Google's warning: Time's up for JavaScript dialogs that trap you with 'Sure you want to leave?' pop-ups

Google may put an end to pop-up dialogs, a technique used by scammers to scare computer and smartphone users into paying for things they really don't need.


Google's Chromium team have released a proposal to eradicate JavaScript dialog boxes.

Image: iStock

Why browsers still allow pop-up dialogs, which are favored by scammers, is a mystery that baffles techies.

As one user on HackerNews recently complained: "There are still malware and advertising sites out there that allow browsers to use modal dialogs, ie, you can't interact with the page without answering the dialog. You can't even close the tab without getting rid of the dialog," the user wrote.

An insecure mess: How flawed JavaScript is turning web into a hacker's playground

Researchers say tens of thousands of sites are using JavaScript libraries that are years old and contain publicly known vulnerabilities.

Read More

"There are also sites that will kill your page history by going through a bunch of redirects to prevent you from leaving with the back button. Why are these kinds of things allowed and supported by web browsers? Why do they even need the ability to have a pop-up dialog with modern websites being what they are?"

The technique was used in early police-themed ransomware that locked the browser to a page and required payment to unlock it. It's also been abused on Android to raise false alarms about malware infections.

As Malwarebytes noted in response to the Android pop-ups, users can avoid them by disabling JavaScript, but doing so would also disable JavaScript-dependent features on other sites.

To address this abuse of JavaScript in the browser, Google's Chromium team have released a proposal to eradicate JavaScript dialog boxes.

For now, it strongly recommends developers avoid using JavaScript for these boxes. As they note, the pop-ups are "app-modal" and cause the browser's JavaScript engine to pause until a user response is obtained. Hence, they can be abused by ransomware and scareware scammers.

Google is offering three alternatives to JavaScript pop-ups for the alert(), confirm(), and prompt(). methods in JavaScript.

These include the Notifications API to notify users of events, and the HTML <dialog> element for obtaining user input. For cross-site scripting proofs-of-concept, devtool's console.log(document.origin) can be used, according to Chrome developers.

Chrome developers also point to a recently launched project called OldSpice that aims to "tame the power of JavaScript dialogs".

The plan is to "rename the chrome/browser/ui/app_modal directory to be javascript_dialogs."

"It will be the future home of the JavaScript dialog tab helper code, which will not be app-modal, so the name is no longer appropriate for use."

Read more about JavaScript