Why can JavaScript & alert lock up a browser?

January 26, 2009

JavaScript often provides “Web 2.0″ functionality to websites. But one of the simplest commands that is still being used to date is the alert box:

JavaScript alert dialog

Simple, right? Useful? Yes. But what about websites with malicious intents (we’re using this word in a “light way”; what can JS do?): what if we want to lock up the browser?

Create an infinite loop of alert boxes. The only way out seems to be killing the browser process (or with Chrome, the tab process). This brings us to an question – why?

A good example of this is how in Firefox 2, the Password Manager dialog was intrusive, like this (it also blocked any user input until a button was pushed):

Firefox Password Manager

While in Firefox 3, it shows up a prompt like this at the top of the page, that does not block any user interaction (like an alert prompt):

Firefox 3 Password Manager

You can see where I’m aiming at. Why can’t we have something like this for the alert box too? Why does the alert box block the browser? The user should still be able to interact with the browser even with an infinite loop of them. A similar solution is used for some security alerts in Internet Explorer, but not any user JavaScript.

There’s actually a Mozilla bug tracker issue about it. From 2000.

Related reading here, here and here.

blog comments powered by Disqus