The bigger problem is that an authentication dialog is a window modal, which makes the entire browser inoperative. If it wasn’t for this, you could simply close the tab with the malicious site.
This broader issue is reported on the bug #123913, which is 17 years old. The bug is old enough to drive.
We have no law about age of consumption but we have a law about a minimal age of buying; it has almost no sanction though and the worst you risk is spending a few hours or a night in a "drunken" cell at the police station. On the other hand we do have strong sanction for selling to someone under the legal age.
About the age of buying it used to be 16 years old but the law was changed to put it at 18 for liquors and hard alcohol back in 2009, since then most maps you can find on the internet about drinking age often put us at 18 but in reality it's still 16 for wine/beer/cider/...
The change was to fight whisky/vodka/rum/... binge drinking by high schoolers.
(driving age is 18, or 16 if you're accompanied by an adult and passed a specific kind of driving permit)
Not to defend Mozilla's inability to prioritize, but ...
Isn't that a common issue across browsers? I know on iOS, I get burned by shady sites on Safari that do redirects and pop up a browser-level modal that somehow stops me from closing the tab until I turn off Javascript and restart the browser.
That must be on an older iOS version? Pretty sure that on recent versions the modal dialogs are actually not modal anymore and are rendered 'in content'. So you can always close the tab.
Why the negativity? Software is fluid and never perfect. And especially the fight between browsers and malicious sites won't stop at any time ... At least they recognized the problem and acted on it.
Ironically, I've dropped Chrome on Windows because of the very same issue several years ago. There were more than a few sites like this; the only way to close the tab was killing the entire browser with the task manager. I've been occasionally stumbling upon sites like this for a year and a half, and the bug hasn't been fixed this entire time. Then I switched to Firefox, which has a feature to bail out from the endless loop (the 'Prevent this site from creating additional dialogs' checkbox), and never looked back.
So I guess there's more than one way to aggressively keep the tab open.
One of the sites opened fullscreen mode to hide browser UI. Note that currently web browser developers are implementing a fullscreen mode with keyboard lock that is much harder to leave because it blocks most of system key combinations: [1]. The only keys that will still work are Ctrl + Alt + Del or holding an Esc for two seconds. And as I assume you cannot leave it using mouse or touchpad.
Another problem is that browsers are too complicated. Building Firefox from source requires you to have a powerful machine with a multicore CPU and a lot of memory, and compilation would take a lot of time. This could stop people from contributing fixes.
> Note that currently web browser developers are implementing a fullscreen mode with keyboard lock that is much harder to leave because it blocks most of system key combinations. The only keys that will still work are Ctrl + Alt + Del or holding an Esc for two seconds. And as I assume you cannot leave it using mouse or touchpad.
What possible justification is there for this? Looks like this can become an ideal way to 'force' unsuspecting users to interact with a malicious site...
If I had to guess, I'd say games. Browser games just refuse to die. I thought they'd die with Java applets, then with Flash, but they just keep coming back...
One of the main reasons I wouldn't like to see browser games come back is that they are usually basically 100% tied to a server. They're not like standard games, where even if the servers go down, you still have the files and can either keep playing offline or even hack together a server implementation. Once the server goes down, that game is gone[1].
Not to mention, that if an industry were to arise around web-based games, most would probably either be the "free but pay-to-win and with ads" kind, or on Netflix-style subscription platforms where you don't actually own anything and you're just paying for the access.
[1] - not saying it's impossible to preserve it, just that it's not preserved by default, like a locally-installed game is
This is no longer true for even locally installed games. If Ubisoft's uPlay disappears tomorrow, your locally installed games are just useless bits.
Many very nice web based games exist, and many can be saved to disk and launched from a local html file just fine. Many games target the web browser because it's easily cross platform, requires no install, and is easy to convince new players to give it a try.
> Richly interactive web sites, games and remote desktop/application streaming experiences want to provide an immersive, full screen experience. To accomplish this, sites need access to special keys and keyboard shortcuts while they are in full screen mode so that they can be used for navigation, menus or gaming functionality.
Note that this proposal is still in Editors Draft (meaning it hasn't even been proposed as a Working Draft yet, they're still in the process of writing the initial proposal). It could very well be rejected, and I hope it is.
It's being championed by the Chromium team, and just because Chromium has turned something on doesn't mean it's a standard. It just means that Chromium doesn't know how to properly launch experimental browser settings behind user flags, <rant>because apparently we've all learned literally nothing from the early days of browser-specific CSS tags and the botched release of flexbox</rant>.
