Bug 432687 (eviltraps): [meta] Protect users from websites that trap them or destroy their experience

Status: Open. Opened 16 years ago, updated 18 hours ago.
Categories: Core :: DOM: Core & HTML, task, P3
Reporter: oxmosys (Unassigned)
Depends on: 57 open bugs
Keywords: meta, sec-want, ux-control. Whiteboard: [sg:want]
Attachments: 1 file

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; fr; rv:1.9b5) Gecko/2008041515 Firefox/3.0b5
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; fr; rv:1.9b5) Gecko/2008041515 Firefox/3.0b5

There are JavaScript-based websites that are traps which cause Firefox to show nasty content and stop answering user requests. Firefox's behavior in these situations is really bad since it obeys the code and stops listening to the user; it's not possible to close, change the configuration, close the tab or even exit Firefox!

A good example is this website (WARNING, this website shows pornographic content and you will not be able to close it without killing Firefox):

www.mylazysundays.com

Reproducible: Always

Actual Results:  
Impossible to move/maximize/close the Firefox window, impossible to change the website, impossible to close the tab and impossible to modify the Firefox configuration.

Expected Results:  
Firefox should accept the user's request to change the website or to close the website, and should not accept JavaScript code which causes the Firefox main window to run on the screen and refuse the mouse.

Even if it's JavaScript, it's a major issue that Firefox refuses any user request in these conditions. There is no reason to justify the user losing control over Firefox.

Firefox should really give the possibility to the user to exit this webpage.
This evil site does several things to get in the way of closing it:

* Tries to move the window around (bug 144069, bug 186708).

* Dozens of alerts in onbeforeunload (bug 391834 would prevent these from appearing; bug 59314 or bug 61098 would let you escape).

* Disables keyboard shortcuts such as Cmd+W.  Perhaps Firefox should not allow sites to cancel certain keyboard shortcuts.
Component: Disability Access → General
OS: Linux → All
QA Contact: disability.access → general
Hardware: PC → All
Then if this website uses multiple bugs in Firefox which are already known and have a correct priority, I believe that this bug report should be closed. What do you think about it?
Sure, it could be closed as INVALID, or it could be used as a metabug.  We should make sure there's a bug on the keyboard shortcut issue, too.
I like the idea of using this as a meta bug.  Transforming for that end.
--> Confirmed
--> Setting dependencies
--> And I'll file the follow on bug for the Cmd W redirect.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Depends on: 435501
Added bug 435501 for the keyboard re-mapping issue.
Clint, here's a bug for the keyboard re-mapping issue: bug 340902 (which was itself a duplicate of older bugs). It's marked resolved but I cannot personally confirm that it is a resolved matter.
Component: General → Tracking
Keywords: meta
Product: Firefox → Core
QA Contact: general → chofmann
Alias: traps
Depends on: 450292
Alias: traps → eviltraps
Depends on: 448484
Depends on: 458826
No longer depends on: 448484
I just got tricked into visiting this website. Until now I never saw any purpose for the Noscript add-on, but Mylazysundays made me install it.

I still think Firefox should react to such infinite JavaScript loops. For example, if a website shows a few alert windows, after three to five of them another popup should show up and ask "This seems to be an infinite JavaScript loop. Do you want to abort it? [yes] [no, continue]".

This might be useful for computer illiterate people who have no clue how to use Noscript. Also, is there nobody who knows the webmaster personally to pay him a visit?
Depends on: 402401
Depends on: 467536
Depends on: CVE-2009-1828
Depends on: 380637
No longer depends on: 435501
Depends on: 331334
Google Chrome and Opera both deal with this issue perfectly.
Chrome has a checkbox in the popup dialog which prevents further dialogs from being created.
Opera makes the user's "Close tab" command ABSOLUTE and it overwrites any JavaScript on the website.
Thanks

The fact that such problems have been around since 2000 with no fix is enough to kill Fx for me.

I will be dropping it and recommending Chrome as the safe web browser from now on.
Depends on: 481625
Depends on: 377496
Even blogspot is trapping the browser these days (onclose = "are you sure you want to navigate away from this page?", though at least it lets you exit). 

It is a bug that such an event even exists.  Closing a tab should "kill -9" the contents.  It should not post any type of event to javascript on the page or count how many alerts the page has popped.  It should just kill the page completely and instantly, along with all alert dialogs from that page.
(In reply to comment #14)
> Even blogspot is trapping the browser these days (onclose = "are you sure you
> want to navigate away from this page?", though at least it lets you exit). 

Some of those events should be OK, like asking the user if he wants to save (submit) entered text on the page (like a program asking if the user wants to save a file when it closes).

So the OnClose event shouldn't be kill -9, but more like kill -15 (SIGTERM) (but with an option to just "SIGKILL" the page, like an app that doesn't respond to SIGTERM).
Depends on: 455078
Whiteboard: [sg:want]
My rant about scareware in bug 455078 comment 5 might be relevant.
Flags: wanted1.9.2?
Depends on: 530258
Safari by default warns you before closing a window where text is entered on a page.
FWIW: I survive www.mylazysundays.com and similar sites thanks to AlertCheck https://addons.mozilla.org/en-US/firefox/addon/13176
This extension does something similar to what's proposed in comment #7 and Chrome's behavior cited in comment #10
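
The dialog throttling proposed in comment #7 and the Chrome behaviour cited in comment #10, sketched as a per-tab gate (an added example, not part of this bug's comments and not Firefox or Chrome code; `DialogGate`, `askUser`, the threshold of 3 and the 5-second window are assumptions). It also refuses dialogs once the user has asked to close the tab, which is what bug 391834 is described above as doing for alerts in onbeforeunload:

```javascript
// Added illustration; DialogGate, askUser and the default values are
// hypothetical, not Firefox or Chrome internals.
class DialogGate {
  constructor({ threshold = 3, windowMs = 5000, askUser }) {
    this.threshold = threshold; // dialogs allowed in one burst before the browser steps in
    this.windowMs = windowMs;   // dialogs closer together than this count as one burst
    this.askUser = askUser;     // prompt drawn by the browser, not the page; true = block further dialogs
    this.recent = [];           // timestamps of dialogs shown in the current burst
    this.suppressed = false;
    this.unloading = false;
  }

  // Called for every alert/confirm/prompt the page requests.
  // Returns true if the dialog may be shown to the user.
  request(nowMs) {
    if (this.unloading || this.suppressed) return false;
    this.recent = this.recent.filter((t) => nowMs - t < this.windowMs);
    if (this.recent.length >= this.threshold) {
      if (this.askUser()) {
        this.suppressed = true; // the user's choice holds until the next navigation
        return false;
      }
      this.recent = [];         // user chose to continue: start a new burst
    }
    this.recent.push(nowMs);
    return true;
  }

  // The user's close command: unload handlers may still run, but cannot open dialogs.
  beginClose() { this.unloading = true; }

  // A new top-level navigation starts with a clean slate.
  reset() { this.recent = []; this.suppressed = false; this.unloading = false; }
}

// Constructed input: a page that requests `count` dialogs, one every `gapMs` milliseconds.
function simulate(gate, count, gapMs, startMs = 0) {
  let shown = 0;
  for (let i = 0; i < count; i++) {
    if (gate.request(startMs + i * gapMs)) shown++;
  }
  return shown;
}
```

With a user who accepts the browser's offer, a page requesting 50 dialogs in a tight loop gets 3 on screen; a page that spaces its dialogs further apart than the window is never interrupted.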
(In reply to comment #21)

Another extension that solves this problem: RightToClick: https://addons.mozilla.org/en-US/firefox/addon/12572
Blocks: 550196
Depends on: 550238
Depends on: 167475, 334426
No longer depends on: 543531
Depends on: 424201
Depends on: 559598
Depends on: 369608
Depends on: 578210
Depends on: 578828
This bug should be resolved in SeaMonkey.  I looked at NoScript and AlertCheck.  These are too unreliable or tedious, plus problematic updates. Who wants to spend hours learning how to secure a "secure" web browser?  I disagree with Comment 15.  Some kind of verify popup is fine in a program on the user's computer with the user's content, but in the context of the web, where the user does not have control over content, it should never be possible for the user to lose control of the program.  Secondly, if NoScript and AlertCheck can be written, then it should be possible for the developers to incorporate the same functionality.  I just hope something will be done.  Thanks
Depends on: 589166
Depends on: 597934, 598226, 598246
Depends on: 599662
Depends on: 613800
(In reply to comment #28)
We have bug 578828 for what you're asking
Depends on: 616838
Depends on: 564337
Depends on: 620615
Depends on: 635888
Depends on: 560767
Depends on: 636374
Depends on: 502561
Depends on: 636905
Depends on: backtraps
Awww, still not fixed...

Can't we temporarily set to false the default setting of dom.disable_window_move_resize in about:config, like I mentioned in bug #648959?
Because with this option we have some control. Also, Opera and Chrome behave that way too.
(In reply to comment #31)
> Awww, still not fixed...
> 
> Can't we temporary set to false default settings of
> dom.disable_window_move_resize in about:config

I mean set it to true ;p
(In reply to comment #31)
> Awww, still not fixed...
> Can't we temporary set to true default settings of
> dom.disable_window_move_resize in about:config like I mentioned in bug 648959?
> Because with this option we have some control. Also Opera and Chrome behave
> that way too.

See comment 1. That pref also has a UI: Tools > Options > Content > Advanced button next to "Enable JavaScript". Popups should be able to resize and move themselves.
Yep, I know, but these bugs are VERY OLD.
And pasting a link into the location bar and opening it isn't exactly a popup, because it didn't open any new window.

Opera and Chrome have this disabled as I see, so can't we do the same as a workaround until some patch with detection of popups lands?
This will protect us from prank sites without an option to close the tab/window, because keyboard shortcuts are disabled and the whole application is running from the mouse pointer.

Odd, that it's still not fixed ;p
Depends on: 565541
Depends on: 616853
Depends on: 669107
Keywords: ux-control
Depends on: 675574
Depends on: 602286
Depends on: 678994
No longer depends on: 550238
Depends on: 748198
Depends on: 763257
Blocks: useragent
Depends on: 705617
Depends on: 856977
Depends on: 808792
Depends on: 861671
Depends on: 907634
Depends on: 909020
Can someone who is more familiar with firefox internals than me comment on 

https://bugzilla.mozilla.org/show_bug.cgi?id=909615#c10

please?

In particular, the user's comment, "The problem is that Firefox works in a totally unexpected way. The user clicked on the tab close button and when a confirmation dialogue appears he expects that this is for confirming the tab close action. I don't see any valid reason for Firefox to disrespect the users wish in this regard. It would be a different thing if the user asked to just close a specific (i)frame but I don't think that Firefox even allows that?"
Depends on: 934083
Depends on: 947518
Depends on: 950336
Depends on: CVE-2014-1500
Depends on: 1003967
Depends on: 1046022
Depends on: 1054966
Depends on: 1107771
Depends on: 1117342
Depends on: 1125285
Depends on: 1131187
Depends on: 510185
Depends on: 1167023
Depends on: 1169918
Depends on: 1180976
No longer depends on: 1169918
Depends on: 685828
Depends on: 1173831
Depends on: 1205678
Depends on: 1208950
Depends on: 676975
Depends on: 839470
Depends on: 1234842
Depends on: 682569
Depends on: 682565
Depends on: 1246773
Depends on: 1199934
Depends on: 1241048
Depends on: 1260612
Depends on: 1263100
Depends on: 1270444
Component: Tracking → DOM
QA Contact: chofmann
Summary: Protect users from Javascript trap websites → Protect users from websites that trap them or destroy their experience
Depends on: 1290834
Depends on: 1310659
Depends on: CVE-2017-5419
Depends on: 1317573
Depends on: 1316798
Depends on: 1329465
Depends on: 1332590
Depends on: 1340634
Depends on: 1344490
Depends on: 1354168
Depends on: 1361653
Depends on: 1362752
Depends on: 1364962
Depends on: 1373353
Depends on: 1380305
Depends on: 1394281
Depends on: 1396381
Depends on: 1311306
Depends on: 1312874
Depends on: 1372085
Depends on: 1404571
Depends on: 647010
Depends on: 1412003
Depends on: 1412559
Depends on: 1416760
Depends on: 1416761
No longer depends on: 1416760
Depends on: 616843
Depends on: 1416345
Depends on: 1425264
Depends on: 1426931
Hello!

FWIW http://protectcheckerextt.biz/ff/ does some evil trickery IMHO.

Thanks!
Alex
No longer depends on: 1426931
(In reply to alex_mayorga from comment #38)
> Hello!
> 
> FWIW http://protectcheckerextt.biz/ff/ does some evil trickery IMHO.
> 
> Thanks!
> Alex

Can you file a new bug blocking this bug?
(In reply to Marco Castelluccio [:marco] from comment #39)
> (In reply to alex_mayorga from comment #38)
> > Hello!
> > 
> > FWIW http://protectcheckerextt.biz/ff/ does some evil trickery IMHO.
> > 
> > Thanks!
> > Alex
> 
> Can you file a new bug blocking this bug?

I think the main evil-trappery issue with that site was fixed with bug 1412559.
Depends on: 1431861
Hello Johann!

The experience at http://protectcheckerextt.biz/ff/ is still somewhat disheartening on today's Nightly IMHO, please see https://www.screencast.com/t/jEb78Gor

http://www.britishxcuisine.com/ is another of those fake sites that was affecting a user enough to file a SuMo question at https://support.mozilla.org/questions/1200872

I'm pretty sure I reported that 1st one via https://www.mozilla.org/en-US/about/legal/fraud-report/ https://www.phishtank.com/phish_detail.php?phish_id=5404958 and https://safebrowsing.google.com/safebrowsing/report_phish/ yet that site is still up today.

How can this be improved?

Thanks!
Alex
Flags: needinfo?(jhofmann)
Unfortunately I don't really know the inner workings of our fraud reporting or SafeBrowsing. We're working on the rest of these annoyances in the dependencies of this bug.
Flags: needinfo?(jhofmann)
Depends on: CVE-2018-5179
https://spaming4-info.ml

This site is also really bad!
It can lock the Browser!
The url should be:
https://spaming4-info.ml/error09.com/main3/

Very dangerous!
Depends on: 1439255
Depends on: 1435497
Depends on: 1438214
Depends on: 1444095
No longer depends on: 1208950
No longer depends on: 1241048
Depends on: 1450083
Depends on: 233262
Depends on: 1454063
Priority: -- → P2
Priority: P2 → P3
Summary: Protect users from websites that trap them or destroy their experience → [meta] Protect users from websites that trap them or destroy their experience
Depends on: 1208950
Depends on: 1457693
No longer depends on: 1362752
Depends on: 1306334
Depends on: 1459264
Depends on: 1461327
No longer depends on: 1461327
Depends on: 1454370
No longer depends on: 1454370
Depends on: 1271118
Depends on: 1463833
Depends on: 1464623
Depends on: 1473344
Depends on: 1476357
No longer depends on: 1476550
Depends on: 1412561
See Also: → 1486879
Depends on: 1486879
Depends on: 1488995
Depends on: 1496701
Depends on: 1515073
Depends on: 1515698
Depends on: 1520489
Depends on: 1520589
Depends on: 1492668
No longer depends on: 1272644
No longer depends on: 598246
Depends on: 1522120
Depends on: 1522161
No longer depends on: 1522161
Depends on: 1523249
Depends on: 1524559
Depends on: 1532338
Component: DOM → DOM: Core & HTML
Depends on: 1514413
Depends on: 1538402
Depends on: 1539757
Depends on: 1315803
Depends on: 1543318
Depends on: 1492408
Depends on: 1503661
Depends on: 1559907
Depends on: 1563012
Depends on: 1571003
Depends on: 1571286
Depends on: 1573736
Depends on: 1578453
No longer depends on: 1578453
Depends on: 1192544
Attached video blocked-firefox_3.mp4

this site: h***s://multimilltracks.com/as/de/index.php?clickid=2e64e7sirocmya5b&t1=X2jEBmb1nDc&t2=65681&t3=722534&t4=FIREFOX_68.0&t5=77.191.140.146&t6=flashx.pw&t7={t7}&t8={t8}&t9={t9}&t10={t10}&uclick=7sirocmy (I assume it needs some cookies and maybe the same IP is also necessary) blocks my Firefox

(In reply to Zitronella from comment #47)
> Created attachment 9099508 [details]
> blocked-firefox_3.mp4
> 
> this site: h***s://multimilltracks.com/as/de/index.php?clickid=2e64e7sirocmya5b&t1=X2jEBmb1nDc&t2=65681&t3=722534&t4=FIREFOX_68.0&t5=77.191.140.146&t6=flashx.pw&t7={t7}&t8={t8}&t9={t9}&t10={t10}&uclick=7sirocmy (I assume it needs some cookies and maybe the same IP is also necessary) blocks my Firefox

Thanks for reporting the site, the biggest part of it is bug 1571003.

See Also: → 1588509
Depends on: 1591698
Depends on: 1593795
Depends on: 1596189
Depends on: 1460286
Depends on: 1604720
No longer depends on: 1604720
Depends on: 1615588
Depends on: 1611517
Depends on: 774228
Depends on: 1621424
Depends on: 883818
No longer depends on: 883818
Depends on: 832913
Depends on: 1623920
Depends on: 1631251
Depends on: 1627597
Depends on: 1636944
Depends on: 1644476
Depends on: 1644767
Depends on: 1647019
Depends on: 1653570
Depends on: 1661333
No longer depends on: 1661333
Depends on: 1666131
Depends on: 1670316
Depends on: 1684667
Depends on: 1709183
Depends on: 1711049
Depends on: 1720438
No longer depends on: 1720438
Depends on: 1732135
No longer depends on: CVE-2021-43546
Depends on: 1740836
Depends on: 1749862
Depends on: 1765678
Severity: critical → --
Type: defect → task
Depends on: 1781147
Depends on: 684476
Depends on: 1808893
Depends on: 1811083
Depends on: 607575
Depends on: 1826471
Depends on: 1578220
Depends on: 1880566
Depends on: 1882344
Depends on: 1106944
Depends on: 1884377