Take a look for yourself and come back, we won't go anywhere:
As the MSDN article says, adding a window.open() call in such a routine becomes a nightmare for the visitor, as (s)he'll never manage to get away on his/her own. Pop-up blockers should, if all goes right, detect and prevent that one case. But it gets worse: how about "location = self.location;"? Right, the visitor doesn't go away at all.
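A defender-side check for the two patterns described above, as an added example that is not part of the original diary entry: it scans page source for unload handlers that call window.open() or re-assign location. Covering onbeforeunload and addEventListener as well goes beyond the cases named in the text; the function names and the sample inputs are constructed for illustration.

```javascript
// Added example: heuristic static check, not a JavaScript parser.
// Flags unload handlers whose body opens a window or re-assigns the location.
const TRAP_PATTERNS = [
  { name: "window.open", re: /(?:^|[^.\w])(?:(?:window|self)\.)?open\s*\(/ },
  { name: "location-assign",
    re: /\b(?:(?:window|self|top|document)\.)?location(?:\.href)?\s*=(?!=)/ },
];

// Return the text between the "{" at openIdx and its matching "}".
// Braces inside strings or comments are not special-cased (heuristic).
function bodyFrom(src, openIdx) {
  let depth = 0;
  for (let i = openIdx; i < src.length; i++) {
    if (src[i] === "{") depth++;
    else if (src[i] === "}" && --depth === 0) return src.slice(openIdx + 1, i);
  }
  return src.slice(openIdx + 1); // unbalanced input: scan the remainder
}

function findUnloadTraps(source) {
  const bodies = [];
  let m;
  // 1. Inline attribute: <body onunload="...">
  const attr = /\bon(?:before)?unload\s*=\s*(["'])([\s\S]*?)\1/gi;
  while ((m = attr.exec(source)) !== null) bodies.push(m[2]);
  // 2. Script: x.onunload = function () {...} or addEventListener("unload", ...)
  const fn = /(?:\.on(?:before)?unload\s*=|addEventListener\s*\(\s*["'](?:before)?unload["']\s*,)[^{;]*\{/gi;
  while ((m = fn.exec(source)) !== null) bodies.push(bodyFrom(source, fn.lastIndex - 1));

  const findings = [];
  for (const body of bodies)
    for (const p of TRAP_PATTERNS)
      if (p.re.test(body)) findings.push({ pattern: p.name, handler: body.trim() });
  return findings;
}

// Constructed sample inputs (not taken from any real site).
const SAMPLES = {
  reopen: `<body onunload="window.open(self.location)">`,
  reload: `<script>window.onunload = function () { location = self.location; };</script>`,
  benign: `<script>window.addEventListener("unload", function () {
    var xhr = new XMLHttpRequest(); xhr.open("POST", "/draft"); xhr.send(d);
    if (location == home) { note(); }
  });</script>`,
};
for (const [name, html] of Object.entries(SAMPLES))
  console.log(name, findUnloadTraps(html).map((f) => f.pattern));
```

The benign sample shows the two false positives the patterns are written to avoid: a method call such as xhr.open() and a comparison against location.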
Is there anything new to this? Not as such: it has been known for years and was, for example, discussed in August of 2005 on full disclosure mailing lists.
One would assume that open discussion of such a function, where it is labeled as potentially evil, would cause security-conscious developers to take note of it and severely limit its possibilities, or better yet get rid of it altogether.
Yet there seems to have been no such luck. Worse, there seems to have been renewed attention from those using the dark side, as evidenced by these recent reactions:
MSIE 7: CVE-2007-1091 (mitre) or CVE-2007-1091 (nist)
Personally, I have a hard time seeing how supporting onUnload() matches with statements such as:
"Put safety first."
I'm sure Firefox will have a "security is important" statement as well, but I haven't found it yet.
Swa Frantzen -- NET2S
Feb 26th 2007