Remember HTML imports, Observable, etc... there's still plenty of time to file issues[0] and participate in conversation about the feature[1]. And I encourage you to do so, because speaking as a game developer on the web, this is a bad feature that shouldn't be built.
I've had relatives tricked by this and called the number for "Microsoft Support."
They were using Chrome. Clicking on the browser outside of the page area resulted in the tab going full screen again somehow, and they used multiple other tricks to make the page impossible to close (e.g. looping message boxes).
I don't think browser vendors take these issues very easy. But when I tell relatives to hit the escape key and it DOESN'T work, it isn't helpful.
Also, Escape key won't work if you had pressed F11 to switch to a fullscreen mode. Furthermore, browsers like Opera remember this setting and restore fullscreen mode (along with the page content) even after restart. I saw a case when a user somehow has opened a page with ads in fullscreen mode (probably it was done for watching a movie) and it was restored even after exiting and restarting the browser. So I killed the browser with Task Manager, restarted it and the fullscreen ads appeared again.
I (an experienced user) couldn't quickly figure out that it was actually a fullscreen mode, couldn't understand why the browser doesn't launch and thought it was some kind of virus in the system. I figured it out only when I tried to move mouse upwards and a browser UI appeared.
> this issue has gone unfixed, for unknown reasons
The reason is just that no-one has thought it important enough to fix, and/or no-one has been able to get sufficient agreement on what the correct fix is. Let's not pretend there's a mystery.
Something like 80-90% of their revenue comes from Google. Their higher-ups can spin it all day, but they know damn well their jobs depend on a good relationship with Google.
Or even indirectly, the YouTube team might choose to instead send them an IE6-era experience of YouTube instead of the current one to avoid the bug, which might push users away from Firefox.
In my experience with Firefox devs, if it's not important enough to fix immediately, bugs will simply be closed and ignored. I've come across other bugs that exist for 10 years (not security related) which were closed again each time they were brought up every few years.
Clearly, in the eyes of browser developers basic UI is far less important than 3d rendering, web assembly, progressive API and other features used by .000001% of all websites.
AFAIK, there are still no usable built-in date pickers or upload controls.
The built-in datepicker has so many issues (from immutable styling to the format it uses to basic usability), no serious website will ever use it.
As far as uploads, no large website ever uses the default ones. All of them roll their own using JavaScript APIs. The most popular example is probably Gmail attachments.
Pure curiosity, what's the advantage of this? What am I missing?
The user can't leave the malicious domain, but they also can't interact with the page, because the dialog is in the way. And even if they could, are they really more likely to trust the site after it's made a bunch of random popups appear in a row?
Is it just malice? What does the malicious site gain?
I assume the idea is that on the page visible behind the dialog are instructions to call some number, or open the download, or approve the extension the site wants to install.
Having spent a couple of years working for tech support for a large retail chain, I can confirm that this happens much more often than you might think. Non-technical users are floored by the browser locking up, especially if the site starts to do something alarming like play an audio file telling them their computer is infected. If they were lucky and brought it to me in that state, I'd teach them about their task manager and how to close the browser, and warn them about visiting suspicious sites. But if they actually called the number, and in some cases, allowed the scammers to remote into the machine... all bets were off. There was no telling what we would find.
> Just show a nonmodal dialog for popups like [...] chrome.
But in some cases, Chrome has modal dialog popups that Firefox does not. I made a previous comment about this and you can test that behavior on a safe site like regex101.com:
The solution is simple and there are other problems with having a modal dialog (I can't think of many dialogs that should be modal when they only affect one tab). For example if you want to lookup a password for the dialog you have to open a new window.
The possibility to show popups and popovers in browsers should be removed completely.
There are little to no legit uses for them. Even reputable websites use them only to nag and annoy their users.
And don't get me started about Javascript. This is a plague, that causes more problems than it solves.
But this isn't a discussion about whether or not modals are good idea. The OP was arguing —without any idea what the mechanics are, I'm sure, because that's how we decide how technology works these days— that CSS should not be allowed to layer and position one thing over another.
Modals have a place, but like everything, they get abused by people with no idea about how things should work. But that isn't a good standalone argument for going back to pre-1997 CSS.
