Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Google Chrome Chromium IT Technology

Google Plans To Alter JavaScript Popups After Abuse From Tech Support Scammers (bleepingcomputer.com) 118

An anonymous reader writes: Chromium engineers are discussing plans to change how JavaScript popups work inside Chrome and other similar browsers. In a proposal published on the Google Developers portal, the Chromium team acknowledged that JavaScript popups are consistently used to harm users.

To combat this threat, Google engineers say they plan to make JavaScript modals, like the alert(), confirm(), and dialog() methods, only work on a per-tab basis, and not per-window. This change means that popups won't block users from switching and closing the tab, putting an end to any overly-aggresive tactics on the part of the website's owner(s).

There is no timeline on Google's decision to move JavaScript popups to a per-tab model, but Chromium engineers have been debating this issue since July 2016 as part of Project OldSpice. A similar change was made to Safari 9.1, released this week. Apple's decision came after crooks used a bug in Safari to block users on malicious pages using popups. Crooks then tried to extort payment, posing as ransomware.

This discussion has been archived. No new comments can be posted.

Google Plans To Alter JavaScript Popups After Abuse From Tech Support Scammers

Comments Filter:
  • Oh well (Score:5, Informative)

    by Anonymous Coward on Thursday March 30, 2017 @03:22PM (#54145683)

    Took you fucking long enough!

    • Amen.
  • by squiggleslash ( 241428 ) on Thursday March 30, 2017 @03:31PM (#54145769) Homepage Journal
    Seriously, this has been a problem since Netscape first implemented alert(). Why has it taken this long for someone to fix it?
    • by Anonymous Coward on Thursday March 30, 2017 @03:34PM (#54145795)

      But Firefox fixed this years ago. All of the alerts are bound to the tab and not the window.

      • by AmiMoJo ( 196126 )

        A better fix would just be to disable the damn thing. I can't think of a single time I've found a javascript pop-up useful.

        • by Gr8Apes ( 679165 )

          A better fix would just be to disable the damn thing. I can't think of a single time I've found a javascript pop-up useful.

          Oh, all the time, especially when I'm in development.

          • by Anonymous Coward

            Use console.log

        • They are useful for confirming actions, especially delete functions of things. It's not often I use them on a public facing site, though. When it comes to the Administration of the site, I use them frequently.

          With that said, I've moved most of my projects to an inline modal (constructed inside of the page using HTML/CSS/JS). Way more flexibility, and less user annoyance.

      • Since I just disabled all pop-ups entirely. Occasionally I have to turn it on for a banking site and the very rare shopping site. But defaulting it to disabled and enabling it only when needed seems a much more sensible approach than defaulting it to enabled and disabling it on a case-by-case basis.
      • That's easy for them when their entire UI is XUL and basically just HTML/JS already.

    • Re: (Score:3, Informative)

      by Anonymous Coward

      Firefox fixed this in early 2011. It's Chrome that's lagging behind in this case.

    • Not sure when but in Safari Javascript popups come un in the tab, that you can switch away from.

    • Just get rid of alert() and make America great again. Or make the Internet great again.
      • by slazzy ( 864185 )
        I'd say rather than getting rid of alert, change the way the browser displays the alert to a user. Maybe instead a small bar at the bottom of the page that doesn't interfere with anything would be a better standard way of displaying a message without blocking user interaction.
    • Opera's had a "Disable scripts on this page" button in the alert boxes for as long as I can remember.

  • I've found that i can right click on a tab to close it when it's been hijacked by models.

    • by Stavr0 ( 35032 )

      I've found that i can right click on a tab to close it when it's been hijacked by models.

      Is that the one where one goes down on you while the other steals your wallet? Because I already heard that one.

      • I've found that i can right click on a tab to close it when it's been hijacked by models.

        Is that the one where one goes down on you while the other steals your wallet? Because I already heard that one.

        That happened this morning. It felt good until it was really bad.

