window.close and self.close do not close the window in Chrome

后端 未结 16 1839
孤城傲影
孤城傲影 2020-11-21 05:48

The issue is that when I invoke window.close() or self.close() it doesn\'t close the window. Now there seems to be a belief that in Chrome you can\

16条回答
  •  鱼传尺愫
    2020-11-21 06:13

    Ordinary javascript cannot close windows willy-nilly. This is a security feature, introduced a while ago, to stop various malicious exploits and annoyances.

    From the latest working spec for window.close():

    The close() method on Window objects should, if all the following conditions are met, close the browsing context A:

    • The corresponding browsing context A is script-closable.
    • The browsing context of the incumbent script is familiar with the browsing context A.
    • The browsing context of the incumbent script is allowed to navigate the browsing context A.

    A browsing context is script-closable if it is an auxiliary browsing context that was created by a script (as opposed to by an action of the user), or if it is a browsing context whose session history contains only one Document.

    This means, with one small exception, javascript must not be allowed to close a window that was not opened by that same javascript.

    Chrome allows that exception -- which it doesn't apply to userscripts -- however Firefox does not. The Firefox implementation flat out states:

    This method is only allowed to be called for windows that were opened by a script using the window.open method.


    If you try to use window.close from a Greasemonkey / Tampermonkey / userscript you will get:
    Firefox: The error message, "Scripts may not close windows that were not opened by script."
    Chrome: just silently fails.



    The long-term solution:

    The best way to deal with this is to make a Chrome extension and/or Firefox add-on instead. These can reliably close the current window.

    However, since the security risks, posed by window.close, are much less for a Greasemonkey/Tampermonkey script; Greasemonkey and Tampermonkey could reasonably provide this functionality in their API (essentially packaging the extension work for you).
    Consider making a feature request.



    The hacky workarounds:

    Chrome is currently was vulnerable to the "self redirection" exploit. So code like this used to work in general:

    open(location, '_self').close();
    

    This is buggy behavior, IMO, and is now (as of roughly April 2015) mostly blocked. It will still work from injected code only if the tab is freshly opened and has no pages in the browsing history. So it's only useful in a very small set of circumstances.

    However, a variation still works on Chrome (v43 & v44) plus Tampermonkey (v3.11 or later). Use an explicit @grant and plain window.close(). EG:

    // ==UserScript==
    // @name        window.close demo
    // @include     http://YOUR_SERVER.COM/YOUR_PATH/*
    // @grant       GM_addStyle
    // ==/UserScript==
    
    setTimeout (window.close, 5000);
    

    Thanks to zanetu for the update. Note that this will not work if there is only one tab open. It only closes additional tabs.


    Firefox is secure against that exploit. So, the only javascript way is to cripple the security settings, one browser at a time.

    You can open up about:config and set
    allow_scripts_to_close_windows to true.

    If your script is for personal use, go ahead and do that. If you ask anyone else to turn that setting on, they would be smart, and justified, to decline with prejudice.

    There currently is no equivalent setting for Chrome.

提交回复
热议问题