Bug 17859 - Cannot leave Javascript trap without force-quitting the browser
Status: RESOLVED DUPLICATE of bug 17560
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 528+ (Nightly build)
Hardware: Mac OS X 10.4
: P1 Normal
Assignee: Nobody
URL: http://rr.rezbit.com/
Keywords:
Depends on:
Blocks:
 
Reported: 2008-03-14 18:04 PDT by lacerchia
Modified: 2008-03-17 01:33 PDT

Description lacerchia 2008-03-14 18:04:43 PDT
Websites can lock the user into an unescapable trap of alerts through malicious use of JavaScript. For example, if you visit the URL associated with this bug and attempt to close the page (use the keyboard shortcut if the window is jumping around), an onbeforeunload handler displays an alert. Once you dismiss it, it displays another. And another. And another. And so on. I couldn't find any way to escape the trap, other than force-quitting the browser.

The example linked here is rather benign, since the content is just a Rickroll and the alert sequence, while very long, is not infinite. More malicious sites exist that use the same technique to lock the user into an infinite loop of alerts, while displaying shocking or disgusting content. The end result is that the user is forced to terminate the browser, making this issue almost equivalent to a crashing bug.

Suggestions on possible solutions:

- if a page displays a series of alerts (or prompt dialogs, etc), without returning non-modal control to the user for at least a few seconds between the alerts, display an additional "Terminate Script" button in the modal window starting with the third or fourth alert: if the user presses this button, terminate the script and kill all timers and unload handlers on the page; or just have a "Force Close Page" button instead. This is probably the easiest solution to discover and understand for users.

- Allow the user to close a page or tab by clicking the close box even if a modal window is open; if the user does so, display a warning dialog, and if it's confirmed, force-close the page, ignoring any further unload handlers. This way it's not necessary to add an extra button to alerts; however, users who get locked into a malicious page will probably not think of ignoring the alert and clicking the close box, and choose to force-quit the browser instead.

- Have the timer that displays an alert when a script is taking too long to complete (I think WebKit has one, right?) keep counting even when a modal alert or dialog is being displayed. Basically, count all the time that the user is unable to leave the page, and if it exceeds the limit, display the "This script is taking a long time, do you want to terminate it?" dialog, above any existing alerts opened by the page.
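
The first suggestion in the report above, modelled as an added example; it is not part of the original report and is not WebKit code. The names `DialogGuard` and `simulateTrap`, the 3000 ms idle threshold and the action strings are assumptions made for illustration.

```javascript
// Model of a browser-side dialog guard (hypothetical; not WebKit code).
class DialogGuard {
  constructor({ minIdleMs = 3000, offerAfter = 3 } = {}) {
    this.minIdleMs = minIdleMs;   // assumed value for "a few seconds"
    this.offerAfter = offerAfter; // "third or fourth alert" in the report
    this.streak = 0;              // dialogs shown without a real pause
    this.lastDismissedAt = null;  // when the user last regained control
    this.terminated = false;
  }

  // Page script asks for alert()/confirm()/prompt() at time nowMs.
  requestDialog(nowMs) {
    if (this.terminated) return { show: false, offerTerminate: false };
    const idle = this.lastDismissedAt === null
      ? Infinity
      : nowMs - this.lastDismissedAt;
    // Enough non-modal time passed: the page is not trapping the user.
    if (idle >= this.minIdleMs) this.streak = 0;
    this.streak += 1;
    return { show: true, offerTerminate: this.streak >= this.offerAfter };
  }

  // User closed the dialog; choice is "ok" or "terminate".
  dismiss(nowMs, choice) {
    this.lastDismissedAt = nowMs;
    if (choice !== "terminate") return [];
    this.terminated = true;
    // Actions the report asks for when the button is pressed.
    return ["stop-script", "clear-timers", "drop-unload-handlers"];
  }
}

// Constructed timeline: a page reopening an alert 50 ms after each dismissal.
function simulateTrap(guard, dialogs) {
  const log = [];
  let t = 0;
  for (let i = 0; i < dialogs; i++) {
    const r = guard.requestDialog(t);
    if (!r.show) { log.push("suppressed"); continue; }
    log.push(r.offerTerminate ? "alert+terminate" : "alert");
    // The modelled user presses the new button as soon as it is offered.
    guard.dismiss(t + 1000, r.offerTerminate ? "terminate" : "ok");
    t += 1050;
  }
  return log;
}
```

A page that shows dialogs several seconds apart resets the streak each time, so it never sees the extra button; only back-to-back dialogs reach the threshold.
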
Comment 1 Alexey Proskuryakov 2008-03-17 01:33:36 PDT

*** This bug has been marked as a duplicate of 17560 ***