  • by Anonymous Coward
    Why the fuck were pop-ups seizing control of the entire fucking browser in the first place?
    • by DaHat ( 247651 )

      Isn't that the point of modal dialogs/windows?

      • by Anonymous Coward

        Yes. The question stands: why the fuck was this behavior ever supported in the first place?

        • by cfalcon ( 779563 )

          > why the fuck was this behavior ever supported in the first place?

          You know exactly why this behavior was desired, and it was never in the interest of the user.

    • by Scoth ( 879800 )

      Likely because it dates back to the pre-tab era when you just had one window in the first place. Once tabs became a thing, the paradigm was never updated. Hopefully they get this in there quick.

  • by swb ( 14022 ) on Thursday March 30, 2017 @03:37PM (#54145817)

    Like the originating URL, submission URL or some general flag that says the pop up is generated by a site, and not the browser.

    • I think these modal dialog boxes are always generated by sites, not the browser. You shouldn't need more info, because they should only be shown while you're on the relevant tab (Firefox does this now; it used to force-switch to the tab whenever a modal was generated).

  • Making the alert, confirm and dialog models tab based seems like a reasonable restriction while still allowing HTML5 apps which will probably use these models for not nefarious purposes. Anything more may be an inconvenience for HTML5 web app authors - but not a roadblock to scammers.

    I'm looking at it from the perspective of having done a Google extension which required these models; while being available in the browser using Javascript, they're not available to extensions. As extensions go away and move

  • It's the most common type of call I get now. I support over 1,000 users at various companies around my city and most are using application whitelisting and don't know their own admin passwords, so it's pretty much impossible for them to execute a real virus, the these javascript tricks are scaring them left and right. I get a call almost every day over it. They are so upset they can't settle down long enough for me to tell them "restart windows". When they finally listen to me and restart windows, they
    • It sounds more like a problem with your users being drooling idiots.

      • It sounds more like a problem with your users being drooling idiots.

        It's like they say: you can pick your friends, but you can't pick your users. Can't live with them, can't kill them.

        • For chrissakes, most users are drooling idiots. Pretty much every application, but in particular every application that connects to the Internet, has to take into account that the odds are fairly good that the person sitting in front of the keyboard is a drooling idiot.

      • by Kjella ( 173770 )

        It sounds more like a problem with your users being drooling idiots.

        Well I've run into some of these that manage to

        a) create a pop-up window that covers almost the whole screen without the usual navigation
        b) throw the modal dialog in an infinite loop, you must check that little "stop creating dialogs" box to escape
        c) use a reload/redirect trigger/timer so you get sent to a new page with a new dialog if you break the b) loop

        It's fucking annoying and I could very well understand a clueless user thinking he's been hacked. I've not managed to find any way out of the most annoyi

  • As far as I'm concerned browser devs are a bunch of cunts for allowing this shit in the first place and they all should be kicked square in the ass with razor studded boots for not fixing it sooner.

  • Oh, you mean like Firefox has been doing for YEARS? You mean as detailed in bug number FOUR HUNDRED AND FIFTY SIX [chromium.org] out of 707,000 bugs filed so far in the Chromium bug tracker?
  • It's about time they made alert() dialogs tab-modal instead of window-modal. This is not so much news, as poor UX that should have been corrected long ago.
  • ... Google will realize scammers are abusing float boxes.
  • Opera Presto (that is, versions 12.x and earlier) had this years ago.
  • Popups, boxes that follow you around the page as you scroll, sound that over-rides or ignores any browser mute functionality, allowing the close, ok, and cancel buttons to be remapped to anything else than the stated functionality (usually these get remapped to load malware or redirect to another site that loads more unwanted scripts/tabs), forced reload timers, right-click disabling, cascading tab loads, tab locks, automated non-default application launch, automated and silent extension/plugin installation

If I had only known, I would have been a locksmith. -- Albert Einstein

Working...