Why browsers still allow pop-up dialogs, which are favored by scammers, is a mystery that baffles techies.
As one user on HackerNews recently complained: "There are still malware and advertising sites out there that allow browsers to use modal dialogs, ie, you can't interact with the page without answering the dialog. You can't even close the tab without getting rid of the dialog," the user wrote.
"There are also sites that will kill your page history by going through a bunch of redirects to prevent you from leaving with the back button. Why are these kinds of things allowed and supported by web browsers? Why do they even need the ability to have a pop-up dialog with modern websites being what they are?"
The technique was used in early police-themed ransomware that locked the browser to a page and required payment to unlock it. It's also been abused on Android to raise false alarms about malware infections.
These include the Notifications API to notify users of events, and the HTML <dialog> element for obtaining user input. For cross-site scripting proofs-of-concept, devtool's console.log(document.origin) can be used, according to Chrome developers.