[Webkit-unassigned] [Bug 17859] New: Cannot leave Javascript trap without force-quitting the browser

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Mar 14 18:04:43 PDT 2008


http://bugs.webkit.org/show_bug.cgi?id=17859

           Summary: Cannot leave Javascript trap without force-quitting the
                    browser
           Product: WebKit
           Version: 525+ (Nightly build)
          Platform: Macintosh
               URL: http://rr.rezbit.com/
        OS/Version: Mac OS X 10.4
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P1
         Component: New Bugs
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: lacerchia at gmail.com


Websites can lock the user into an unescapable trap of alerts through malicious
use of JavaScript. For example, if you visit the URL associated with this bug
and attempt to close the page (use the keyboard shortcut if the window is
jumping around), an onbeforeunload handler displays an alert. Once you dismiss
it, it displays another. And another. And another. And so on. I couldn't find
any way to escape the trap, other than force-quitting the browser.

The example linked here is rather benign, since the content is just a Rickroll
and the alert sequence, while very long, is not infinite. More malicious sites
exist that use the same technique to lock the user into an infinite loop of
alerts, while displaying shocking or disgusting content. The end result is that
the user is forced to terminate the browser, making this issue almost
equivalent to a crashing bug.

Suggestions on possible solutions:

- if a page displays a series of alerts (or prompt dialogs, etc), without
returning non-modal control to the user for at least a few seconds between the
alerts, display an additional "Terminate Script" button in the modal window
starting with the third or fourth alert: if the user presses this button,
terminate the script and kill all timers and unload handlers on the page; or
just have a "Force Close Page" button instead. This is probably the easiest
solution to discover and understand for users.

- Allow the user to close a page or tab by clicking the close box even if a
modal window is open; if the user does so, display a warning dialog, and if
it's confirmed, force-close the page, ignoring any further unload handlers.
This way it's not necessary to add an extra button to alerts; however, users
who get locked into a malicious page will probably not think of ignoring the
alert and clicking the close box, and choose to force-quit the browser instead.

- Have the timer that displays an alert when a script is taking too long to
complete (I think WebKit has one, right?) keep counting even when a modal alert
or dialog is being displayed. Basically, count all the time that the user is
unable to leave the page, and if it exceeds the limit, display the "This script
is taking a long time, do you want to terminate it?" dialog, above any existing
alerts opened by the page.


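The first and third suggestions in the report, modelled as a per-page dialog gate. This is an added example, not part of the original report and not WebKit code. The class name, method names and the three thresholds are assumptions chosen for illustration, as is resetting the blocked-time counter after a quiet period.

```javascript
// Added illustration of the report's suggestions 1 and 3; not WebKit code.
// Thresholds are assumed values, not taken from any browser.
const QUIET_MS = 3000;          // "a few seconds" of non-modal control resets the streak
const OFFER_FROM = 3;           // offer "Terminate Script" starting with the third alert
const BLOCKED_LIMIT_MS = 10000; // assumed budget for time the user is held inside modals

class DialogGate {
  constructor() {
    this.streak = 0;          // consecutive dialogs with no quiet period between them
    this.blockedMs = 0;       // cumulative time spent inside modal dialogs
    this.openedAt = 0;        // when the current dialog was shown
    this.lastClosedAt = null; // when the previous dialog was dismissed
    this.terminated = false;  // user chose "Terminate Script"
  }

  // The page asks for alert/confirm/prompt at time `now` (ms).
  // Returns what the browser chrome should do with the request.
  request(now) {
    if (this.terminated) {
      return { show: false, offerTerminate: false, slowScriptPrompt: false };
    }
    const quiet = this.lastClosedAt === null ? Infinity : now - this.lastClosedAt;
    if (quiet >= QUIET_MS) {
      // The user had real control of the page, so this is not a trap sequence.
      this.streak = 0;
      this.blockedMs = 0;
    }
    this.streak += 1;
    this.openedAt = now;
    return {
      show: true,
      offerTerminate: this.streak >= OFFER_FROM,            // suggestion 1
      slowScriptPrompt: this.blockedMs >= BLOCKED_LIMIT_MS, // suggestion 3
    };
  }

  // The user dismisses the dialog at `now`; `terminate` is true when they
  // pressed the extra button. The embedder would then also cancel the page's
  // timers and unload handlers, as the report proposes.
  dismiss(now, terminate = false) {
    this.blockedMs += now - this.openedAt;
    this.lastClosedAt = now;
    if (terminate) this.terminated = true;
  }
}
```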