What gets me, and makes me sad, is how javascript-enabled browsers (and really the magic happened with IE and its XMLHttpRequest) are clearly addressing a need the vast majority of the computing world has: running applications simply (without installing, because that's been made complicated) and with a reasonable expectation of security (sandboxed).
For all the time browsers have been providing this, no one's ever come even close to a good alternative.
That's why the JS-powered browsing experience will never go away, there's nothing like it for how people actually use computers now.
This has been something that irritates me. If I want to copy a password for a site in another tab. Oh look I can't. This isn't just a stupid bug, it's terrible UX. I have to open either another Firefox window, or another browser entirely (better safe than sorry!) in order to find that password for a site that didn't intend to hijack focus for the login screen.
Or how about sites like the one where this article actually appeared (zdnet) making it very difficult (some are impossible) to use the back button? I clicked the article on HN, read it on zdn, and had to hit "back" about 10 times to get back to HN, which was the "previous page visited."
Ironically enough, when I go to that site, I immediately (feel like I) lose control of the browser because it pops up the "do you want to allow notifications on this site" which stops me from scrolling down on the keyboard.
I wasn't complaining about the bloat (already have uBlock), I think I just need to turn off requests for notifications. (Or even better, have intermediate option where I can be aware that it wants to send me notifications, but where it doesn't take the focus off and interfere with my plugins like Vimium.)
Yet another reason to use an extension like uMatrix to disallow javascript by default, and only allow the absolute minimum that sites you trust need to function.
If you're a power user, this kind of "can't leave me" sites are a rare and minor annoyance - you know that they're sandboxed and can't do anything bad unless you allow it, and you'll have it cleaned up WAY faster than the time you'd have spent managing JS exceptions and debugging sites that broke in non-obvious ways.
And if you're setting a computer up for a non-poweruser, you can't deploy uMatrix because you really can't expect the user to do said debugging.
Not allowing JavaScript turns into a chore when you find out that websites break in non obvious ways. I do not want to manually enable/disable JavaScript when the browser is a means to an end for me.
I've used a few solutions: privoxy, noscript, uMatrix and now uBlock origin. The latter was a little confusing when I started using it, but now I get it and love it.
A very good thing is that most websites use external javascript to implement the most annoying "features" like asking for consent, tracking, autoplay and diverse pop-up junk.
Also it includes the "cosmetic filtering" that allows me to block html elements by name, very useful for subscription requests.
Only when I browse on other people's computers, I'm reminded how screwed the web really is.
That's why I'd like to suggest a three-phase solution: the first phase is advocating for using JavaScript for progressive enhancement only; the second phase is a JavaScript blocker; the third phase is using three-phase power to deliver mild electrical shocks to web developers who abuse JavaScript.
Seriously, though, you're right — and every time I'm forced to enable a new JavaScript source in uMatrix, I'm angered at the site which requires it. In some cases, I just don't even bother using such sites — why buy something from someone who respects neither me nor the Web enough to provide a usable site without tons of JavaScript?
On a previous job, we had a “be a one day support desk” mandatory training, but I took it only months after I entered.
One of the funny discoveries was supported platforms and setup bugs are filtered very fast and just flagged as such.
The only monitoring was the up or down trends for that kind of complaints. It includes people on IE6, those using their fridge browser to open the site, or apps that showed the site under some broken in app browser. So people blocking javascript are just a drop in that global number, and if the number is mostly constant it just won’t matter what happens in it and reports won’t even get to the devs.
ha! a typical response is "we thank you for taking the time to contact us and value your opinion. our website is best used with Google Chrome and javascript enabled. Do you have any other problem I can stonewall you about?"
I've registered my fair share of complaints about javascript problems, nobody does anything ever. Except once when I complained a bug triggered epilepsy, that got their attention real quick.
I say it every time that people say "Firefox is great now!". Just look at the Bugzilla, and tell me that among the thousands of reports (many of which have gone untriaged for around a decade!) there aren't at least a handful of serious issues like this.
One, among many, of the reasons I use Chromium is that I see reports taken absolutely seriously, especially any report with any potential security outcome. Even seemingly minor issues or feature requests I've filed with Chromium get thoughtful and prompt responses.
I wish Mozilla the best, but the quality of Firefox is low in a way that I notice every time I use it; I'd appreciate it if they go back to basics and actually try to address at least the known issues with the software.
Every browser is like this. Browse the WebKit or Chromium bug trackers and you will see the exact same: thousands of issues - these are all large projects with a backlog.