The SANS ISC diary today is mentioning a javascript function present in today's browsers called onUnload(). What does it do?

The browser will execute it when the user is leaving that page. Very interesting feature, isn't it?

Well, not when you start looking with the eyes of security, as the post on the diary does. Those pop-up filled websites can prevent the user from leaving then just by executing a location=self.location when the onUnload is called. Incredibly simple and effective (at least for them). They can also pretend that the user is really leaving when it's actually not happening, giving room for a lot of phishing attacks.

This is a very good example of how a software feature can be seen when you put the Security Googles on. You need to do that every time when your developers are buiding new code. Do you have ayone thinking about the side effects of new features of your software?

A fnal remark about the onUnload() function is that it can, in fact, help on some security aspects. Just remember that almost no users leave a web application by clicking on the "Log Out" button/link. You can force the logout procedure by detecting the user leaving the website with the onUnload() function. At least a good thing for us.