New issue
Advanced search Search tips

Issue 736556 link

Starred by 4 users
Status: Fixed
Owner:
a...@chromium.org
Closed: Jun 2018
Cc:
emilyschechter@chromium.org
est...@chromium.org
creis@chromium.org
alex...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 3
Type: Bug



Sign in to add a comment

JavaScript dialogs' activation behavior enables abuse

Project Member Reported by owe...@chromium.org, Jun 24 2017 
A popup to callfortechsupport.xyz appeared today and the site found a way to ensure it is continually refocused whenever I tried to swap windows or do anything else. 

Probably worth investigating what they're doing and how to prevent it in the future!

ccing Emily and Adrienne for triage

Comment 1 by emilyschechter@chromium.org, Jun 26 2017

Cc: creis@chromium.org
Errr, maybe +creis has some idea if we know about this bug already?

Comment 2 by creis@chromium.org, Jun 26 2017

Cc: alex...@chromium.org
Owner: a...@chromium.org
avi@ has been looking at similar issues for dialogs.  Maybe he can take a look?  (Also CC'ing alexmos@ for focus knowledge.)

owencm@: Do you have a URL for repro'ing the popup creation?

Comment 3 by a...@chromium.org, Jun 26 2017 

This site first pops up an httpauth dialog (not sure why) and then repeatedly shows a window.alert() dialog. That dialog, when displayed, automatically activates the tab showing it, so even if you switch away to a different tab, you return to this one.

You can close the tab of the abusive website, so that is the recommended way out.

I want to remove the ability for a website to activate itself using window.alert() and window.confirm() dialogs. I haven't started because I anticipate this will be a difficult Intent to push through, but I'm running out of projects I'm currently working on so this one might be next.
Screen Shot 2017-06-26 at 1.19.36 PM.png
190 KB View Download
Screen Shot 2017-06-26 at 1.19.43 PM.png
206 KB View Download

Comment 4 by a...@chromium.org, Jun 26 2017

Summary: JavaScript dialogs' activation behavior enables abuse (was: Site found a way to continually refocus itself)

Comment 5 by a...@chromium.org, Jun 26 2017 

I'm attaching a screencap movie showing the abuse. I don't have audio, but when this page is open it reads in a synthesized voice how my computer is infected and this was detected by Microsoft, etc.

But this just got extremely nasty. It forced itself into fullscreen, and I don't think I'm running the version of Chrome that kicks things out of fullscreen with the alert, so I was stuck in fullscreen because the escape key didn't work with the alerts. Finally I somehow ended up with a window that wasn't in system fullscreen but a full-screen sized window. The app-modal dialog that I used didn't allow me to click out and the dialog was covering the tabstrip. I think it somehow breaks fullscreen on the Mac and jams things up. I was forced to kill and restart Chrome.

The new protections for dropping fullscreen should help here, and we really need to kill dialog activation, but it's not clear exactly what happened.
736556.mov
2.5 MB Download

Comment 6 by a...@chromium.org, Jun 27 2017

Labels: alert-activation

Comment 7 by shrike@chromium.org, Jul 6 2017

Status: Assigned (was: Untriaged)
[MacTriage]

Comment 8 by f...@chromium.org, Jul 12 2017

Cc: -f...@chromium.org est...@chromium.org
-me, +estark

Comment 9 by a...@chromium.org, Jun 8 2018

Status: Fixed (was: Assigned)
Dialogs no longer activate. Follow up if this is still a concern.

Sign in to add a comment