Mimsy Were the Borogoves

Mimsy Were the Technocrats: As long as we keep talking about it, it’s technology.

Why are JavaScript alerts still capable of blocking browser activity?

Jerry Stratton, October 3, 2011

[Image: MacDefender alert box. Caption: “I’m going to screw with your computer. OK?”]

I have never understood why JavaScript is allowed to completely block any further user interaction. The correct options that a browser should display when throwing up an alert box are “Okay” and “Never run JavaScript on this page/site again.” And they should not block the entire browser in any case—as I write this, Safari and Chrome still allow alerts to block all windows[1]. In the modern world of tabs and multiple windows, letting a single web page block other web pages is a throwback to the stone age.

Click here for a non-binding example. The machine should call you an asshole, and there’s nothing for you to do except agree. That’s unacceptable.

Click here for an example that will lock up some browsers (save your work first!). Once you kill your browser and restart, realize that I didn’t have to give you the option of choosing that behavior: I could have forced it on you as soon as you visited the page. That’s ridiculously unacceptable.

I’m not the first to ask this question. Veeti Paananen asked it at the beginning of 2009. Raymond Camden asked it in 2007, and in the comments people wondered how it could be a security issue.

This was before the MacDefender trojan that infected web advertising servers and image searches several months ago. Part of the reason MacDefender worked is that it couldn’t be ignored. People who are confused about what action to take are perfectly happy to ignore a problem until it goes away; the alert box took that option away from them. The JavaScript alert meant that they couldn’t ignore it until it went away. It was a social engineering attack to get victims to run the downloaded trojan, and it apparently was pretty successful.

Safari is the worst of all of the browsers I tested writing this: alerts will block all windows, windows can’t be closed, and it will never offer the option of canceling the script. I can’t open new windows or tabs, and am stuck until I decide how to deal with the offending alert. That all helped MacDefender get its job done.

[Image: Opera JavaScript alert. Caption: Opera lets you stop suspicious alerts immediately.]

Firefox will present a checkbox to block all further alerts on this page if I hit the “Okay” button ten times, but by then the social engineering attack has already done its job. That checkbox needs to be there on the very first alert, to let people know that this alert is not official, but is rather an untrusted message from an untrusted source. On the plus side, Firefox allows me to close the blocked window without touching the alert box.[2]

Chrome puts the checkbox on the second alert, rather than the tenth; that’s still too late. To be effective, that checkbox needs to be there on the very first alert. MacDefender didn’t need a second alert to do its job; all it needed was to get the victim to say “OK” once to let their guard down or resign them to doing whatever they thought it was doing. Chrome does not allow closing the tab/window while the alert is there.

Opera is the only one of the four that works correctly. It puts the checkbox for blocking further JavaScript[3] on the first alert, and it makes it clear that the alert is not something from the browser but from outside. Opera’s alerts don’t block anything except the current page. The current page can even be closed without touching the alert box.
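
The behavior argued for above (page dialogs treated as untrusted messages that do not block and can be muted from the very first one) can be expressed as a wrapper around the dialog functions. This is an added example, not code from the original post or from any browser; `installDialogGuard`, the `notify` hook and the `limit` threshold are hypothetical names, and it assumes the wrapper runs in the page's own context before any page script.

```javascript
// Added example: replace blocking page dialogs with non-blocking, mutable ones.
// `win` is any object exposing alert/confirm/prompt (pass `window` in a browser).
function installDialogGuard(win, options = {}) {
  const limit = options.limit ?? 3;            // assumed cap, not a browser default
  const notify = options.notify ?? (() => {}); // hypothetical non-modal UI hook
  const state = { shown: [], suppressed: 0, muted: false };

  function guard(kind, cancelValue) {
    return function (message) {
      if (state.muted || state.shown.length >= limit) {
        state.muted = true;
        state.suppressed += 1;
        // Throwing aborts only the script that asked for the dialog; other
        // scripts on the page keep running until they call a dialog too.
        throw new Error(kind + "() blocked: dialogs are muted for this page");
      }
      const entry = { kind, text: String(message), origin: "page" };
      state.shown.push(entry);
      // The mute control is offered with the very first dialog.
      notify(entry, () => { state.muted = true; });
      return cancelValue; // never answer "OK" on the user's behalf
    };
  }

  win.alert = guard("alert", undefined);
  win.confirm = guard("confirm", false);
  win.prompt = guard("prompt", null);
  return state;
}

// Constructed demo: a fake page object and a user who mutes on the first dialog.
function demoMuteOnFirst() {
  const page = {};
  const state = installDialogGuard(page, { notify: (entry, mute) => mute() });
  page.alert("Your computer is infected!"); // shown once, non-blocking
  let calls = 0;
  try {
    while (true) { calls += 1; page.alert("OK?"); } // loop ends on first call
  } catch (e) { /* script aborted by the guard */ }
  return { shown: state.shown.length, suppressed: state.suppressed, calls };
}
```

A script that wraps its dialog calls in `try`/`catch` can swallow the error and keep running, so the guard limits dialogs but is not a substitute for the browser stopping the script itself.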

Of course, MacDefender also made use of the auto-download feature that is still available in most browsers. If you’ve ever been on a page that says “your download will begin in x seconds”, and the download does, in fact, begin, then your browser is also susceptible to this.

For testing, I used Safari 5.1, Firefox 7.0.1, Chrome 14.0.835.186, and Opera 11.51, all for Mac OS X 10.6.8. Except for Mac OS X, these were the latest versions available when I wrote this, and these were the top four browsers for Mac OS X when I wrote this.

April 1, 2016: Safari 9.1 frees your browser from JavaScript lockup

This is not an April Fools’ post. I got mine in early. From my testing using the links in the parent post, Safari no longer blocks closing a tab or window when it displays a JavaScript alert as of at least Safari 9.1. Close Window and Close Tab are available from the File menu, and the close button is available on both the browser window and the tab in the browser window.

Further, they’ve changed the appearance of the JavaScript alert to look like it comes from the web page rather than from the browser or operating system; that is, JavaScript alerts no longer look like they’re official.

They’ve removed the checkbox to no longer show alerts that used to show up on the second iteration of the alert.

July 12, 2015: Safari 8.0.7 can block endless alerts

I just ran some software updates last week, and reading the latest Software Update notes, I noticed:

Fixes an issue where a website could prevent the user from navigating away by presenting repeated JavaScript alerts in Safari.

After doing the update, I went to the parent page and hit the deadly link. Sure enough, on the second iteration Safari added a checkbox to the alert:

Don’t show more alerts from this webpage

Checking that box makes the alerts go away.

Testing what it’s doing under the hood is difficult, as checking that box also seems to block reloading the page. I’m not sure that’s a bad thing.

It appears to disable any JavaScript on the page. I can’t even go to the URL bar and get an alert from:

  • javascript:alert("Hello");

Again, I think that’s a good thing. If the page has potentially malicious JavaScript, block it all.

JavaScript that doesn’t involve alerts also fails from the URL bar:

  • javascript:headlines=document.getElementsByTagName("h1");headline=headlines[0];headline.innerHTML="Hello, World";

So it looks like “Don’t show more alerts” means “stop executing scripts on this page”. The Error Console doesn’t show any errors; the script simply doesn’t execute.

  1. Firefox allows the alert to block the current window/tab, but continues to allow creation of new windows and tabs. Chrome allows the creation of new windows and tabs if you realize that you can click on the underlying page (if all you do is look at the file menu, Chrome’s New Window/New Tab options are greyed out), but the alert remains on top of all new pages and blocks some page functions in the new pages.

  2. I didn’t originally think about that until halfway through writing this article, but that’s probably because of years of conditioning; people not used to previous versions of Firefox and Netscape and other browsers might not have the preconception that windows with alerts can’t be closed.

  3. Its wording for blocking is misleading: it says “Stop executing scripts on this page”. But as far as I can tell, it only stops executing the current script. Other JavaScripts on the page will continue to trigger.
