The example linked here is rather benign, since the content is just a Rickroll and the alert sequence, while very long, is not infinite. More malicious sites exist that use the same technique to lock the user into an infinite loop of alerts, while displaying shocking or disgusting content. The end result is that the user is forced to terminate the browser, making this issue almost equivalent to a crashing bug.
Suggestions on possible solutions:
- If a page displays a series of alerts (or prompt dialogs, etc.) without returning non-modal control to the user for at least a few seconds between the alerts, display an additional "Terminate Script" button in the modal window starting with the third or fourth alert: if the user presses this button, terminate the script and kill all timers and unload handlers on the page; or just have a "Force Close Page" button instead. This is probably the easiest solution to discover and understand for users.
- Allow the user to close a page or tab by clicking the close box even if a modal window is open; if the user does so, display a warning dialog, and if it's confirmed, force-close the page, ignoring any further unload handlers. This way it's not necessary to add an extra button to alerts; however, users who get locked into a malicious page will probably not think of ignoring the alert and clicking the close box, and choose to force-quit the browser instead.
- Have the timer that displays an alert when a script is taking too long to complete (I think WebKit has one, right?) keep counting even when a modal alert or dialog is being displayed. Basically, count all the time that the user is unable to leave the page, and if it exceeds the limit, display the "This script is taking a long time, do you want to terminate it?" dialog, above any existing alerts opened by the page.
*** This bug has been marked as a duplicate of 17560 ***
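
The first and third suggestions in the report above, modelled in JavaScript as an added example (not part of the original report and not WebKit code). The class and function names, the 3-second gap, the third-dialog trigger and the 10-second lockout limit are assumptions, and the timeline is constructed.

```javascript
// Assumed thresholds; the report only says "a few seconds" and
// "third or fourth alert" and gives no lockout limit.
const MIN_GAP_MS = 3000;        // non-modal time that counts as real control
const OFFER_AT_DIALOG = 3;      // dialog in a streak that gets the button
const LOCKOUT_LIMIT_MS = 10000; // slow-script style limit on lockout time

class DialogGuard {
  constructor() {
    this.streak = 0;       // consecutive dialogs without a usable gap
    this.lockedMs = 0;     // time the user could not leave the page
    this.lastClose = null; // when the previous dialog was dismissed
    this.openedAt = null;  // when the current dialog was shown
  }

  // Page opens alert()/confirm()/prompt() at time `now` (ms).
  dialogOpened(now) {
    const gap = this.lastClose === null ? Infinity : now - this.lastClose;
    if (gap >= MIN_GAP_MS) {
      this.streak = 0;      // user had control back: start over
      this.lockedMs = 0;
    } else {
      this.lockedMs += gap; // too short to act on, still locked in
    }
    this.streak += 1;
    this.openedAt = now;
    // Simplification: a browser would also check lockedMs on a timer
    // while the dialog is open, not only when the next one appears.
    return {
      offerTerminate: this.streak >= OFFER_AT_DIALOG,
      lockoutPrompt: this.lockedMs >= LOCKOUT_LIMIT_MS,
    };
  }

  // User dismisses the dialog at time `now` (ms).
  dialogClosed(now) {
    this.lockedMs += now - this.openedAt; // modal time counts as locked
    this.lastClose = now;
    this.openedAt = null;
  }
}

// Replay a constructed timeline of [openTime, closeTime] pairs (ms).
function replay(timeline) {
  const guard = new DialogGuard();
  return timeline.map(([open, close]) => {
    const decision = guard.dialogOpened(open);
    guard.dialogClosed(close);
    return decision;
  });
}
```

Resetting both counters after a usable gap keeps pages that show occasional dialogs from ever reaching either threshold.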