Hello, and welcome
My name is Veeti Paananen. I live in Finland, and I write desktop and web applications using technologies such as Qt and Ruby on Rails. This is my personal website and blog. Close this...
Why can JavaScript & alert lock up a browser?
January 26th, 2009
JavaScript often provides “Web 2.0″ functionality to websites. But one of the simplest commands that is still being used to date is the alert box:
Hello World!
Simple, right? Useful? Yes. But what about websites with malicious intents (we’re using this word in a “light way”; what can JS do?): what if we want to lock up the browser?
Create an infinite loop of alert boxes. The only way out seems to be killing the browser process (or with Chrome, the tab process). This brings us to an question – why?
A good example of this is how in Firefox 2, the Password Manager dialog was intrusive, like this (it also blocked any user input until a button was pushed):
(What happened to the Vista theme?)
While in Firefox 3, it shows up a prompt like this at the top of the page, that does not block any user interaction (like an alert prompt):
Much better
You can see where I’m aiming at. Why can’t we have something like this for the alert box too? Why does the alert box block the browser? The user should still be able to interact with the browser even with an infinite loop of them. A similar solution is used for some security alerts in Internet Explorer, but not any user JavaScript.
There’s actually a Mozilla bug tracker issue about it. From 2000.
Related reading here, here and here.
Hey! Thanks for reading this blog post by me. But before you go, please consider leaving me a comment if you thought the post was useful to you. Thanks!
Thanks for the brush-up. This is annoying as hell! It escapes me why this has not already been fixed?
Trivia: Amazingly you can get out of a JS infinite alert loop. There is a very brief amount of of time where you can still perform actions between alert boxes. I know, I accidentally put myself in one.
While I agree with most of what you mentioned, sometimes there are very valid reasons for blocking completely, like yes/no modal dialogs, which could still be used maliciously. An example of why they are useful is if I try and close or navigate away from a page with unsaved data on it, it could be nice to block and prompt me to warn me that I might lose data. So even if alert was gone, there would still be ways to infinite loop lock. A better solution might be to add a forced timer, so that modal dialogs, including alert, could only be called every 5 seconds. Alternatively, there’s this for your own protection: http://www.tumuski.com/2008/05/javascript-alert-cancel-button/