Closed
Bug 86193
(oncontextmenu)
Opened 24 years ago
Closed 21 years ago
Prevent websites from disabling the mouse right-click context menu - disallow sites access to Window.oncontextmenu and friends
Categories
(Core :: DOM: UI Events & Focus Handling, defect, P3)
Core
DOM: UI Events & Focus Handling
Tracking
()
VERIFIED
FIXED
mozilla1.7beta
People
(Reporter: BenB, Assigned: caillon)
References
(Blocks 1 open bug, )
Details
(Keywords: access, helpwanted, regression, Whiteboard: See comment 149 for instructions on how to use this option | [p-ie/mac])
Attachments
(2 files, 3 obsolete files)
5.60 KB,
patch
|
jst
:
review+
bryner
:
superreview+
|
Details | Diff | Splinter Review |
876 bytes,
text/html
|
Details |
Counter-bug to bug 72084. The option to disallow websites (remote content in general) to interfere with the browser's context menu in any way. Bug 71705 is related, but not a dup.
Reporter | ||
Updated•24 years ago
|
No longer blocks: 86195
Keywords: mozilla1.0,
regression
Comment 1•24 years ago
|
||
See also bug 40535, [RFE] disallow/queue alert (and window.open?) on right- click.
Updated•24 years ago
|
Whiteboard: [p-ie/mac]
Updated•24 years ago
|
Target Milestone: --- → mozilla1.0
Keywords: helpwanted
Reporter | ||
Comment 3•23 years ago
|
||
<ironic>hyatt, right, after all, the web page is what should control Mozilla, not the user. All power to AOL, Microsoft and doubleclick.net!</ironic> Adding some of the "discussion" Jesse promised: <quote src="bug 28604" author="me"> IMO, it is none of the business of a webpage to mess with context menus in any way. Sometimes (e.g. after a window.open or when I minimize the normal chorme), the context menu is my only way to interact with the app. E.g. to access "View Source" or to specify how to open a link or anything. A webpage must not be allowed to interfere with my ability to do so. [I would argue that everything else is close to a denial of service.] I have seen pages that tried to prevent me from looking at the source. This must not happen. In this case, a don't care about any W3C spec. This is basic usability. At the very least, I must have the option (with UI) to disallow such malicious behaviour of webpages. Everything else is IMO a serious bug. </quote> Compare mstoltz in bug 92955: "Sure it's privacy-related. Pop-up ads are a violation of my privacy (in that they are annoying, not that they steal personal info)." (But I don't add |privacy| keyword here.) More discussion: <news://news.mozilla.org/3ACDE0A2.6090209@beonex.com>.
Comment 4•23 years ago
|
||
Hyatt, I think this is a legitimate concern. Please don't mark it wontfix. I may be able to do this with per-event security policies (bug 64737, seems to be the hot issue of the day). Ben, I agree with you that the user should have full control over how, or even if, certain types of content are displayed or scripts run. However, as Shaver pointed out to me, 'privacy' has come to refer to the protection of a user's personal information. So, we need a different term for this. 'Content control' is sufficiently general, though unfortunately it sounds like censorship, which is of course not the idea at all.
Comment 6•23 years ago
|
||
I'm marking this [Aufbau-P5] for now, but the first time a porn site tries to stop me from saving an image, I'm upgrading this bug.
Whiteboard: [p-ie/mac] → [Aufbau-P5] [p-ie/mac]
Reporter | ||
Comment 7•23 years ago
|
||
> [Aufbau-P5] I asked Neils and he told me that this is for bug 107162.
Updated•23 years ago
|
Whiteboard: [Aufbau-P5] [p-ie/mac] → [p-ie/mac]
Comment 8•23 years ago
|
||
I hope, this is the right place. An option to disable right-mouse-button-disabeling with JavaScript would fit very well to the Scripts section in the Advanced Preferences. As it stands right now you need to use WebWasher (or something similar) to achive this. pi
Content stealing is the upcoming hot issiue. There is a growing angry community out there concerned about having their content stolen and displayed as if it was somebodyelse's creation. This has nothing to do with privacy or security. If the page denies you from seeing the source, dont visit that page again. It is that simple. Also, having contextmenu always active will be also messing up the entire idea of XUL. Disable the cookies if you are concerned, you are all set for the good of your privacy; the rest of your concerns are more like specific to your own megalo-browser dream.The ambition of having the full control of the web browser is unfortunately extra-terrestrial. On the other hand, You may create a mozilla version of yours which would do that 'having contextmenu open all the' thing if you wish. That is doable, right? Or there could be a compile time macro which will activate or deactivate the feature you want. with amusement,(Sorry)
Reporter | ||
Comment 10•23 years ago
|
||
Yes, I am that old-fashioned to think that *my* devices should do what *I* want.
There is no option to disable this behaviour, which is exactly the subject of
this bug.
The "stolen content" argument is spurious. People who want to "steal your
content" can just use wget.
> If the page denies you from seeing the source, dont visit that page again.
> It is that simple.
"If you want to prevent your content being stolen, don't put it on the public
internet. It is that simple."
Comment 11•23 years ago
|
||
I agree with Ben and am feeling righteous enough today to feel that I speak for the majority. Disabling context menus does not protect source; it limits access to browser features (like load image, open link in new window, back, bookmark, send page etc). If you want to protect your source, shut off your web server... lest I telnet to port 80 and fetch it myself (not that I want it). -matt
Comment 12•23 years ago
|
||
First, you should speak for yourself. I am not that naive to accept populist argumants like "I speak for majority". Second, I am not concerned about closing or protecting my source. I was refering to people who is angry about it. Third, Are you telling me that one should not put his/her content over the internet because couple of people wants so? Well, in that case, I want to put [right now], for example, my page over the internet and do not want that damn contextmenu over my content, go use the menubar. Do you have any right to stop me doing this? NO! if you dont like my page, dont use my port 80 again. It is my port 80 and the content flowing thru my 80 wants no contextmenu. I dont give a damn about which browser is connected, just my content doesnt want to have contextMenu. Does this breach your security or privacy? Hell No! Last but not least, Hmm, lets see, telnet to port 80 and petch the page hmm?. But I am thinking about using HTTPS and closing the port 80. What do you say Einstein? will you dig the browser cache now? Now please dont go any further and dont try to point me to some third party openSSL HTTP clients. If you are that sophisticated, contextMenu disabling shouldnt bother you at all. end of my involvement with this wanna be BUG. Rest is none of my concern.
