Closed
Bug 520841
Opened 15 years ago
Closed 15 years ago
Lock user into feeling forced to say OK to download malicious code
Categories
(Firefox :: Security, defect)
RESOLVED
DUPLICATE
of bug 123913
People
(Reporter: erik, Unassigned)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)
The website mentioned uses a script to repeatedly pop up an alert box, preventing user input. The alert box recurs unless the user consents to install an Active-X control that (probably) contains a trojan/virus/whatever.
The best fix would be to NOT use program-modal dialog boxes for ANYTHING related to a web page. Alerts and other modal boxes should ALWAYS be "page modal" ... allowing you to click "X" on the tab you are on (or Ctrl-F4 or whatever) - or "X" on the program itself, or even switch between tabs, etc.
Making it possible for a script to block user input to the rest of the program is bad. The browser is kind of like a mini desktop-OS. When one program has a modal box... it doesn't stop other programs from functioning and doesn't stop the user from being able to force-close the program. Likewise, when one webpage has a modal box, it shouldn't stop the user from switching to other pages, or closing the page.
Likewise, pages with modal boxes should blink the tab or otherwise indicate the presence of a modal prompt.
Note... adding this feature will make already-threatened O/S vendors feel more threatened... so you might not want to add it.
Reproducible: Always
Steps to Reproduce:
1. Visit that site... beware ... don't install it! http://[TROJANWARNING]infobloggersbeta.com/main.html
2. Prompt to install active-X control
3. Click cancel.
Actual Results:
Popup, and prompted to install Active-X control over and over in a loop. Cannot switch tabs, cannot exit browser, cannot close tab.
Expected Results:
I expect to be allowed to leave the page or close the window without clicking "OK" to download and install malware.
Popups that are initiated by a web page should be "page-modal" not "program modal". Don't use Windows "MessageBox" or similar API calls... just pop your own "page-modal-box" up and set a program-flag that sends all mouse/keystroke events which would normally go to the "page" to that box.
I don't really know how Firefox is programmed, but I know that modal boxes in web browsers are bad.
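The "page-modal" routing proposed in the report above can be modelled in a few lines. This is an added example, not part of the original report and not Firefox code; the `Tab`, `Browser`, `dispatch` and `demo` names and the event strings are hypothetical, and the scenario is constructed.

```javascript
// Toy model of "page-modal" dialogs: a dialog captures input for its own tab only.
// Every name here is hypothetical; this does not reflect Firefox internals.
class Tab {
  constructor(id) { this.id = id; this.dialog = null; this.attention = false; this.onDismiss = null; this.pageEvents = []; }
  // A page script raises an alert: only this tab is blocked, and the tab is flagged.
  alert(message) { this.dialog = { message }; this.attention = true; }
  dismissDialog() {
    this.dialog = null; this.attention = false;
    if (this.onDismiss) this.onDismiss(this); // the page script may re-alert at once
  }
}

class Browser {
  constructor() { this.tabs = new Map(); this.activeId = null; this.nextId = 1; }
  openTab() { const t = new Tab(this.nextId++); this.tabs.set(t.id, t); this.activeId = t.id; return t; }
  // Chrome-level commands never consult page dialogs.
  switchTo(id) { if (!this.tabs.has(id)) return false; this.activeId = id; return true; }
  closeTab(id) {
    if (!this.tabs.delete(id)) return false;
    if (this.activeId === id) this.activeId = this.tabs.size ? [...this.tabs.keys()][0] : null;
    return true;
  }
  // Content-level input goes to the active tab's dialog if one is open, else to the page.
  dispatch(event) {
    const tab = this.tabs.get(this.activeId);
    if (!tab) return "no-tab";
    if (tab.dialog) {
      if (event === "click-ok" || event === "click-cancel") tab.dismissDialog();
      return "dialog";
    }
    tab.pageEvents.push(event);
    return "page";
  }
}

// Constructed scenario: the second tab re-raises its alert on every dismissal.
function demo() {
  const b = new Browser();
  const good = b.openTab();
  const bad = b.openTab();
  bad.onDismiss = (t) => t.alert("Install the control");
  bad.alert("Install the control");
  const routed = b.dispatch("click-cancel");   // reaches the dialog, which reappears
  const stillBlocked = bad.dialog !== null;
  const flagged = bad.attention;               // tab indicator stays on
  const switched = b.switchTo(good.id);        // allowed despite the open dialog
  const pageInput = b.dispatch("keypress");    // the other tab gets input normally
  const closed = b.closeTab(bad.id);           // user leaves without clicking OK
  return { routed, stillBlocked, flagged, switched, pageInput, closed, remaining: b.tabs.size };
}
```

The looping alert still blocks its own page, but tab switching and tab close sit outside the dialog's reach, which is the property the report asks for.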
Comment 1•15 years ago
The proposed "tab-modal" solution is covered by bug 123913 so I'll dupe to that, but we're not close to that solution.
Bug 61098 is an alternate solution to the same attack and at least has a patch that could work.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE