Comment 0 for bug 1638610

Hey Team ,

The bug i want to mention here is a denial of service attack that will not allow any kind of redirection on a page crafted by attacker where we have used hyper-links(ahref).
The bug can be maliciously used by crafting an HTML file by an attacker and then sending it to the victim clearly showing there is a hyper-link that redirects to lets say (google.com) through status bar but it will not , instead cause denial of service , browser's also hang up and Crashes.
I have tested it on the Very Latest Version of Ubuntu LTS Default Browser.

Reason:
The following script stops the page from being redirected:
window.onbeforeunload = function(){
//Unredirectable Page
setTimeout("window.location=document.location;",0);
}

Demo URL : http://hackies.in/Unredirect-Browsers-Test.html

Actual results:

It should redirect me to the new page , where as it don't redirect to a new page and the browsers Hangs up.

Expected results:

So dependency of JavaScript objects(window.document) on Href attribute should not be there.
Attached POC for References