Comment 13•23 years ago
|
||
would you guys please cut it out, go to a newsgroup, or die? if people want to protect their work from source sniffing, they should use shockwave or an equivalent.
Comment 14•23 years ago
|
||
timeless, you are perfectly right. I am sorry If I offended anybody; It was definitely not my intend. Well, good luck.
Updated•23 years ago
|
Target Milestone: mozilla1.0 → mozilla1.1
Comment 15•23 years ago
|
||
Here's an idea... Provide a meta key for the right-click that will always open the standard "default" context menu, regardless of what the page does. Example: If you just right-click, you will get the context menu or whatever the page redefined it to be. If you alt-right-click, you will ALWAYS get the default mozilla context menu. This would satisfy both sides; if a page wants to add to the menu, they can... If the page deletes useful commands from the context menu, the user can can still get to them with an alt+right-click (or whatever meta-key is selected), and since the user has to go through extra effort, they cannot complain if some web application breaks as a result. -John
Comment 16•23 years ago
|
||
That's a great idea. It could be done for middle click too (open in new tab). It would also be useful for left click (left-drag, to select text -- I've never found anyone so dumb as to try to prevent copying text, but I bet they exist). I vote for alt too.
Comment 17•23 years ago
|
||
alt-click/alt-right-click/alt-middle-click are commonly-used windowmanager shortcut on Unix. This means programs never get those events. Please do not make any accessibility-critical feature use those combinations.
Comment 21•23 years ago
|
||
This issue stems from the original Mozilla bug (#72084 of 3/15/2001) which I submitted. The purpose of this ability to disable the context menu (in my case) has absolutely nothing to do with preventing the ability to "view source". This can be had via the menu bar ANYWAY. The purpose of this is to prevent the user from selecting the manner in which my application (I repeat, my application) is launched. With the movement well underway to make true web- based applications, the application developer needs to control the manner in which the application is launched and used. With a simple web page, this is not an issue, but with a true web-based application, its a fact that cannot be ignored. The original purpose is clearly stated in the opening remarks of that bug. I've included it below for reference purposes: "Currently, is there any way to completely disable the right-click context menu in the Mozilla browser? For Mozilla to be a valuable business application platform, application developers need a JavaScript event handler exposed to disable the display of the context menu. This would prevent users from inadvertantly opening the current application in a new browser window....which could have serious side-effects in a stateful application model."
Comment 22•23 years ago
|
||
It comes down to whether the web browser exists to deliver applications or content. In the former case, disabling context menus may be understandable. In the latter it is completely unacceptable. Unfortunately, people keep trying to coerce HTML to do both, so there is no way to tell which we're dealing with....
Reporter | ||
Comment 23•23 years ago
|
||
bcortez, we discussed this before on the newsgroup almost exactly one year ago, and I replied to most of your recent statements back then already. See the link in comment 3 and the following thread. > has absolutely nothing to do with preventing the ability to "view > source". This can be had via the menu bar ANYWAY. There is no menu, if the site disabled it.
Comment 27•23 years ago
|
||
by disabling the context menu, websites also prevent me from banning their ad gifs
Comment 29•23 years ago
|
||
Couldn't shift be used as suggested in comment 18 ? That's it: if the user press shift and right-click (or the windows' context menu key), then either no event is sent to the page, or the event is turned into a non-cancelable event. I respect comment 21 as I'm also a web developer and I use the oncontextmenu event to provide a modifed menu under certain conditions (that's it not all the page has blocked the event, only a section that allows me to avoid clutter by providing the options only when needed), but as a user I hate when a page removes the context menu completely. Allowing to use a modifier as Shift it would mean that there's no need for another preference, anyone could surf normaly and if some page is bad designed only by pressing one key we get back the context menu. If the user is in a web application and he uses the trick to use the context menu and then the application 'breaks' then the user is the one to blame because he has used something that the author didn't want to and it's not the same situation like having a preference disabled for all sites and then when he is using the web application he doesn't know that the author specified a special handler for the oncontextmenu. does anyone find any problem to use the modifier key approach instead of a preference?
Reporter | ||
Comment 30•23 years ago
|
||
Yes, it is not discoverable for normal users and I should not have to take special action to resume normal operation of my browser. I want to set a hidden pref (by default) in Beonex Communicator and forget about this crap.
Comment 31•23 years ago
|
||
Is ctrl+PageUp, Ctrl+PageDown discoverable for normal users? Shift+click on links? A shorcut is discoverable if it's documented.
Reporter | ||
Comment 32•23 years ago
|
||
> Is ctrl+PageUp, Ctrl+PageDown discoverable for normal users?
> Shift+click on links?
No, none of them are discoverable.
Sorry for my last comment. But I want a preference which I can set and be sure
that a site will never be able to interfere with the context menu (esp. not
remove options). Other options to circumvent bad sites are fine with me.
Comment 33•22 years ago
|
||
> > has absolutely nothing to do with preventing the ability to "view > > source". This can be had via the menu bar ANYWAY. > There is no menu, if the site disabled it. There is always Ctrl-U. I don't think there's any way a site can disable that.
Comment 34•22 years ago
|
||
Sure it can. Just coopt the "ctrl-u" shortcut and preventDefault() or preventBubble() the keyboard event.
Comment 35•22 years ago
|
||
Can oncontextmenu="return false" be disabled with security policies as described in http://www.mozilla.org/projects/security/components/ConfigPolicy.html ? I've tried permutations of: user_pref("capability.policy.default.document.oncontextmenu", "noAccess"); but haven't been successful. The examples at the ConfigPolicies URL all deal with access to properties, while oncontextmenu is an event. So there are no templates there on which to work from.
Comment 37•22 years ago
|
||
The default operation should definately be not to let sites do ANYTHING with the right click. I think this operation belongs to kiosk mode and because Mozilla doesn't have such mode (yet), bug 72084 is invalid. Anyway, I'll be happy if this appears as a checkbox on preferences, but the default should be not allowing websites touch it. Making users shift-click or something is just not good design for content viewer. Web designers shouldn't use right mouse button for anything vital anyway - many people don't even have such button or need to access its function by longer road.
Comment 38•22 years ago
|
||
I'll never understand, why this ideotic event handler got added. It's not a W3C Standard, it's not required to get any page usable or looing better, it's only to let some kiddies think they are cool, if they block your right mousebutton and replace this by sometihnk, which should make this a security related bug, like a window.open() or even nicer - self.close(). It is not possible to perpit content any layout stealing and this doesn't even make it more difficult (or do you think those people are to stipid to disable JavaScript?), it just and simply makes realy _every_ page a risk, as you'll never know, what's hidden on the right mousebutton.
Comment 39•22 years ago
|
||
I think Bug 167396 has the same roots. (Disables selecting text by mouse besides context menu) Its URL has a very annoying example.
Comment 40•22 years ago
|
||
I think this bug should be more general. Right now it only focuses on context menu, while bug 167396 focuses on text selection. Why not making this bug a general bug to not allow pages to prevent ANY mouse button function from working? After all the solution to the problem is the same for both mouse buttons, isn't it? While these might be two different preference settings, I still think it's basically the same bug (it should also cover capturing of middle mouse button if this is possible in JavaScript).
Updated•22 years ago
|
Alias: oncontextmenu
Severity: normal → major
Comment 42•22 years ago
|
||
Let me jump in here. One of the powerful things about the Mozilla preferences is the "allow scripts to" functions. It is great that I can configure what mischief I want to disallow web developers from using on me. I just ran across a tag: <oncontextmenu='return false'> where the web developer has disabled the context menu. This basically nulled the right clicks, preventing me from viewing page source, or even opening a link in a new tab or window. Mozilla has long not supported reassigning of the mouse buttons, and that's good. There should be an item in the "allow scripts to" for "allow/disallow mouse button tampering". I realize this suggestion expands the scope of this bug, but it also perhaps makes it easier to deal with. I notice it is languishing and has not been worked on.
Assignee | ||
Comment 43•22 years ago
|
||
This should do the trick. The pref name is up for debate, and whether or not we want a UI is up for debate too. Whether or not this will even be taken is up for debate since this is a conscious decision to enable this feature for IE compat. Nonetheless, here is the general work needed to make this happen. BenB said he was going to adopt this and attempt to get it into Mozilla, if possible, and if not, then at least into Beonex.
Comment 44•22 years ago
|
||
Two questions: 1) Should we silently ignore the call, or should we generate an exception? (I lean towards the former, I guess) 2) If the latter, could we do this in the script security manager and for all events, a la the existing capability policies?
Comment 45•22 years ago
|
||
Re comment #44 1: Bug 117707 fixed that disabling status bar JS changes would not throw an exception. The logic (and part of the patch?) used there could perhaps be applied to here. The blocked oncontextmenu call should show up as a message on the JS console. Re comment #44 2: Extending the fix from this bug to other events (onhover, onfocus, etc) would fix Bug 150872.
Comment 46•22 years ago
|
||
Not really. It would give an on-off switch, which is not nearly as flexible as the security policy mechanism. Unfortunately, this last just throws exceptions...
Assignee | ||
Comment 47•22 years ago
|
||
Boris, I asked jst about exceptions last night before submitting the patch. No exceptions should be thrown from addEventListener. So we should silently ignore it as I've done.
Comment 49•22 years ago
|
||
"BenB said he was going to adopt this and attempt to get it into Mozilla, if possible, and if not, then at least into Beonex." Funny how this super-ego thing really works. Why dont you guys keep this in Beonex and leave Mozilla alone? I think it is an excellent idea to keep this in Beonex only. You dont want contextmenu disabling deal, go use Beonex. I support this 100%.
Comment 51•22 years ago
|
||
> Why dont you guys keep this in Beonex
Because I do not use Beonex and have no plans to use Beonex. I _do_ however
want to control _my_ browser (notice that it's _mine_, not _yours_).
Comment 52•22 years ago
|
||
Why is it that the idiot web dee-zine-ers who put in those truly retarded scripts to attempt to disable features in users' browsers aren't being egotistical (along with being imbeciles), but those of us who want our browser of choice to provide the ability to ignore these attempts are showing "super-ego"?
Comment 53•22 years ago
|
||
I dont know! why dont you ask them? their egoistic page does not bother me because I wont visit their page again if it really bothers me; however, everybody should be given the freedom to do whatever they wanna do with their content. The freedom must not work one way. Site designers should be given freedom to disable interfaces given over their content. If that bothers you, you are free not to visit their site again. If they dont want you to select text or download picture, they have a freedom to do so, and you have a freedom to not to visit that site again. Although the browser is your browser, content displayed is not. Context menu opened over the content should be considered as part of the content and content owner should be given freedom to disable it(a custom menu can be used by content for right click for example). Mozilla has advanced features, and right click could be used for other purposes by a content. Instead of always opening contextmenu, there could be other options like a menu option to show list of images to download, or copy the entire text. Content area should not be yours to play with unless you are given permission to do so. If you ignore fundamentals like this, Mozilla will be accepted only by a fraction of users out there and that fraction's fraction already includes you all. I have nothing else to say, but hope that a netscape Project manager reviews this before you guys manage to put this inside mozilla by only asking 1- 2 developer's okay.
Comment 54•22 years ago
|
||
Regarding comment 53, I think this approach is totallyu incorrect. If a web designer does not want me to download an image from her page, she should not post that image on the page. If she would like me to see but not download the image, she must state it clearly in a copyright notice before giving access to the imgae. This includes disabling all direct access to the image on the server side. In any case, a HTML tag to disable the context menu is NOT a legal agreement, and the user agent may ignore it as it see fit. The content posted on the site is the HTML source and image binary data, no more. In absence of a legal agreement between the publisher and the user, the user and user agent have the implict right to render this publically available data in any way they seem fit, . In any case the user agent, as it's name implies, should be designed to the serve wishes of the user- not the web publisher. Therefore, the user agent must not allow the web publisher to irreversibly disable or cripply its function.
Comment 55•22 years ago
|
||
Why did you pull it to legal perspective now? I am pointing to crippling a very useful feature of Mozilla. If you are concern about your legal rights, it is perfectly legitemate for you to use a browser which may 100% obey your legal way of thinking, like an alternative, Beonex perhaps. And my comments were not some approach, they are the acute facts themselves. Mozilla have no future if it does not get acceptance from enterprise and if Netscape drops it because of that, you will go to sourceforge.net and wait for hours for a browser download patched by a group of ideological egosteers. It will be marginalized overnite.
Comment 56•22 years ago
|
||
Bora123: Can you name 1 site that has replaced the right click menu with something usefull ?
Comment 57•22 years ago
|
||
There is freedom on both sides... a web developer is free to insert stupid scripts that attempt to disable functionality for the user... and the user is free to set his/her browser to ignore them. It's a free 'Net... Web developers who put such moronic scripts in place are the ones who are "crippling a useful feature of Mozilla"... putting in the ability to disable such things is *adding* a very useful feature to Mozilla.
Comment 58•22 years ago
|
||
#53, sounds like you're using these kind of eventhandler and fear that Mozilla
users might be given the power to easily use the context menu on your website :P
If someone absolutely wants to copy a webpage, there are various possibilities
tools to do so.
Why would an *option* to disable unwanted features lower Mozilla#s acceptance?
It is your right to not visit those websites that block the context menu. I see
it as my right to have _my_ browser that is not controlled by _anyone_ but myself.
I know many people that would love Mozilla even more for having such feature and
some who would switch from IE just to have great anti-annoyances settings.
Why would the context menu be part of the content? It offers actions Mozilla
executes, and not something the author of the website created.
As you can see if you take a look at the "Votes", the interest in this feature
is quite high - there are only 149 bugs with more than 22 votes.
Also, what's your problem with having the full control over your browser (#9,
#12, ...)? Sounds really like _you_ are having the problem here. Don't want the
control? Fine, don' enable the tweaks. But why should not others benefit from
it, and have a browser _they_ like, without the need to recompile?
You said you were done with this bug (#12), yet you continue argueing.
Regarding #55,
> it is perfectly legitemate for you to use a browser which may 100% obey your
> legal way of thinking
why shpouldn't Mozilla be this browser?
Concerning the bug and the propoals, I find the meta-key idea to switch between
*my browser's* contextmenu and the possible replacement by the website quite
nice, however since I'm not a programmer myself I'm not the one to give advice
here. Personally I would be fine with just a pref to generally disable
oncontextmenu handler.
Sorry for voicing my opinion but after getting spammed (j\k) by your discussion
[yeah, my faul, I subscribed to this bug ;) ] and after reading #53 I felt the
urge to disburden myself.
Comment 59•22 years ago
|
||
First up, Bora123, before I even get into specific counter-arguments and contradictions, your bombast ("I dont know! why dont you ask them? ") and exaggeration ("It will be marginalized overnite.") are not helping. Even if you consider the proposal(s) and argument(s) on which you are commenting to be ridiculous, their authors do not. Please consider this when wording your comments. Alternately, perhaps it would help if, as per your own suggestions on two seperate occasions, you were to stop commenting on this bug entirely. -- The entire "webpage authors have a _right_ to control how their publically available page/application works on a users device" argument is bogus. If authors did have such a right, then users would not have a right to view a page that looked anything different to what the author intended; this would make certain browser bugs a violation of authors' rights. This would also mean that visually impired people and people using mobile or non-graphic devices would not have the right to use the page. Much of Bora123's language is from the standpoint that authors do have such a right, but as soon as legalities were introduced, he didn't understand why. To be advancing, now, the weaker argument that authors should simply have this ability is hypocritical as it means arguing against this, but allowing to pass all of the other items in Advanced/Scripts & Windows, plus cookie control, image blocking and disabling of Java[script]/XSLT. (I accept the possibility that some would see cookie control as special case.) These are all features that many users desire and use _specifically_ because it allows them to frustrate misbehaviour on the part of webpage authors. A paricularly interesting wrinkle is that page authors can use the context-menu blocking to (presumably inadvertently) prevent users from blocking banner ads. Part of this problem may stem from a misunderstanding on Bora123's part that the context menu is part of the "content", despite close to two decades of UI practice. Speaking entirely for myself: for a long time my preferred means of going back a page was to depress the right button, make a tiny clockwise motion with my right wrist, then release. This generally happened so fast that the context menu never even appeared, and was certainly faster than dragging the mouse up to the menu bar. I am still a heavy user of the context menu, even if less so than before. It's also true that I like the GIMP with its deep and near-complete context menu. Others may differ, but I suspect that a great many people depend upon being able to have the context menu function correctly (correct in the sense of the principle of least surprise). Bora123 made another odd argument (read: non sequiter) about access to port 80. Switching to port 443 is somewhat irrelevant against content "theft". Very few people would ever attempt to "steal" an image with a telnet client; if not their normal browser, I imagine they'd ordinarily use wget, lynx or links - all of which are SSL-enabled. It would appear that the demark is pretty obvious: the author should control what goes out of port 80/443/etc., the user should control how the content is made to appear on his/her device. Various posters have made suggestions which appeal: - If it is reasonable for the user to decide whether or not a webpage author can override right-mouseclicks, it is probably reasonable to extend the same choice over the other buttons, either at a per-button granularity or all-in-one. - The Advanced/Scripts & Windows preferences sheet is an excellent (dare I say "obvious"?) place to put such an option, if is to be placed in the UI at all. Whilst I am sympathetic to Lasse's suggestion that the option should default to preventing webpage authors from having any control at all, I think that it makes sense for Mozilla to continue its approach of turning all author-accessible features on by default and allowing users to selectively disable them. - The Shift as "I really mean it" modifier has a precendent of sorts in Shift Reload causing the cache-prevention headers to be included in the request. As a user when I find the need to use this, my way of thinking is "Yes, _really_ reload". In the same sense, "Yes, _really_ give me the context menu" has a certain appeal, if there aren't other dire consequences. This would also allow web-app developers to build what they want, but still leave users able to make use of the browser's interface; the browser being an application too, and one that ought to be representing the user's wishes where possible. This also plays well with the original intent of #72084 being about inadvertence.
Comment 60•22 years ago
|
||
I thank you for your crisitism over my arguments Mr.Turner. I understand the difficulties you have had with right click disabled pages and your concerns on visually impaired. However, there are other versions of browsers out there which will satisfy specific needs, and you have just skipped that argument throughly. I understand your fixation on Mozilla, it is the human nature perhaps. But we have to think the future of this browser not the specific individual's wish lists. I do not know how well of a DOM programmer are you, but I am telling you next year or so there will be unignorable applications written in Browsers and they will demand right click to be available for somethingelse other than the obvious. regards,
Comment 61•22 years ago
|
||
@bora123 Could you please name just one single case where there is any use (for the user) in not letting her chose to have a context menu. If not, *please* stop trolling.
Comment 62•22 years ago
|
||
Re comment 60: OK... if there are some (hypothetical) applications that won't work correctly if the user overrides the site's attempted alteration/disabling of the right-click menu, then any user wishing to use such sites will need to turn off this feature. The instructions and help screens for that site/application may need to make this clear. If a user keeps the feature in a setting that interferes with the functionality of the application, then it will be the user's fault if the application doesn't work. This doesn't mean that Mozilla shouldn't have the capability of letting the user configure this feature, just as it already has configuration settings for such things as blocking images, popups, and cookies, which potentially may make certain sites (especially those that consider themselves "applications") to fail to work. The user has a tradeoff to consider between possibly interfering with the functionality of sites versus putting up with annoyances that could be disabled. In the end, it's the user's choice to make. As for the presence or absence of this feature affecting the future of Mozilla, I think Mozilla's future is much brighter if it has a wider range of features allowing the user to have more control of the browsing experience, instead of being forced into passively accepting whatever trendy idiocies get pushed on it by Web authors. Microsoft has already cornered the market for software designed in the mindset of "Where do we want to force you to go today?" [tm]. Mozilla will get more people switching to it as they realize it lets them gain more control instead of surrendering it.
Comment 63•22 years ago
|
||
I too think there should be an option (like the popup blocking) to disallow web sites from interfering with the user interface. here is an example: http://www.music4games.net/f_garritan_orchestralstrings.html It both blocks right clicks and *selecting*. Now THAT is very annoying.
Comment 64•22 years ago
|
||
IMHO the only argument against disallowing fiddling with the mouse is comment #21, which sais: 'If the users can go back and forward, my stateful application will break.' Before designing such an application though, be aware of the fact that http is not stateful at all. You can use cookies to keep some state, but still it just isn't designed to do what you want. If you want to be stateful, all you can do is write it in javascript and put it all in one big page. It'll keep its state, for as long as your page is on screen. Or if you want to be fancy, use XUL. Just don't expect to use simple html and http to do what you want. It won't. Look at some of the better (IMO) web applications, like bugzilla itself. Press back and forward all you like, it'll still work! The worst thing that that can happen is that something will be submitted twice. The coders could even prevent that by using formkeys (one time keys in hidden input fields). Other working applications: - sneakemail.com - slash more?
Comment 66•22 years ago
|
||
->default owner
Assignee: joki → saari
Target Milestone: mozilla1.1alpha → mozilla1.4beta
Comment 67•22 years ago
|
||
I have read all the comments but I'm not wiser as to how this has been/will be solved. Of course web developers must have access to modify or block or replace the context menu with a menu of their own. It IS a CONTEXT menu. But if you want to tuck in a "disallow scripts to disable the context menu", that's fine with me as long as it's not a DEFAULT option.
Comment 68•22 years ago
|
||
> Of course web developers must have access
That's what web developers all say. And all the users say, "No, this is _my_
context menu with options that _I_ want in it." Therein lies the core conflict.
Comment 69•22 years ago
|
||
I don't really see the core conflict. The user selects his browser not the website developer. Therefore the application should be written for the user not the website developer. The only reason I switched to Mozilla is the Preferences/Advanced/Scripts & Plugins options page. Those options elude to a design philosophy that I wanted in my browser. Which ever browser exists that most closely adheres to that philosophy will be the brower I use.
Comment 70•22 years ago
|
||
> The user selects his browser not the website developer.
And the developer chooses which browser he supports. If he sees that something
is not possible with some browser he will say that you must use another one in
order to access that site.
You'll say: "Then I won't go to that site".
Fine, you can do the same right now.
I think that everyone here wants Mozilla to be a better browser, so let's stop
saying "I'm right and you're wrong"
Comment 71•22 years ago
|
||
> Of course web developers must have access to modify or block or replace
> the context menu with a menu of their own.
Of course.
And of course email authors must have access to modify or block or replace the
context menu of the receiver's email client.
And let's allow PNG images to modify or block or replace the context menus of
our image viewers.
And I'm sure we all agree that TV stations desperately need the ability to
reprogram the buttons on your remote control.
Why do so many "web developers" think they have a constitutional right to
control every aspect of how *my* computer behaves? You're writing HTML, not an
operating system! There is a difference, despite Microsoft's efforts to make you
believe otherwise.
(For the record, I'm a professional web developer.)
Comment 72•22 years ago
|
||
Jonas, I can see how your reasoning but I don't think we can compare mediums which are static and passive to a medium which is built for interaction. I build applications which run in browsers and all I want is to be able to provide the same features and functions to Mozilla and Explorer users (which in this particular case is a customized contextual menu). Of course I can remove those functions for Mozilla users, but it just doesn't feel right. BTW, Doesn't digital-tv let the content providers change the functionality of some of the buttons on the users remote/box ;)
Comment 73•22 years ago
|
||
> And the developer chooses which browser he supports
the e-commerce site developer chooses which browser he supports based on:
a. the controls the browser gives him over the user
or
b. the percent of market share the users of that browser represents?
Is there a w3c standard somewhere thats says the browser must give control of
the context menu to a website developer?
If a browser wants to put in the option of enabling users to hand over control
of the context menu for some specific IPs, so that companies can do stuff on
internal applications, fine.
But to allow any random site to take control of the context menu by default is
not consistent with the philosophy that lead to the options provided to Mozilla
users in Preferences/Advanced/Scripts tab.
Comment 74•22 years ago
|
||
I like the Preferences/Advanced/Scripts options and i think that it should be possible to block sites from intercepting the right and middle clicks. (But it should be off by default)
Comment 80•22 years ago
|
||
I have read most of the thread and it seems the whole thing revolves around DRM. Frankly, I do not agree with that arguement at all: If the content needs to be kept private, there are other options (encryption, login procedures etc). The reason why I would like the popup never disabled is to be able to use tabbed windows without having to use a keyboard shortcut + click. Did we not invent popups so that we could click instead of pecking the kb? Why go back now? And, I really fail to see the arguement that 'undisabled popup' should be made optional and be 'disableable' as default... Is this not a prime example of desiring security (!) by obscurity? And, what security are we talking about?
Comment 81•22 years ago
|
||
Taking bug. I'm going to add an option to disable the oncontextmenu handler, but the handler will be enabled by default. I'll add it to the Scripts & Plugins pref panel.
Assignee: saari → mstoltz
Comment 82•22 years ago
|
||
Well, Great that is it! I have been waiting to hear this. That is why I like open source projects alot. People discusses for months on something, then one person comes out and says ok whatever, I am doing this, dont like it? go take the front! Well done, well done indeed. While at it, why not make an events tab on preferences, and make all the events not cancelable. That will add more onto the future success of Mozilla.
Comment 83•22 years ago
|
||
re: bora123@yahoo.com I don't agree. Feature to block event cancel will likely lead to regressions. For example, an XUL/HTML application may need to cancel event that it trigger. Or an existing application may count on its ability to cancel event to work properly. We'll probably need to discuss if we need to keep track of where and how events are triggered, event scope, etc. At this moment, we should enable blocking of event cancel only if there is a need.
Comment 84•22 years ago
|
||
It's very simple. He who writes the code makes the decisions. This holds for all projects; open and closed source alike. The only difference is that with open source you're free to write the code yourself if you want to be calling the shots.
Comment 85•22 years ago
|
||
>It's very simple. Yes it is. noone infact denies that. >He who writes the code makes the decisions. This holds for >all projects; open and closed source alike. I believe this is really not what you really meant. If individualism is the essence of an open project, that project is doomed anyways. On the other hand, what is the purpose of allowing people posting comments to the bugzilla alltogether then? >The only difference is that with open source you're free to write the code >yourself if you want to be calling the shots. Okey, alrighty then.
Comment 86•22 years ago
|
||
> I believe this is really not what you really meant. If individualism is the
> essence of an open project, that project is doomed anyways.
I said exactly what I meant, modulo the fact that "he who writes the code" can
be a group of people.
Comments are read. Sometimes they are acted on. There is no obligation to do
the latter.
Comment 87•22 years ago
|
||
Mitchell, I am glad that you decided that way. And, you are correct (IMHO) in considering it a bug, rather than a feature. It was, after all a case reduced functionality. Thank you.
Comment 89•22 years ago
|
||
FYI: on http://doa2.host.sk it's impossible to rightclick
URL: http://doa2.host.sk
Assignee | ||
Comment 90•22 years ago
|
||
Mitch, did you want to do this the way I approached it in attachment 101389 [details] [diff] [review]? If so, feel free to assign this to me since I already have it done that way in my tree (UI included).
Comment 93•22 years ago
|
||
Comment on attachment 101389 [details] [diff] [review] Concept patch Chris's patch looks fine, just need to come up with a pref name. I propose dom.disable_contextmenu_listeners. Any objections? We should add a default pref in all.js too. It will default to not blocking context menu listeners. Can I get an sr?
Attachment #101389 -
Flags: superreview?(heikki)
Attachment #101389 -
Flags: review+
Comment 94•22 years ago
|
||
Comment on attachment 101389 [details] [diff] [review] Concept patch caillon's patch looks fine to me, let's do it. For the pref name, I propose dom.disable_contextmenu_listeners. Any objections? We need to add a default pref to all.js too; I'll take care of that. It will default to false (don't block the listeners). Can I get an sr?
Comment on attachment 101389 [details] [diff] [review] Concept patch >Index: content/events/src/nsEventListenerManager.cpp >=================================================================== I think IsCallerChrome() should be called earlier so that we wouldn't do all that extra work to bail out at the end. If IsCallerChrome() is fast, how about: + if ((aSubType & NS_EVENT_BITS_CONTEXTMENU) && + !nsContentUtils::IsCallerChrome()) { My suggestion for a boolean pref name would be: dom.event.contextmenu.enabled Rationale: * This could easily be extended later for other DOM events * DOM event names actually don't include the "on" part * We could extend this for other properties regarding the event
Attachment #101389 -
Flags: superreview?(heikki)
Attachment #101389 -
Flags: superreview+
Comment 96•22 years ago
|
||
Shouldn't we return an error code, rather than NS_OK? (which may allow Web monsters to check if oncontextmenu is blocked). just a reminder: dom.*.enabled is reverse of dom.disable.* :-) I guess it's now too late to ask dom.event.contextmenu.enabled to be true by default eh?
Keywords: access
Assignee | ||
Comment 97•22 years ago
|
||
Returning an error code would cause script execution to stop. So, no... ;-)
Assignee | ||
Comment 99•22 years ago
|
||
Comment on attachment 101389 [details] [diff] [review] Concept patch Erg, so this patch used to work but doesn't seem to anymore (at least for the oncontextmenu="return false" case)... Not sure why just yet.
Attachment #101389 -
Attachment is obsolete: true
Updated•22 years ago
|
Blocks: patch-soap-opera
Comment 102•21 years ago
|
||
From an enterprise point of view please make sure that oncontextmenu events are available via a preference or a security settings. Many Enterprises use this feature for their internal and B2B web applications to provide their own menus. The key here must be that what ever you decide to do, enable/disable by default - it must be possible to allow the application to override the event easily, without further installations. Why not model this after popups, by default it allows an app to override the oncontextmenus - when an application tries to do so, the user is informed "the current page has tried to hijack your context menu, would you like to disable this as default in your preferences" and then given the options "this page, this domain, all pages" Please dont underestimate the need for this. Mark mproctor@cisco.com
Comment 103•21 years ago
|
||
I just added a "restore context menu" bookmarklet to http://www.squarefree.com/bookmarklets/zap.html.
Comment 106•21 years ago
|
||
It has something to do with the frames... If you access the resulting page directly (http://ontherise.free.fr/explorer.html), it's ok. I'm pretty sure I've seen some other other bookmarklets deal with frames, so there should be some way to handle that.
Comment 107•21 years ago
|
||
Bookmarklets can only recurse into frames whose URL have the same domain as the frameset.
Comment 111•21 years ago
|
||
Is a preference really the best way to handle this? Some sites may have a valid use for occasionally overriding oncontextmenu. A pref would be all-or-nothing. And unless you're going to provide an status-bar indicator like Firebird has for popups, a user could go unaware they are missing functionality or content on a site. My suggestion would be to leave right-click as is. The action defaults to the context menu, but can be overridden by a web page. However, Ctrl+right-click would always show the context menu. Control could act as sort of a 'force the default' modifier. This could apply to the other mouse buttons as well, as I believe they too can be overridden.
Comment 112•21 years ago
|
||
> My suggestion would be to leave right-click as is. The action defaults
> to the context menu, but can be overridden by a web page. However,
> Ctrl+right-click would always show the context menu. Control could act
> as sort of a 'force the default' modifier. This could apply to the
> other mouse buttons as well, as I believe they too can be overridden.
There may be valid reasons (even though I don't see any reason why some "web
designer" should interfere with my UI), but typically all those application are
abusive. So the option should be to change as suggested and not make it more
complicated as you describe, maybe the other way round. But the latter might be
too complicated and if you need it you can swith off the option anyway.
pi
Comment 113•21 years ago
|
||
Several Mozilla prefs have the effect of occasionally removing functionality from sites without the user necessarily noticing it. The anti-popup prefs, and the hidden pref to disable the target="_blank" attribute opening new browser windows, are like this; I have those set myself, and sometimes get temporarily baffled at a site's behavior as a result. Turning off JavaScript, images, cookies, or other things that are disablable, can also produce silent loss of functionality in sites not designed to gracefully degrade. All of this doesn't mean that these preferences shouldn't be provided; it's ultimately the user's decision to decide between the annoyance of having sites do things and the annoyance of having sites fail to do things.
Comment 114•21 years ago
|
||
The attached screenshot shows http://markl.f2o.org/Right_Click_Menu.html - note that the site'e menu is shown where the right mouse button was clicked, while Mozilla's menu appears on the far left edge of the window. There are several advantages to this solution: 1. Both Mozilla and the website remain fully functional. 2. Easy for end users to understand. 3. There is no need to add prefs. 4. No keyboard shortcuts are wasted. Prog.
Comment 115•21 years ago
|
||
> http://markl.f2o.org/Right_Click_Menu.html
I see this right mouse button overloading like a real annoyance. Web sites
should not be allowed to do so, or at least an option in the browser should be
provided to forbid such an overloading. I don't care if I lose functionnalities,
the web site should not rely on such annoying techniques and re-think its design.
Why is it annoying ? Because you lose your usual context menu, with all the nice
options you get there and you are used to. Give me my browser user interface back.
Comment 116•21 years ago
|
||
I am not sure if I would agree with the alternative offered by prognathous@hotmail.com (right-click override/overload). I would not mind if it was a button which displayed the site-specific popup, but the moment it takes over my right-click action (forcing me to use shift-right-click) I am totally alienated. I must add, though, it does look an interesting feature. Yet, I really think some other UI solution needs to be found (say, automatically a different color etc) for the point that uses such right-click overriding. And, it should be part of the standard somehow. Adem
Comment 117•21 years ago
|
||
a sample site that changes (not disables) the right click menu is http://www.milonic.com , which is different from the example in Comment #63 (i didn't notice any disabling on that example, however). using milonic's menu, i can't copy a link location nor open the link in a new tab with my mouse (though ctrl+click does still work). however, the very nice thing about this particular site is that you are allowed to disable their custom menu. i doubt many sites care enough to give users that option.
Comment 122•21 years ago
|
||
Is this bug going anywhere? I notice it has a lot of votes, and I think that there is enough justification for inclusion of some kind of workaround or fix in Mozilla and Mozilla Firebird builds. There's no real reason why this shouldn't be an option in the Web Features > Advanced section of Firebird and/or the equivilent in Mozilla. Javascripts modifying the actions of mouse buttons is extremely annoying, and ultimately doesn't stop anyone "stealing" any content, as if protecting your content via that way was ever feasible anyway.
Comment 123•21 years ago
|
||
I like the idea of using "Ctrl+Right Click" to force the display of the context menu. I first voted for this bug because I had in mind a lot of web sites which overload the right click only to forbid the use of the context menu. However, the right click may be used for a real feature. For example, here is a drawing script which let you paint with a color on the left click, and another color with the right click : http://mess.genezys.net/Drawer/
Comment 127•21 years ago
|
||
I'd like to propose a summary change for this bug, to something like "Scripts & Plug-ins Preferences should have "Disable mouse right-click" option", or "Prevent websites from disabling the mouse right-click context menu". That'd prevent people (like myself <g>) from filling duplicates. I did search for a duplicate, but got nothing. Marcos.
Comment 128•21 years ago
|
||
> "Disable mouse right-click" option",
> or
> "Prevent websites from disabling the mouse right-click context menu"
I'd rather the wording be something like this:
"Allow websites to disable your right-click context menu"
Which means the default is to *not* let the websites disable
your context menu.
Updated•21 years ago
|
Summary: There is no way to always open the context menu upon right-click (oncontextmenu?) → Prevent websites from disabling the mouse right-click context menu - disallow sites access to Window.oncontextmenu and friends
Assignee | ||
Comment 130•21 years ago
|
||
This taps right into the contextmenu code itself and does a much more thorough job of tackling this problem. If someone sets the pref (I like heikki's suggestion for the name) then we functionally need to do the same thing as my earlier patch, however since we are in the middle of contextmenu code which is fired by chrome, the script context is always chrome, so I can't just check whether the script context is chrome as I did before. So we need to do things manually and check the document principal of the event target node against the system principal.
Attachment #132318 -
Attachment is obsolete: true
Assignee | ||
Comment 131•21 years ago
|
||
Ok, this should be cleaned up enough for reviewing and pushing into the tree.
Attachment #142892 -
Attachment is obsolete: true
Assignee | ||
Updated•21 years ago
|
Attachment #142937 -
Flags: superreview?(bryner)
Attachment #142937 -
Flags: review?(jst)
Comment 132•21 years ago
|
||
Comment on attachment 142937 [details] [diff] [review] Patch for reviews I do not see any change made to any .js file for the default value of the preference...
Assignee | ||
Comment 133•21 years ago
|
||
That's because I'm not changing any default value. You want it? You do the work to turn it on. That means manually. With about:config. With whatever pref name is checked in.
Assignee | ||
Comment 134•21 years ago
|
||
Note that this probably should get UI rather quickly. Asa said he could get someone to do that once this part landed.
Severity: major → normal
Status: NEW → ASSIGNED
Priority: -- → P3
Target Milestone: mozilla1.4beta → mozilla1.7beta
Comment 136•21 years ago
|
||
Comment on attachment 142937 [details] [diff] [review] Patch for reviews r=jst
Attachment #142937 -
Flags: review?(jst) → review+
Comment 137•21 years ago
|
||
(In reply to comment #133) > That's because I'm not changing any default value. You want it? You do the > work to turn it on. That means manually. With about:config. With whatever > pref name is checked in. How is a user supposed to know about the new pref's existence (until the UI is in place)? Shouldn't it be added to all.js, with the default value being "true" to preserve the current behaviour, and preferably with a comment explaining its purpose? (Also, there is a bug somewhere for documenting all the prefs.) Other than that nit, it's great! Thanks a lot for the work. This is very useful.
Comment 138•21 years ago
|
||
I don't like the idea having it a global pref. Why not making a configurable security policy out of it? This would give the user more ability to fine-tune the behaviour.
Comment 139•21 years ago
|
||
Comment on attachment 142937 [details] [diff] [review] Patch for reviews I think this patch does preserve the current behavior by default. GetBoolPref will fail with no default in all.js. However, for clarity, I'd like to see the default be added to all.js rather than being implicit in the code. sr=bryner with that change.
Attachment #142937 -
Flags: superreview?(bryner) → superreview+
Assignee | ||
Comment 140•21 years ago
|
||
Checked in 03/05/2004 18:58 PST. Someone probably wants to file a new bug for the UI (don't assign it to me, it will just sit around gaining dust).
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Comment 141•21 years ago
|
||
So what does this patch actually DO? I don't see a description anywhere. Best I can tell from the code itself, it's an all-or-nothing pref, as I greatly feared (see my only other remarks, comment 111). I'm occasionally annoyed by sites overriding my mouse buttons, but I would be even more annoyed about silently losing site functionality. I'm very sad to say that I won't be able to use this new pref at all, and sites co-opting my browser will remain a problem.
Reporter | ||
Comment 142•21 years ago
|
||
Jeremy Dolan, it seems to (haven't run it yet) completely disable all access of sites to context menus, which is exactly what I (the bug reporter) asked for. (Thanks caillon!, and sorry for my poor inaction on this bug.) You are free to file a new bug about making the backend site-specific. > file a new bug for the UI Bug 236643
Comment 143•21 years ago
|
||
(In reply to comment #142) > > file a new bug for the UI > > Bug 236643 Bug 236643 is a duplicate of Bug 117532, which is in the dependency list of this bug. In other words, Bug 117532 is about adding UI for this bug...
Comment 144•21 years ago
|
||
I understand the right way to add this pref in prefs.js or user.js is: user_pref("dom.event.contextmenu.enabled", true); Is it correct? BTW, such info should always be _easily_ available in pref bugs to help testing them.
Comment 145•21 years ago
|
||
I just fired up Stipe's unofficial 3/6 build (which does have this patch). Setting seems to work great on the test site: http://doa2.host.sk But the errors that appear in the JS Console Error: uncaught exception: Permission denied to set property HTMLDocument.oncontextmenu Appear even when this pref is set to true, or not set (in other words, the error is still thrown when the site is ALLOWED to set oncontextmenu). Shouldn't this error only be thrown when the site is -not- allowed to do this?
Assignee | ||
Comment 146•21 years ago
|
||
Josh, you probably added a capability pref to block HTMLDocument.oncontextmenu which you would need to remove -- this patch doesn't throw any exceptions anywhere nor does it even go near the setting of anything. This just hooks up into the event dispatch code and makes sure that in cases where the event would have been silently dropped without the pref set now will go through.
Comment 147•21 years ago
|
||
-> VERIFIED FIXED Thanks! Works like a charm.
Status: RESOLVED → VERIFIED
Comment 148•21 years ago
|
||
(In reply to comment #144) > I understand the right way to add this pref in prefs.js or user.js is: > > user_pref("dom.event.contextmenu.enabled", true); Wrong. You have to set it to false if you want to have always a context menu on right click! The default in GRE\...\all.js is true. Note: Attachment 142937 [details] [diff] (the patch) contains a typo in the pref name (dom.event.contextmenu.enable instead of ~.enabled). That has confused me. But the correct patch was checked in. :-)
Comment 149•21 years ago
|
||
Here's the layman's explanation: 1. In the address bar, type about:config and press Enter 2. Search for a Preference named dom.event.contextmenu.enabled 3. Double click its entry and change it to "false" (without the quotes) Mozilla will now show the context menu even in pages that try to hide or replace it. Prog.
Whiteboard: [p-ie/mac] → See comment 149 for instructions on how to use this option | [p-ie/mac]
Comment 151•21 years ago
|
||
even better, a testcase (dynamicdrive -alert())... and some more urls :P http://www.dynamicdrive.com/dynamicindex9/noright.htm http://www.mailmontage.com/index_test.html this works great, many thanks to all!
Comment 152•21 years ago
|
||
One part appears not to be complete yet: when the context menu is opened after the script handled the event, is is opened wherever the mouse is after, say, you close an alert box, not necessarily where you first clicked, and will have object-specific entries (view image etc) based on that second position. So the image context menu blocker on dynamic drive sort of defeats it (unless you have a spacebar key)
Comment 154•21 years ago
|
||
It needs a way to differentiate between code running on web pages and in extensions. In 1.7 rc1, the Tab Scroller extension does not work completely with context menu-blocking-blocking enabled; the regular context menu opens after the tab switches.
Updated•6 years ago
|
Component: Event Handling → User events and focus handling
You need to log in
before you can comment on or make changes to this bug.
Description
•