Re: [whatwg] JavaScript Hovers and Back Button

2016-04-14 Thread Darin Adler
> On Apr 14, 2016, at 10:38 AM, Arvind Nigam wrote:
> 
> I wish to add that this issue is a bit more annoying on mobile: both on
> iPad and iPhone.
> 
> Once the webpage loads, it goes into a JS invoked confirm/ok modal that
> would not relent -- not without seeking credit card info or something else
> to let you off the hook. The site that I saw today was somehow phishing a
> *.gov url too, using serious/ even scary warnings with quotes from Federal
> Law / websites... :-)
> 
> The only way out then was to delete the browser from my iPad and reinstall
> it clean.

The problem you describe above was addressed by Apple in iOS 9.3 and also in 
Safari 9.1 on Mac. That release changed the style of JavaScript alerts so that 
they are less likely to appear to come from Safari, the operating system, or 
Apple. They look more like part of a webpage, and no longer interfere with 
closing a tab or webpage, using the back button to leave the webpage, or using 
the smart search field to enter a new search or website address.

I don’t think that’s the same topic, though, as what this thread was originally 
about.

— Darin

Re: [whatwg] JavaScript Hovers and Back Button

2016-04-14 Thread Arvind Nigam
Hi,

Unlike others on this thread, I'm a little more of an ordinary user of the web.
Came across one such modal just today!

So thank you for reporting this.

I wish to add that this issue is a bit more annoying on mobile: both on
iPad and iPhone. I guess the behavior on Android phones will also be
the same, but this needs validation.

Once the webpage loads, it goes into a JS invoked confirm/ok modal that
would not relent -- not without seeking credit card info or something else
to let you off the hook. The site that I saw today was somehow phishing a
*.gov url too, using serious/ even scary warnings with quotes from Federal
Law / websites... :-)

The only way out then was to delete the browser from my iPad and reinstall
it clean.


Cheers,

On 14 April 2016 at 10:45, Yay295 wrote:

> *Windows*
> IE11, Chrome: Navigation buttons are blocked while modal dialog is shown.
> Firefox: Navigation buttons remain usable.
>
> On Thu, Apr 14, 2016 at 8:34 AM, Majid Valipour wrote:
>
> > > A very common abuse is that when pulling the mouse to hit the back
> > > button because you are not interested in a page, a hover comes up and
> > > when the hover comes up, the back button no longer works.
> >
> > Does 'hover' refer to modal dialog e.g., window.alert?
> > That is the only way I know that you can block a user from clicking the
> > back button.
> > Here is a simple page that does this: http://jsbin.com/fuwosaxefa
> >
> > That behavior is a side-effect of how a browser may decide to implement
> > modal dialog which is dependent also on the OS. I tested a few browsers
> > on Linux & Mac and this is what I found:
> >
> > *Mac*
> > Firefox, Chrome, Safari: Navigation buttons are usable while modal dialog
> > is shown.
> > *Linux*
> > Chrome: Navigation buttons are blocked while modal dialog is shown.
> > Firefox: Navigation buttons remain usable.
> > *Windows*
> > 
> >
> > Perhaps this is worth a non-normative note in the spec in "user-prompt"
> > section [1]
> >
> > [1] https://html.spec.whatwg.org/multipage/webappapis.html#user-prompts
> >
> > Majid
> >
> > On Thu, Apr 14, 2016 at 4:38 AM Delfi Ramirez wrote:
> >
> > > Agree.
> > >
> > > May it be done within the History API spec?
> > >
> > > Just wondering.
> > >
> > > On 2016-04-13 21:44, Michael A. Peters wrote:
> > >
> > > > It needs to be made very clear as a web standard that no JavaScript
> > > > action can disable UI functions such as the back button.
> > > >
> > > > A very common abuse is that when pulling the mouse to hit the back
> > > > button because you are not interested in a page, a hover comes up and
> > > > when the hover comes up, the back button no longer works.
> > > >
> > > > This is a browser UI issue but it needs to be specified that browsers
> > > > must not disable the back button in response to JavaScript. The web is
> > > > enough of a cesspool as it is.
> > >
> >
>


Re: [whatwg] JavaScript Hovers and Back Button

2016-04-14 Thread Yay295
*Windows*
IE11, Chrome: Navigation buttons are blocked while modal dialog is shown.
Firefox: Navigation buttons remain usable.

