WebKit Bugzilla
NEW
11522
In the WebUIDelegate protocol, allow JavaScript alert panels to be sheets so that JavaScript cannot hijack your application
https://bugs.webkit.org/show_bug.cgi?id=11522
Alexandre
Reported
2006-11-05 08:54:33 PST
Replace the following three WebUIDelegate protocol methods with versions which use a listener to indicate the result of user interaction (like the related WebUIDelegate protocol method webView:runOpenPanelForFileButtonWithResultListener: does) instead of a return value:

webView:runJavaScriptAlertPanelWithMessage:
webView:runJavaScriptConfirmPanelWithMessage:
webView:runJavaScriptTextInputPanelWithPrompt:defaultText:

This would allow the JavaScript alert, confirmation, and text input panels to be implemented as sheets rather than modal dialogs. Firefox, for example, implements JavaScript alerts as sheets rather than modal dialogs, which I think is more sensible and has several advantages over Safari's implementation.

With the current WebUIDelegate protocol, when a modal dialog is used for JavaScript alerts, malicious (or buggy) JavaScript can hijack your entire application by programmatically spewing forth an endless sequence of alert boxes, not even allowing you the opportunity to quit your application.
Alexandre
Comment 1
2006-11-05 11:30:33 PST
Sorry for posting again, but I found a little bit of information I missed before. It seems that there are already plans to deprecate the three methods I mentioned in favour of replacements, as noted here:
http://www.opendarwin.org/pipermail/webkit-changes/2005-November/001409.html
Perhaps their replacements can be changed to work more like webView:runOpenPanelForFileButtonWithResultListener: (by using a listener instead of a return value)? I find it highly undesirable that an application that uses a WebView can be completely taken over by that WebView, even if the WebView is only used as a very minor part of the application.
mitz
Comment 2
2017-06-16 22:25:44 PDT
This is resolved in the Modern WebKit API, where the equivalent WKUIDelegate methods all pass the delegate a completion handler.
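
The completion-handler form mentioned in Comment 2, as an added example (not code from this bug or from WebKit): a macOS WKUIDelegate that shows all three JavaScript panels as window sheets, so the rest of the application stays usable. The class name, the `sheet` helper and the dialog budget (`maxDialogs`, `interval`) are assumptions for illustration.

```swift
// Added example: SheetDialogDelegate, sheet(), maxDialogs and interval are
// hypothetical names and values, not part of WebKit.
import Cocoa
import WebKit

final class SheetDialogDelegate: NSObject, WKUIDelegate {
    private var recent: [Date] = []            // times of recently shown dialogs
    private let maxDialogs = 3                 // assumed budget per `interval`
    private let interval: TimeInterval = 10

    /// Shows one sheet on the web view's window and reports OK (true) or Cancel (false).
    /// `done` runs exactly once on every path; WebKit raises if a handler is never called.
    private func sheet(_ text: String, on webView: WKWebView, cancel: Bool = false,
                       field: NSTextField? = nil, then done: @escaping (Bool) -> Void) {
        let now = Date()
        recent = recent.filter { now.timeIntervalSince($0) < interval }
        // No host window, or the page exceeded its budget: answer without showing anything.
        guard let host = webView.window, recent.count < maxDialogs else { done(false); return }
        recent.append(now)
        let alert = NSAlert()
        alert.messageText = text
        alert.accessoryView = field
        alert.addButton(withTitle: "OK")
        if cancel { alert.addButton(withTitle: "Cancel") }
        // Sheet is attached to one window only; menus and Quit keep working.
        alert.beginSheetModal(for: host) { done($0 == .alertFirstButtonReturn) }
    }

    func webView(_ webView: WKWebView, runJavaScriptAlertPanelWithMessage message: String,
                 initiatedByFrame frame: WKFrameInfo, completionHandler: @escaping () -> Void) {
        sheet(message, on: webView) { _ in completionHandler() }
    }

    func webView(_ webView: WKWebView, runJavaScriptConfirmPanelWithMessage message: String,
                 initiatedByFrame frame: WKFrameInfo, completionHandler: @escaping (Bool) -> Void) {
        sheet(message, on: webView, cancel: true, then: completionHandler)
    }

    func webView(_ webView: WKWebView, runJavaScriptTextInputPanelWithPrompt prompt: String,
                 defaultText: String?, initiatedByFrame frame: WKFrameInfo,
                 completionHandler: @escaping (String?) -> Void) {
        let field = NSTextField(string: defaultText ?? "")
        field.frame = NSRect(x: 0, y: 0, width: 260, height: 24)
        sheet(prompt, on: webView, cancel: true, field: field) {
            completionHandler($0 ? field.stringValue : nil)   // nil means the prompt was cancelled
        }
    }
}
```

Assign an instance to `WKWebView.uiDelegate` and keep a strong reference to it, since the property is weak.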