JS DoS

[jumde]

<script>
   while(true) {
     alert(1);
   }
</script>

Test Plan

• please see PR

[tmancey]

@jumde hi, you classified this issue as a bug, then removed bug. Can you please let me know if this is a bug or an enhancement as I am making sure all tickets are correctly labeled to help with reporting?

[jumde]

label bug sounds good.

[danishjafri88]

The app is susceptible to js DOS attack especially the window.alert attack. The alert shown blocks the entire screen.
For other bowsers following is the result:
FF: same as brave
Safari: custom alert component

Chrome: Blocking alert with option to suppress window.alert after multiple alerts are thrown

Possible solutions for this DOS attack is either of Chrome's or Safari's way.

[jamesmudgett]

@danishjafri88 We need a way to suppress, the Chrome flow works well.

[srirambv]

Verification passed on iPhone XR with iOS 13 running 1.12(19.09.04.23)

• Verified app doesn't hang when constant popups show up
• Verified selecting Ok or Cancel doesn't cause app to hang
• Verified Suppress notifications only affect for that particular session and doesn't show up again until the tab is closed and reopened

Verification PASSED on iPad Air 3rd Generation iOS 13.1 running 1.12 (19.09.10.18):

• Verified app doesn't hang when constant popups show up
• Verified selecting Ok or Cancel doesn't cause app to hang
• Verified Suppress notifications only affect for that particular session and doesn't show up again until the tab is closed and reopened

[kjozwiak]

@danishjafri88 quick question regarding this fix. Whenever you suppress the modal/dialog/alerts, the page becomes unresponsive. Example:

• open FIX #87: Option to suppress alerts on webpages. #770 in a new tab
• tap on https://dustiest-limitation.000webhostapp.com/alert.html
• suppress the alert and you'll notice that the page becomes unresponsive and appears as it's still attempting to load. Tapping on the X to stop the load doesn't do anything. You'll need to basically close the tab and re-open.

Is the above expected? Or should the page recover once you suppress the alerts?

[srirambv]

@kjozwiak that expected. More discussion on this here: https://bravesoftware.slack.com/archives/C06UXF3KJ/p1567691573119300

[srirambv]

Verification passed on iPhone 7+ with iOS 12.4.1 running 1.12(19.09.13.06)

• Verification passed on https://www.guyrutenberg.com/wp-content/uploads/2007/11/alertloop.html
• LInks from PR are not working so only verified on https://www.guyrutenberg.com/wp-content/uploads/2007/11/alertloop.html