2

If a user clicks refresh or presses F5 or refreshes by tab left click/reload then it is an intentional action!

Can a hacker inject a script maybe in an image src (but not to be too specific;) or anywhere else on the page, that forces a reload/redirect?

If so, is there something in the onbeforeunload event that will tell me that this was triggered by code?

WOW

```javascript
window.onunload=function(e){console.dir(e);}
location.reload();
```

```
Event
Navigated to https://www.google.com/webhp?hl=en
```

Proof that Kaii is correct! I wonder why browser vendors don't make an object of this event - to at least check if a refresh was user intention???

Ben Muircroft
  • Possible duplicate of https://stackoverflow.com/questions/291553/is-there-a-way-in-javascript-to-detect-if-the-unload-event-is-caused-via-a-refre – Maximillian Laumeister Aug 16 '15 at 20:20
  • not really dude, I vaguely remember doing code a while back where the browser (I think it was chrome) knew that I was jquery triggering a button rather than clicking it. – Ben Muircroft Aug 16 '15 at 20:24

1 Answer

4

> Can a hacker inject a script maybe in an image src (but not to be too specific;) or anywhere else on the page, that forces a reload/redirect?

Yes, i.e.:

```html
<script>window.location = window.location;</script>
```

> If so, is there something in the onbeforeunload event that will tell me that this was triggered by code?

No. The event object observable during onbeforeunload() does not contain any trace of information about the cause of unloading.

Kaii
  • Thanks! Your last sentence is only one word long, so I have to ask you: how do you know that you are correct? (You are stating a fact.) Have you console.dir(event)? If so, how? I would like to do this. – Ben Muircroft Aug 16 '15 at 20:41
  • @BenMuircroft In the Firebug console there is a "Persist" button, so the console isn't cleared on page reload. Issue `window.onbeforeunload = function (evt) { console.log(evt); };` directly followed by `window.location = window.location;` to inspect the event properties. – Kaii Aug 16 '15 at 21:10
  • Dude, I just tested, +1. Updated my question because I can't understand why browser vendors would leave such a security hole!? – Ben Muircroft Aug 17 '15 at 00:36
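
A way to repeat the comparison from the answer and its comments without relying on a persistent console, as an added example that is not part of the original posts: it stores a snapshot of each `beforeunload` event in `sessionStorage`, so the fields seen on a user reload and on a scripted reload can be compared once the page is back. The field list and the `unloadLog` key are assumptions of this example.

```javascript
// Added example, not from the original posts. Field list is an assumption:
// the standard Event properties plus BeforeUnloadEvent.returnValue.
// timeStamp is left out because it differs on every event regardless of cause.
const FIELDS = ["type", "isTrusted", "bubbles", "cancelable",
                "defaultPrevented", "eventPhase", "returnValue"];
const KEY = "unloadLog"; // hypothetical sessionStorage key

// Copy the inspectable fields into a plain object that survives JSON.
function snapshotEvent(evt) {
  const snap = {};
  for (const name of FIELDS) {
    if (name in evt) snap[name] = evt[name];
  }
  return snap;
}

// Append a snapshot to the log kept in `storage` (sessionStorage-like).
function recordUnload(evt, storage) {
  const log = JSON.parse(storage.getItem(KEY) || "[]");
  log.push(snapshotEvent(evt));
  storage.setItem(KEY, JSON.stringify(log));
  return log;
}

// Names of fields whose value is not identical across every logged event.
function distinguishingFields(log) {
  const names = new Set(log.flatMap((snap) => Object.keys(snap)));
  return [...names]
    .filter((n) => log.some((snap) => snap[n] !== log[0][n]))
    .sort();
}

// Browser wiring: reload once with F5 and once with location.reload(), then
// run distinguishingFields(JSON.parse(sessionStorage.getItem("unloadLog"))).
if (typeof window !== "undefined") {
  window.addEventListener("beforeunload", (evt) => {
    recordUnload(evt, window.sessionStorage);
  });
}
```

An empty array from `distinguishingFields` means none of the recorded fields separates the two reloads.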