This repository has been archived by the owner on Dec 11, 2019. It is now read-only.

[hackerone] window.close should be blocked unless the script also opened the tab #5006

Closed
bridiver opened this issue Oct 20, 2016 · 4 comments


@bridiver
Collaborator

Did you search for similar issues before submitting this one?
Yes

Describe the issue you encountered:
From https://hackerone.com/reports/176197
It is possible for a tab to close itself even if the tab was not opened by a script. In Chrome this is blocked with the message "Scripts may close only the windows that were opened by it", which is controlled by WebKit DOMWindow.cpp DOMWindow::close.

Expected behavior:
window.close should only allow a tab to be closed if it was opened by the script

  • Platform (Win7, 8, 10? macOS? Linux distro?):
    All
  • Brave Version:
    0.12.5
  • Steps to reproduce:
    1. Open a page with
```html
<html>
<head>
<title>Brave Window Object Remote Denial of Service.</title>
</head>

<body><br><br>
<h1><center>Brave Window Object Remote Denial of Service</center></h1><br><br>
<h2><center>Proof of Concept</center><br><br></h2>

<center>
<b>Click the below link to Trigger the Vulnerability..</b><br><br>
<hr>

<hr>
<!-- The link runs window.close() in a tab that the script did not open. -->
<b><a href="javascript:window.close(self);">Brave Window Object DoS Test POC</a></b>

</center>
</body>

</html>
```
diracdeltas added this to the 0.12.7dev milestone Oct 24, 2016
diracdeltas changed the title from "window.close should be blocked unless the script also opened the tab" to "[hackerone] window.close should be blocked unless the script also opened the tab" Oct 24, 2016
@diracdeltas
Member

the PoC no longer works for me in the latest release. console shows the error

Scripts may close only the windows that were opened by it.

@diracdeltas
Member

closing because i can't find a way to get a window to close itself in the latest build or on master; please reopen if you can @bridiver

@diracdeltas
Member

diracdeltas commented Oct 25, 2016

test plan:

  1. check that going to feedly and logging in closes the login window
  2. go to http://web.mit.edu/zyan/Public/close.html, click the link and verify that the window does not close
  3. click the button under the link and verify that it opens a window
  4. click the link in the new window, verify that now it closes

diracdeltas reopened this Oct 25, 2016
@diracdeltas
Member

i got confused and reopened this because the PoC was successful if the link above was clicked to open in a new tab. but that seems like the intended behavior because it works the same in chrome.
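
The behaviour discussed in this thread, as an added example that is not part of the original issue and is not Brave or Chromium source: a small JavaScript model of the HTML Standard's "script-closable" check, under which a tab may close itself if a script opened it or if its session history holds a single document. The `Tab` class, its method names and the `example.test` URLs are constructed for illustration.

```javascript
// Model of the "script-closable" rule applied by window.close().
// Tab and its fields are hypothetical names for this sketch.
const BLOCKED = 'Scripts may close only the windows that were opened by it.';

class Tab {
  constructor({ openedByScript = false } = {}) {
    this.openedByScript = openedByScript; // true when created via window.open()
    this.history = [];                    // session history entries
    this.closed = false;
    this.console = [];                    // console messages shown to the developer
  }
  navigate(url) { this.history.push(url); return this; }
  // Script in this tab calls window.open(): the new tab is script-created.
  scriptOpen(url) { return new Tab({ openedByScript: true }).navigate(url); }
  // User chooses "open link in new tab": not script-created, one history entry.
  userOpenInNewTab(url) { return new Tab().navigate(url); }
  // Closable if a script created it, or its session history has a single document.
  isScriptClosable() { return this.openedByScript || this.history.length <= 1; }
  // What window.close() called from page script does in this model.
  scriptClose() {
    if (this.closed) return true;
    if (!this.isScriptClosable()) { this.console.push(BLOCKED); return false; }
    this.closed = true;
    return true;
  }
}

// Constructed scenarios mirroring the test plan in this thread.
function runScenarios() {
  // Steps 1-2: user navigates an existing tab to the page, then clicks the link.
  const typed = new Tab().navigate('about:newtab')
                         .navigate('https://example.test/close.html');
  // Steps 3-4: the page's button opens a window; the link in that window closes it.
  const popup = typed.scriptOpen('https://example.test/close.html');
  popup.navigate('https://example.test/other.html'); // still script-opened
  // Last comment: the page was opened in a new tab, so it has one history entry.
  const freshTab = typed.userOpenInNewTab('https://example.test/close.html');
  return {
    typedTab: typed.scriptClose(),
    typedConsole: typed.console[0],
    popup: popup.scriptClose(),
    freshTab: freshTab.scriptClose(),
  };
}

console.log(runScenarios());
```
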
