Google Plans To Alter JavaScript Popups After Abuse From Tech Support Scammers

An anonymous reader writes: Chromium engineers are discussing plans to change how JavaScript popups work inside Chrome and other similar browsers. In a proposal published on the Google Developers portal, the Chromium team acknowledged that JavaScript popups are consistently used to harm users.

To combat this threat, Google engineers say they plan to make JavaScript modals, like the alert(), confirm(), and dialog() methods, only work on a per-tab basis, and not per-window. This change means that popups won't block users from switching and closing the tab, putting an end to any overly-aggresive tactics on the part of the website's owner(s).

There is no timeline on Google's decision to move JavaScript popups to a per-tab model, but Chromium engineers have been debating this issue since July 2016 as part of Project OldSpice. A similar change was made to Safari 9.1, released this week. Apple's decision came after crooks used a bug in Safari to block users on malicious pages using popups. Crooks then tried to extort payment, posing as ransomware.

Oh well

Took you fucking long enough!

Re:Oh well

[GLMDesigns]

Amen.

Re: Oh well

[Gr8Apes]

You're missing the entire solution there, although you've hit upon a whole bunch of the problems. The real answer is to put the user in control, by default, of the way the page renders. If some JS wants to override the right click, it can only do so within a context wrapped by a control context. That control context will allow the user to, say, force normal right click behavior, or standard scroll bars, or standard left click behavior, for that matter, via simple controls that could be enforced by default on the browser. It probably should be by default.

Re: Oh well

[hackwrench]

Java's ability to run anywhere was not it's fatal flaw.

It's taken... how many decades?

[squiggleslash]

Seriously, this has been a problem since Netscape first implemented alert(). Why has it taken this long for someone to fix it?

Re:It's taken... how many decades?

But Firefox fixed this years ago. All of the alerts are bound to the tab and not the window.

Re:It's taken... how many decades?

Firefox fixed this in early 2011. It's Chrome that's lagging behind in this case.

How about more info on the dialog?

[swb]

Like the originating URL, submission URL or some general flag that says the pop up is generated by a site, and not the browser.

Safari also fixed this...

[SuperKendall]

Not sure when but in Safari Javascript popups come un in the tab, that you can switch away from.

It's a big problem

[jshipp]

It's the most common type of call I get now. I support over 1,000 users at various companies around my city and most are using application whitelisting and don't know their own admin passwords, so it's pretty much impossible for them to execute a real virus, the these javascript tricks are scaring them left and right. I get a call almost every day over it. They are so upset they can't settle down long enough for me to tell them "restart windows". When they finally listen to me and restart windows, they wont let me off the phone until after windows has restarted and they see facebook still works.

Re:It's a big problem

[nitehawk214]

It sounds more like a problem with your users being drooling idiots.

Re:It's a big problem

[AmericaRunsOnDunkin]

It sounds more like a problem with your users being drooling idiots.

It's like they say: you can pick your friends, but you can't pick your users. Can't live with them, can't kill them.