Why are JavaScript alerts still capable of blocking browser activity?
I have never understood why JavaScript is allowed to completely block any further user interaction. The correct options that a browser should display when throwing up an alert box are “Okay” and “Never run JavaScript on this page/site again.” And they should not block the entire browser in any case—as I write this, Safari and Chrome still allow alerts to block all windows[1]. In the modern world of tabs and multiple windows, letting a single web page block other web pages is a throwback to the stone age.
Click here for a non-binding example. The machine should call you an asshole, and there’s nothing for you to do except agree. That’s unacceptable.
Click here for an example that will lock up some browsers (save your work first!). Once you kill your browser and restart, realize that I didn’t have to give you the option of choosing that behavior: I could have forced it on you as soon as you visited the page. That’s ridiculously unacceptable.
I’m not the first to ask this question. Veeti Paananen asked it at the beginning of 2009. Raymond Camden asked it in 2007, and in the comments people wondered how it could be a security issue.
This was before the MacDefender trojan that infected web advertising servers and image searches several months ago. Part of the reason MacDefender worked is that it couldn’t be ignored. People who are confused about what action to take are perfectly happy to ignore a problem until it goes away; the alert box took that option away from them. The JavaScript alert meant that they couldn’t ignore it until it went away. It was a social engineering attack to get victims to run the downloaded trojan, and it apparently was pretty successful.
Safari is the worst of all of the browsers I tested while writing this: alerts will block all windows, windows can’t be closed, and it will never offer the option of canceling the script. I can’t open new windows or tabs, and am stuck until I decide how to deal with the offending alert. That all helped MacDefender get its job done.
Firefox will present a checkbox to block all further alerts on this page if I hit the “Okay” button ten times, but by then the social engineering attack has already done its job. That checkbox needs to be there on the very first alert, to let people know that this alert is not official, but is rather an untrusted message from an untrusted source. On the plus side, Firefox allows me to close the blocked window without touching the alert box.[2]
Chrome puts the checkbox on the second alert, rather than the tenth; that’s still too late. To be effective, that checkbox needs to be there on the very first alert. MacDefender didn’t need a second alert to do its job; all it needed was to get the victim to say “OK” once to let their guard down or resign them to doing whatever they thought it was doing. Chrome does not allow closing the tab/window while the alert is there.
Opera is the only one of the four that works correctly. It puts the checkbox for blocking further JavaScript[3] on the first alert, and it makes it clear that the alert is not something from the browser but from outside. Opera’s alerts don’t block anything except the current page. The current page can even be closed without touching the alert box.
Of course, MacDefender also made use of the auto-download feature that is still available in most browsers. If you’ve ever been on a page that says “your download will begin in x seconds”, and the download does, in fact, begin, then your browser is also susceptible to this.
For testing, I used Safari 5.1, Firefox 7.0.1, Chrome 14.0.835.186, and Opera 11.51, all for Mac OS X 10.6.8. Except for Mac OS X itself, these were the latest versions available, and the top four browsers for Mac OS X, when I wrote this.
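Until a browser offers the opt-out on the very first alert, a user script can cap how many dialogs a page may raise and silently drop the rest. The following is an added example, not code from the original post or from any browser; `installDialogGuard`, `makeFakeWindow` and `runNaggingPage` are hypothetical names, and the fake window is a constructed stand-in so the block runs under Node.

```javascript
// Wrap alert/confirm/prompt on `win` so that only `maxDialogs` dialogs are
// ever shown; later calls return at once with the "dismissed" value.
function installDialogGuard(win, maxDialogs = 1) {
  const state = { shown: 0, suppressed: [] };
  // What each dialog returns when the user dismisses or cancels it.
  const dismissed = { alert: undefined, confirm: false, prompt: null };

  for (const name of Object.keys(dismissed)) {
    const native = win[name].bind(win);
    win[name] = function (...args) {
      if (state.shown < maxDialogs) {
        state.shown += 1; // one budget shared by all three dialog types
        return native(...args);
      }
      // Over budget: never block, just record what the page tried to show.
      state.suppressed.push({ type: name, message: String(args[0]) });
      return dismissed[name];
    };
  }
  return state;
}

// Constructed stand-in for a browser window: records dialogs, never blocks.
function makeFakeWindow() {
  const displayed = [];
  return {
    displayed,
    alert(msg) { displayed.push(msg); },
    confirm(msg) { displayed.push(msg); return true; },
    prompt(msg) { displayed.push(msg); return "typed"; },
  };
}

// Constructed page behaviour: repeated alerts, then a confirm the page
// hopes a worn-down user will accept.
function runNaggingPage(win, times) {
  for (let i = 0; i < times; i++) win.alert("Nag #" + i);
  return win.confirm("Proceed?");
}

const fake = makeFakeWindow();
const guard = installDialogGuard(fake, 1);
const answer = runNaggingPage(fake, 1000);
console.log(fake.displayed.length, guard.suppressed.length, answer); // 1 1000 false
```

In a browser this has to run before any page script (for example from a user script injected at document start), because a script that has already saved a reference to the native `alert` is not affected by the wrapper.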
- April 1, 2016: Safari 9.1 frees your browser from JavaScript lockup
This is not an April Fools’ post. I got mine in early. From my testing using the links in the parent post, Safari no longer blocks closing a tab or window when it displays a JavaScript alert as of at least Safari 9.1. Close Window and Close Tab are available from the File menu, and the close button is available on both the browser window and the tab in the browser window.
Further, they’ve changed the appearance of the JavaScript alert to look like it comes from the web page rather than from the browser or operating system; that is, JavaScript alerts no longer look like they’re official.
They’ve removed the checkbox to no longer show alerts that used to show up on the second iteration of the alert.
- July 12, 2015: Safari 8.0.7 can block endless alerts
I just ran some software updates last week, and reading the latest Software Update notes, I noticed:
Fixes an issue where a website could prevent the user from navigating away by presenting repeated JavaScript alerts in Safari.
After doing the update, I went to the parent page and hit the deadly link. Sure enough, on the second iteration Safari added a checkbox to the alert:
Don’t show more alerts from this webpage
Checking that box makes the alerts go away.
Testing what it’s doing under the hood is difficult, as checking that box also seems to block reloading the page. I’m not sure that’s a bad thing.
It appears to disable any JavaScript on the page. I can’t even go to the URL bar and get an alert from:
- javascript:alert("Hello");
Again, I think that’s a good thing. If the page has potentially malicious JavaScript, block it all.
JavaScript that doesn’t involve alerts also fails from the URL bar:
- javascript:headlines=document.getElementsByTagName("h1");headline=headlines[0];headline.innerHTML="Hello, World";
So it looks like “Don’t show more alerts” means “stop executing scripts on this page”. The Error Console doesn’t show any errors; the script simply doesn’t execute.
[1] Firefox allows the alert to block the current window/tab, but continues to allow creation of new windows and tabs. Chrome allows the creation of new windows and tabs if you realize that you can click on the underlying page (if all you do is look at the file menu, Chrome’s New Window/New Tab options are greyed out), but the alert remains on top of all new pages and blocks some page functions in the new pages.
[2] I didn’t originally think about that until halfway through writing this article, but that’s probably because of years of conditioning; people not used to previous versions of Firefox and Netscape and other browsers might not have the preconception that windows with alerts can’t be closed.
[3] Its wording for blocking is misleading: it says “Stop executing scripts on this page”. But as far as I can tell, it only stops executing the current script. Other JavaScripts on the page will continue to trigger.
- Alert can still lock browsers - why?: Raymond Camden
- “So while this typically only happens to poor developers who do it to themselves (as I did a few days ago), why haven’t the browser makers done anything about this? Is it really something that only affects us doing development?”
- Apple scareware: gang targets users with Mac Defender: Charles Arthur
- “The Guardian has discovered it has been spread through advertising networks on newspapers including the Washington Post and by "poisoned" searches in Google Images.”
- Auto-run + auto-download = automatic viruses
- Automatic downloads combined with automatic opening makes a fertile ground for worms to grow. Operating systems should never assume that anything that comes from the outside is safe.
- Break out of infinite alert() popups!: Howard Yeend at puremango.co.uk
- “Damn! Now you have to sit there and press OK a bajillion times, or restart the browser—which is a pain because you’ll lose all your tabs, and more importantly you’ll lose your concentration while you load everything up again.”
- Opera
- “The most full-featured Internet power tool on the market, Opera includes pop-up blocking, tabbed browsing, integrated searches, and advanced functions like Opera’s groundbreaking E-mail program, RSS Newsfeeds and IRC chat.”
- Stephen King cameo in Maximum Overdrive
- From the movie “Maximum Overdrive”, “This machine called me an asshole.”
Yeah, it's annoying in any context to have modal dialogs, making the parent inaccessible, although for desktop applications it might, sometimes, be excusable.
Until browsers change, Firefox does at least have addons that can help protect you from the dark side of this. NoScript is a prime example: scripts run only after you allow them to. It can initially seem unusable, but you can build up a whitelist of your usual sites within days, so most of the time it won't be a big problem.
Thrawn at 11:23 p.m. October 12th, 2011