiver on 4 Nov 2016
👍31

All 9 comments

Can we do it like Chrome does it? When an alert or confirm is invoked in another tab, different from the current active one, the tab that triggered the alert becomes the active tab (without any user interaction needed)? I think this is the most clean way to do it, because some users still may get confused.

Sh1d0w picture Sh1d0w on 21 Oct 2016

I much prefer what @diracdeltas mentioned with a button to switch to the tab. I find it very obnoxious and annoying that Chrome makes itself the active window and loses my current-tab-context.

bbondy picture bbondy on 22 Oct 2016

@bridiver how involved do you think this will be WRT electron? wondering if it will be feasible for 0.12.8

diracdeltas picture diracdeltas on 29 Oct 2016

I recall Chrome puts a checkbox in the JS dialogs so users can stop them repeating from a given origin. Is that right? We could do worse!

BrendanEich picture BrendanEich on 4 Nov 2016

I think the current plan is to generate the JS dialogs inside the brave ui instead of using the current OS dialogs and display them per-tab instead of window modal. Similar to Safari, but also adding the checkbox as @BrendanEich mentioned

bridiver picture bridiver on 4 Nov 2016
👍31

fyi - Safari won't even display the window.alert if you run it inside a setTimeout so you'll have to remove that if you want to compare Safari to Brave or Chrome

bridiver picture bridiver on 4 Nov 2016

Related issue: #3794

cndouglas picture cndouglas on 7 Dec 2016

Moving to 0.13.4

bsclifton picture bsclifton on 10 Feb 2017

Verified on master. Works fine

srirambv picture srirambv on 1 Mar 2017
Was this page helpful?
0 / 5 - 0 ratings

Related issues

eljuno picture eljuno  路  3Comments
luixxiul picture luixxiul  路  3Comments
luixxiul picture luixxiul  路  3Comments
luixxiul picture luixxiul  路  3Comments
bbondy picture bbondy  路  3Comments