Closed Bug 369608 Opened 18 years ago Closed 14 years ago

onbeforeunload dialog can be made misleading by a malicious site

Categories

(Firefox :: Security, defect)

Product:
Firefox
Component:
Security
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 588292

People

(Reporter: kunakida, Unassigned)

References

(Blocks 1 open bug,
URL
)

Details

(Keywords: testcase, uiwanted, Whiteboard: [sg:want P4])

Attachments

(1 file)

Screenshot
29.04 KB, image/png
Details 
User-Agent:       Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Build Identifier: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7

The beforeunload dialog has only the options to go forward and close or to cancel and go back to the page.  And the message in the dialog is generated by the event handler in the page.

Various nefarious websites use this feature to set a message in the dialog that discourages a user from leaving the page, causing them to prefer to cancel out and therefore trapping them. (unless they kill the firefox process, which also kills all the other firefox windows)

I would therefore like to see an additional button clearly labeled to avoid being misconstrued... something like "Force Exit", so the user can abandon the page (and only that page) immediately without processing any more events. 

In other words, the websites that rely on this technique to trap users should not be rewarded with _any_ data collected in the event processing during unloading of the page, even something as limited as the knowledge of which button was pressed in the beforeunload dialog.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
How does this "Trap" users?  You just click the "OK" button (which should be labeled something like "Leave page", but whatever) and you're no longer on the page.  The server can figure out whether you left or not without running additional script after onbeforeunload.
The not so wonderful thing about dialogs with a replaceable message string and an OK/Cancel button pair is that the replaceable message can be just about anything.

Eg. Press OK to approve purchase.  
(specially when the "purchase" is something you don't want)

The point is not that a sufficiently technical person won't figure what to do.  The point is that most people (including even technical people) won't recognize what to do unless they happen to be web developers familiar with the mechanics of the beforeunload event and dialog box.

It's called social engineering.  I suggest you try something similar to the above scenario on some unsuspecting non-techie and see the reaction you get.
I think I see what you're saying now: the dialog can be made misleading enough to make users scared to click "OK".  This is like bug 253942 but with a lower-stakes dialog.

We should relabel the buttons, perhaps to "Leave page" and "Don't leave page".  That would let us get rid of the silly third line in the dialog that attempts to explain what each button does, and I think it would be sufficient for making this dialog unscary.

We should also consider doing something to make it clear that the second line is text supplied by the web page.  For example, putting it in quotes would make sense -- unless the site's text includes quotes or characters that look like quotes.  Some versions of Opera put all site-supplied dialog text (even for alert()) in a rectangle with a different background color; maybe we should copy that idea.
URL: data:text/html,<body onbeforeunload="...
Status: UNCONFIRMED → NEW
Component: General → Security
Ever confirmed: true
Keywords: testcase, uiwanted
QA Contact: general → firefox
Summary: beforeunload dialog needs option to abandon the page → onbeforeunload dialog can be made misleading by a malicious site
Whiteboard: [sg:want P4]
Can someone screenshot this for me? I don't know if I've ever experienced this dialog ...
Attached image Screenshot 
Screenshot of the dialog that appears with Firefox trunk, leaving the testcase in the URL field.
I think the relabelling of the buttons is already pretty well covered in bug 246365: can somebody make this depends on it?
Depends on: 246365
Bug 411855 has an outline and a mockup of how to handle this problem. I think the suggested solution in that bug would work well.
No longer depends on: 411855
Blocks: eviltraps
My dad encountered a fake-Windows-antivirus page that took advantage of the onbeforeunload dialog: "Your system is at risk of crash. Press CANCEL to prevent it."  It seemed to spam this dialog alternately with a download-exe dialog (bug 391834??), all over a background of an "infection detected" scene that looked like part of Windows.

Given that this dialog is part of active, widespread attacks, I think we need to at least fix the button labels (bug 246365) for Firefox 4.  I'd prefer getting rid of the dialog entirely (bug 578828) or omitting the site-supplied text.
OS: Windows NT → All
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: