Slashdot Mirror


Google Plans To Alter JavaScript Popups After Abuse From Tech Support Scammers (bleepingcomputer.com)

An anonymous reader writes: Chromium engineers are discussing plans to change how JavaScript popups work inside Chrome and other similar browsers. In a proposal published on the Google Developers portal, the Chromium team acknowledged that JavaScript popups are consistently used to harm users.

To combat this threat, Google engineers say they plan to make JavaScript modals, like the alert(), confirm(), and dialog() methods, only work on a per-tab basis, and not per-window. This change means that popups won't block users from switching and closing the tab, putting an end to any overly aggressive tactics on the part of the website's owner(s).

There is no timeline on Google's decision to move JavaScript popups to a per-tab model, but Chromium engineers have been debating this issue since July 2016 as part of Project OldSpice. A similar change was made to Safari 9.1, released this week. Apple's decision came after crooks used a bug in Safari to block users on malicious pages using popups. Crooks then tried to extort payment, posing as ransomware.


  1. Oh well by Anonymous Coward · · Score: 5, Informative

    Took you fucking long enough!

    1. Re:Oh well by GLMDesigns · · Score: 2

      Amen.

      --
      If you're scared of your govt then you need to further restrict its powers
      Vote 3rd Party in 2016 and beyond
    2. Re: Oh well by DickBreath · · Score: 1

      I would support removing popups altogether as you say. I would not support removing Javascript. Applications need Javascript. More and more applications are moving from platform-specific (eg, Windows) applications into the browser.

      Maybe there should be some highly visible difference between sites that use Javascript and those that do not? Like the tab changing color -- just to throw up a silly idea.

      If Javascript could only affect that one tab that it runs in, then what harm could Javascript do?

      Javascript is valuable because you run Linux within a PC emulator written in JavaScript.

      Thus, you can have MAME
      running on Linux
      running on an emulator written in Javascript
      running on IE
      running on Wine
      running on Windows Subsystem for Linux
      running on Windows 10
      running on VirtualBox
      running on Linux
      running on the bare metal.

      Now why would you want to kill Javascript?

      (And yes, Wine now runs on Windows Subsystem for Linux.)

      --

      I'll see your senator, and I'll raise you two judges.
    3. Re: Oh well by sims+2 · · Score: 1

      They did that already it's just not a very popular option
      chrome://settings/content tick "Do not allow any site to run JavaScript" click done.

      --
      Minimum threshold fixed. Thanks!
    4. Re: Oh well by sims+2 · · Score: 1

      I would like to have scroll bars that are consistent some websites hide the scroll bar or make it so small it's hard to hit reliably with a mouse.

      Sure it might make the site look a bit better but everyone doesn't have a touchscreen and it sure makes the site a pita to use without working scrollbars.

      --
      Minimum threshold fixed. Thanks!
    5. Re: Oh well by slazzy · · Score: 1

      It did make sense to have some method to confirm closing of a window while the user was in the middle filling in a form for example, however it's abused for more than it's used correctly. That and it's pretty easy these days to save state without an old submit button, so it's really no longer needed. On a per-tab basis sounds like a good inbetween.

      --
      Website Just Down For Me? Find out
    6. Re: Oh well by Gr8Apes · · Score: 2

      You're missing the entire solution there, although you've hit upon a whole bunch of the problems. The real answer is to put the user in control, by default, of the way the page renders. If some JS wants to override the right click, it can only do so within a context wrapped by a control context. That control context will allow the user to, say, force normal right click behavior, or standard scroll bars, or standard left click behavior, for that matter, via simple controls that could be enforced by default on the browser. It probably should be by default.

      --
      The cesspool just got a check and balance.
    7. Re: Oh well by Anonymous Coward · · Score: 1

      Damn you've been using crippled net so long you didn't notice YouTube can do decent video. That happened years ago BTW.

      I leave everything on, Java, JS, Flash.
      I don't care. If I get infected all I have to do is clone my old unplugged drive again.

    8. Re: Oh well by rickb928 · · Score: 1

      How many of these obscure the scroll bar just to trick you into clicking the page and getting their lovely ads, subscription, and notification come-ons?

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    9. Re: Oh well by rickb928 · · Score: 1

      "The real answer is to put the user in control, by default, of the way the page renders."

      And thereby destroying the core use case for CSS. What?

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    10. Re: Oh well by sims+2 · · Score: 1

      IDK I think twitch just does it for looks with no option to override.

      --
      Minimum threshold fixed. Thanks!
    11. Re: Oh well by omnichad · · Score: 1

      Badly coded legacy sites.

      These are not popups as you traditionally know them - these are like the Javascript alert() and prompt()

    12. Re: Oh well by LocalH · · Score: 1

      HTML, with or without CSS, was never supposed to be pixel-exact. Half of the problems with browsers relates to ignorance and even downright hostility to that notion.

      It's fine if there is a "pixel-exact to designer intention" mode, but given the absolute GLUT of shit design, there must also be a "fuck the designer, display things THIS way" switch.

      --
      FC Closer
    13. Re: Oh well by hackwrench · · Score: 2

      Java's ability to run anywhere was not its fatal flaw.

    14. Re: Oh well by DickBreath · · Score: 1

      > I'm confused. Are you being cynical, or are you a web-designer?

      Both.

      But not 'web designer'. An application developer.

      --

      I'll see your senator, and I'll raise you two judges.
    15. Re: Oh well by DickBreath · · Score: 1

      If you don't like sites that do all kinds of crazy insane things using Javascript, then don't visit them.

      The fact that they do this says something about the intentions of the site's owners.

      If the site's owners have bad intentions, a technical fix is not going to help for very long. They will find other ways to screw you over. You can't change their bad intentions with a technical fix to your web browser.

      --

      I'll see your senator, and I'll raise you two judges.
    16. Re: Oh well by Gr8Apes · · Score: 1

      > "The real answer is to put the user in control, by default, of the way the page renders."
      >
      > And thereby destroying the core use case for CSS. What?

      Apparently you're totally ignorant of the actual purposes of HTML, and CSS for that matter. It's only guidance to how things are to be displayed, it's not nor ever was meant for the developer/designer to actually "control" what comes out on the other end. The sooner you realize that, the happier and more productive you'll be, and the fewer bugs you'll have in your code.

      --
      The cesspool just got a check and balance.
  2. It's taken... how many decades? by squiggleslash · · Score: 4, Informative

    Seriously, this has been a problem since Netscape first implemented alert(). Why has it taken this long for someone to fix it?

    --
    You are not alone. This is not normal. None of this is normal.
    1. Re:It's taken... how many decades? by Anonymous Coward · · Score: 5, Informative

      But Firefox fixed this years ago. All of the alerts are bound to the tab and not the window.

    2. Re:It's taken... how many decades? by Anonymous Coward · · Score: 3, Informative

      Firefox fixed this in early 2011. It's Chrome that's lagging behind in this case.

    3. Re:It's taken... how many decades? by DickBreath · · Score: 1

      Just get rid of alert() and make America great again. Or make the Internet great again.

      --

      I'll see your senator, and I'll raise you two judges.
    4. Re:It's taken... how many decades? by slazzy · · Score: 1

      I'd say rather than getting rid of alert, change the way the browser displays the alert to a user. Maybe instead a small bar at the bottom of the page that doesn't interfere with anything would be a better standard way of displaying a message without blocking user interaction.

      --
      Website Just Down For Me? Find out
    5. Re:It's taken... how many decades? by AmiMoJo · · Score: 1

      A better fix would just be to disable the damn thing. I can't think of a single time I've found a javascript pop-up useful.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re:It's taken... how many decades? by Gr8Apes · · Score: 1

      > A better fix would just be to disable the damn thing. I can't think of a single time I've found a javascript pop-up useful.

      Oh, all the time, especially when I'm in development.

      --
      The cesspool just got a check and balance.
    7. Re:It's taken... how many decades? by Anonymous Coward · · Score: 1

      Use console.log

    8. Re:It's taken... how many decades? by crashumbc · · Score: 1

      TIL'd and from a AC !

      wow the internet is truly doomed...

    9. Re:It's taken... how many decades? by omnichad · · Score: 1

      That's easy for them when their entire UI is XUL and basically just HTML/JS already.

    10. Re: It's taken... how many decades? by corychristison · · Score: 1

      They are useful for confirming actions, especially delete functions of things. It's not often I use them on a public facing site, though. When it comes to the Administration of the site, I use them frequently.

      With that said, I've moved most of my projects to an inline modal (constructed inside of the page using HTML/CSS/JS). Way more flexibility, and less user annoyance.

    11. Re:It's taken... how many decades? by Carnildo · · Score: 1

      Opera's had a "Disable scripts on this page" button in the alert boxes for as long as I can remember.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    12. Re:It's taken... how many decades? by dave420 · · Score: 1

      Dev tools can do all that. You can break when elements change, etc., or have JS breakpoints wherever you want. You can even get a frame-by-frame trace of the app's behaviour should you want.

    13. Re:It's taken... how many decades? by Gr8Apes · · Score: 1

      And the dev tools are? Oh yeah, those wonderful browser things appear to be the "best". Compared to other languages and tooling, JS at best has a poor haberdashery of developer tools when it comes to tracing down bugs in logic that may have started 20 closures ago.

      --
      The cesspool just got a check and balance.
  3. Maybe it's different on Linux by oobayly · · Score: 1

    I've found that i can right click on a tab to close it when it's been hijacked by models.

    1. Re:Maybe it's different on Linux by Stavr0 · · Score: 1

      > I've found that i can right click on a tab to close it when it's been hijacked by models.

      Is that the one where one goes down on you while the other steals your wallet? Because I already heard that one.

    2. Re:Maybe it's different on Linux by Tharkkun · · Score: 1

      > I've found that i can right click on a tab to close it when it's been hijacked by models.
      >
      > Is that the one where one goes down on you while the other steals your wallet? Because I already heard that one.

      That happened this morning. It felt good until it was really bad.

    3. Re:Maybe it's different on Linux by Scoth · · Score: 1

      They got me three times last week, and twice so far this week. Has to stop.

  4. What the hell by Anonymous Coward · · Score: 1

    Why the fuck were pop-ups seizing control of the entire fucking browser in the first place?

    1. Re:What the hell by DaHat · · Score: 1

      Isn't that the point of modal dialogs/windows?

    2. Re:What the hell by Anonymous Coward · · Score: 1

      Yes. The question stands: why the fuck was this behavior ever supported in the first place?

    3. Re:What the hell by Scoth · · Score: 1

      Likely because it dates back to the pre-tab era when you just had one window in the first place. Once tabs became a thing, the paradigm was never updated. Hopefully they get this in there quick.

    4. Re:What the hell by omnichad · · Score: 1

      Even then, one repeating alert() box kept you from closing the browser window.

    5. Re:What the hell by cfalcon · · Score: 1

      > why the fuck was this behavior ever supported in the first place?

      You know exactly why this behavior was desired, and it was never in the interest of the user.

  5. How about more info on the dialog? by swb · · Score: 4, Insightful

    Like the originating URL, submission URL or some general flag that says the pop up is generated by a site, and not the browser.

    1. Re:How about more info on the dialog? by wonkey_monkey · · Score: 1

      I think these modal dialog boxes are always generated by sites, not the browser. You shouldn't need more info, because they should only be shown while you're on the relevant tab (Firefox does this now; it used to force-switch to the tab whenever a modal was generated).

      --
      systemd is Roko's Basilisk.
  6. Safari also fixed this... by SuperKendall · · Score: 2

    Not sure when but in Safari Javascript popups come up in the tab, that you can switch away from.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  7. Re:Technical solutions to behavioral problems by DaHat · · Score: 1

    Why not then employ stronger tactics against them... like a broadside?

    Just this week I had such a redirect & popup (thanks to a compromised WordPress site I was visiting), noted the # and set it along with a screenshot. A couple of hours later the phone # was no longer picking up as clearly they realized they weren't going to get any more legit calls in through it.

  8. Just in time for HTML5 Web Apps by mykepredko · · Score: 1

    Making the alert, confirm and dialog modals tab based seems like a reasonable restriction while still allowing HTML5 apps which will probably use these modals for not nefarious purposes. Anything more may be an inconvenience for HTML5 web app authors - but not a roadblock to scammers.

    I'm looking at it from the perspective of having done a Google extension which required these modals; while being available in the browser using Javascript, they're not available to extensions. As extensions go away and move to web apps, it will be nice to have this functionality as APIs, rather than the Javascript code we had to put together to provide the same functionality in the extension.

    And therein lies the rub. If somebody wants to do something, especially if they are trying to steal from others, they will find a way - this is a speed bump at best. I'm sure that even as I write this, someone is coming up with a Javascript (now WebAssembly?) approach to locking up a browser and maybe the entire system until the user gives up their credit card number.

  9. Re:Why the hypocrisy? by Paradise+Pete · · Score: 1

    > It's hypocritical to complain about Javascript and advertising while making extensive use of it on this site.

    The posted article is not "slashdot complaining about javascript." If it were then your statement would make more sense.

  10. It's a big problem by jshipp · · Score: 2

    It's the most common type of call I get now. I support over 1,000 users at various companies around my city and most are using application whitelisting and don't know their own admin passwords, so it's pretty much impossible for them to execute a real virus, but these javascript tricks are scaring them left and right. I get a call almost every day over it. They are so upset they can't settle down long enough for me to tell them "restart windows". When they finally listen to me and restart windows, they won't let me off the phone until after windows has restarted and they see facebook still works.

    1. Re:It's a big problem by nitehawk214 · · Score: 2

      It sounds more like a problem with your users being drooling idiots.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
    2. Re:It's a big problem by AmericaRunsOnDunkin · · Score: 3, Funny

      > It sounds more like a problem with your users being drooling idiots.

      It's like they say: you can pick your friends, but you can't pick your users. Can't live with them, can't kill them.

    3. Re:It's a big problem by MightyMartian · · Score: 1

      For chrissakes, most users are drooling idiots. Pretty much every application, but in particular every application that connects to the Internet, has to take into account that the odds are fairly good that the person sitting in front of the keyboard is a drooling idiot.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    4. Re:It's a big problem by Kjella · · Score: 1

      > It sounds more like a problem with your users being drooling idiots.

      Well I've run into some of these that manage to

      a) create a pop-up window that covers almost the whole screen without the usual navigation
      b) throw the modal dialog in an infinite loop, you must check that little "stop creating dialogs" box to escape
      c) use a reload/redirect trigger/timer so you get sent to a new page with a new dialog if you break the b) loop

      It's fucking annoying and I could very well understand a clueless user thinking he's been hacked. I've not managed to find any way out of the most annoying ones except to start killing chrome processes in the task manager until I find the right one. Or close the whole browser, but I don't have it set to continue with tabs from last time so that's real annoying.

      --
      Live today, because you never know what tomorrow brings
  11. It's about damn time... by drew_92123 · · Score: 1

    As far as I'm concerned browser devs are a bunch of cunts for allowing this shit in the first place and they all should be kicked square in the ass with razor studded boots for not fixing it sooner.

  12. I hadn't noticed by Solandri · · Score: 1

    Since I just disabled all pop-ups entirely. Occasionally I have to turn it on for a banking site and the very rare shopping site. But defaulting it to disabled and enabling it only when needed seems a much more sensible approach than defaulting it to enabled and disabling it on a case-by-case basis.

    1. Re:I hadn't noticed by wonkey_monkey · · Score: 1

      It sounds like you're talking about pop-up windows, not pop-up dialogs, like alert() and confirm().

      --
      systemd is Roko's Basilisk.
  13. Re:Why the hypocrisy? by omnichad · · Score: 1

    On really short pages (3 or 4 comments), you can't even scroll to the bottom of the page - the ad js forces you back up. You can't read the last comment on the page without disabling JS.

  14. Like Firefox? by thisisauniqueid · · Score: 1

    Oh, you mean like Firefox has been doing for YEARS? You mean as detailed in bug number FOUR HUNDRED AND FIFTY SIX out of 707,000 bugs filed so far in the Chromium bug tracker?

  15. vagrant up by tepples · · Score: 1

    > More and more applications are moving from platform-specific (eg, Windows) applications into the browser.

    If an application runs in a Vagrant box, it can run on any platform that runs Vagrant. This includes Windows, macOS, and GNU/Linux. So if the sticking point is being platform-specific, why can't an app be distributed as a Vagrant box, and then the user uses an X11 server or RDP or VNC client to interact with it?

    1. Re:vagrant up by dave420 · · Score: 1

      Because the two are not even remotely comparable. Are you seriously asking why we don't download hundreds of megabytes or a gigabyte or two VM image as opposed to 500KB of JS in a browser?

  16. Re:Why the hypocrisy? by tepples · · Score: 1

    > Users would be happy to subscribe, but instead of offering that option, we're stuck with potentially malicious ads and trackers.

    Slashdot used to offer subscriptions years ago. Nowadays it seems only SoylentNews offers that.

  17. Finally! by rkagerer · · Score: 1

    It's about time they made alert() dialogs tab-modal instead of window-modal. This is not so much news, as poor UX that should have been corrected long ago.

  18. In ten years... by Parker+Lewis · · Score: 1

    ... Google will realize scammers are abusing float boxes.

  19. About time! by sgunhouse · · Score: 1

    Opera Presto (that is, versions 12.x and earlier) had this years ago.

  20. Annoying JavaScript behaviors by thejynxed · · Score: 1

    Popups, boxes that follow you around the page as you scroll, sound that over-rides or ignores any browser mute functionality, allowing the close, ok, and cancel buttons to be remapped to anything else than the stated functionality (usually these get remapped to load malware or redirect to another site that loads more unwanted scripts/tabs), forced reload timers, right-click disabling, cascading tab loads, tab locks, automated non-default application launch, automated and silent extension/plugin installation.

    The list could go on, but these are the prevalent ones that I've come across. I have no idea if any of these behaviors have a legitimate use at all, but I've yet to come across a legitimate use of any of them.

    --
    @Mindless Drivel: 100% of Twitter posts ever Tweeted.