Closed Bug 1431861 Opened 7 years ago Closed 7 years ago

Modal windows render Firefox unusable and may even be a security threat

Categories

(Core :: DOM: Core & HTML, defect)

57 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 613785

People

(Reporter: cedric, Unassigned)

References

(Blocks 1 open bug)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Build ID: 20180103231032

Steps to reproduce:

In cases involving infinite loops, modal dialogs can cause Firefox to be unusable, and I think they may even be a minor security threat in phishing websites. The following issues have to do with modal dialogs in general, but I'm demonstrating them using a website I stumbled upon, found under: http://www.fireerrorfinder.com/firefox/?clickid=wPK52HQ97K2LTJ7B1CGHNT1M&language=en
You don't necessarily need to follow that link, just follow my description.


Actual results:

The numbers I am referring to are screenshots contained in the attached file.
The website in question is a scam that wants you to install a plugin. But before that a couple of windows open up. First you get that confirmation dialog that is shown when you try to reload a page that was generated as an answer to a POST request (screenshot 1). Also the website seems to load content that requires authentication (screenshot 2). After you closed those dialogs Firefox somehow ends up in an infinite loop. It repeatedly shows the dialog from screenshot 1. Between clicking "Cancel", "Resend" or the close button and the next confirmation window there is not enough time to do anything. All of these dialogs are modal, of course. So you can't just close the tab and in fact you cannot use any part of the browser UI. The infinite loop isn't always persistent. It sometimes stops. I wasn't able to recognize a pattern. But when the mouse is about to leave the website it always seemed to restart. So at least I wasn't able to close the tab. I came up with some hacky solutions that made it possible for me to open the JavaScript debugger and to stop the website from executing.
I can't tell if that's an intentional part of the scam (after all it prevented me from using anything from the Browser UI) or a bug in this website. I haven't really dug into the code. However it doesn't really matter. A common user would have had to kill Firefox in order to be able to use it again. And I definitely consider that a bug.
The story goes on, however. When the infinite loop comes to a stop as described above, you can see the next dialog (screenshot 3). But it isn't a real window. Instead it is part of the website. After all the other modal dialogs you had to close before that, it is really tempting to not read and close that last dialog as well. However, it just makes FF go fullscreen and tries to install a plugin.

(And btw., these problems happen under Gnome as well as under Windows.)


Expected results:

First I should be able to close the tab without having to kill Firefox or to write a script that closes the dialog, opens up the debugger screen and stops JavaScript via keyboard shortcuts, all in the exact same millisecond.

Second, I think that dialogs in general should be visually attached to the browser UI in a way that can't be faked by websites. Maybe a popup next to the address bar would do the job. If that popup blocks events from traversing to the website frame but is not modal to the whole window, it would also solve the aforementioned problem. I don't think that it makes much sense that these dialogs block whole windows including all other tabs and all menus on the navigation bar. Or is there something I'm missing here? I know that some people would still click on such dialogs. However, as even more advanced users such as myself can get tricked, I think it's a thing to consider.

1) Bug 1412559, fixed in Firefox 58.
2) Bug 613785.
3) This one's confusing. I don't see how it's not already tab-modal unless you've changed prompts.tab_modal.enabled to false in about:config.

Blocks: eviltraps
Component: Untriaged → DOM
OS: Unspecified → All
Product: Firefox → Core
Hardware: Unspecified → All

The last one is not a prompt (separate window). Although it looks exactly like an actual window, it is part of the website, implemented using HTML and CSS, and of course it is not modal to the Firefox window. But I wasn't able to click on anything else, as every time I moved the mouse to the edge of the website frame that infinite loop of confirmation dialogs started again.

But that was not my main point with the last one. I argued that maybe all dialogs in Firefox should be implemented in a way that cannot be faked by websites. (Like somehow being visually attached to the navigation bar.) That way users don't get confused over what is part of the website and what is an actual window, mapped by Firefox. I think that would make such scam websites more obvious.

Anyway, all my other points are covered on the bug report pages you linked. If my last point deserves consideration, it is probably better to file a separate report. So I'm marking this as a duplicate.

Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Component: DOM → DOM: Core & HTML