On Thu, Apr 14, 2016 at 8:34 AM, Majid Valipour wrote:

> > A very common abuse is that when pulling the mouse to hit the back
> > button because you are not interested in a page, a hover comes up and
> > when the hover comes up, the back button no longer works.
>
> Does 'hover' refer to modal dialog e.g., window.alert?
> That is the only way I know that you can block a user from clicking the
> back button.
> Here is a simple page that does this: http://jsbin.com/fuwosaxefa
>
> That behavior is a side-effect of how a browser may decide to implement
> modal dialog which is dependent also on the OS. I tested a few browsers on
> Linux & Mac and this is what I found:
>
> *Mac*
> Firefox, Chrome, Safari: Navigation buttons are usable while modal dialog
> is shown.
> *Linux*
> Chrome: Navigation buttons are blocked while modal dialog is shown.
> Firefox: Navigation buttons remain usable.
> *Windows*
> 
>
> Perhaps this is worth a non-normative note in the spec in "user-prompt"
> section [1]
>
> [1] https://html.spec.whatwg.org/multipage/webappapis.html#user-prompts
>
> Majid
>
> On Thu, Apr 14, 2016 at 4:38 AM Delfi Ramirez wrote:
>
> > Agree.
> >
> > May it be done within the History API spec?
> >
> > Just wondering.
> >
> > On 2016-04-13 21:44, Michael A. Peters wrote:
> >
> > > It needs to be made very clear as a web standard that no JavaScript
> > > action can disable UI functions such as the back button.
> > >
> > > A very common abuse is that when pulling the mouse to hit the back
> > > button because you are not interested in a page, a hover comes up and
> > > when the hover comes up, the back button no longer works.
> > >
> > > This is a browser UI issue but it needs to be specified that browsers
> > > must not disable the back button in response to JavaScript. The web is
> > > enough of a cesspool as it is.
> >
>


Re: [whatwg] JavaScript Hovers and Back Button

2016-04-14 Thread Majid Valipour
> A very common abuse is that when pulling the mouse to hit the back
> button because you are not interested in a page, a hover comes up and
> when the hover comes up, the back button no longer works.

Does 'hover' refer to modal dialog e.g., window.alert?
That is the only way I know that you can block a user from clicking the
back button.
Here is a simple page that does this: http://jsbin.com/fuwosaxefa

That behavior is a side-effect of how a browser may decide to implement
modal dialog which is dependent also on the OS. I tested a few browsers on
Linux & Mac and this is what I found:

*Mac*
Firefox, Chrome, Safari: Navigation buttons are usable while modal dialog
is shown.
*Linux*
Chrome: Navigation buttons are blocked while modal dialog is shown.
Firefox: Navigation buttons remain usable.
*Windows*


Perhaps this is worth a non-normative note in the spec in "user-prompt"
section [1]

[1] https://html.spec.whatwg.org/multipage/webappapis.html#user-prompts

Majid

On Thu, Apr 14, 2016 at 4:38 AM Delfi Ramirez wrote:

> Agree.
>
> May it be done within the History API spec?
>
> Just wondering.
>
> On 2016-04-13 21:44, Michael A. Peters wrote:
>
> > It needs to be made very clear as a web standard that no JavaScript
> > action can disable UI functions such as the back button.
> >
> > A very common abuse is that when pulling the mouse to hit the back
> > button because you are not interested in a page, a hover comes up and
> > when the hover comes up, the back button no longer works.
> >
> > This is a browser UI issue but it needs to be specified that browsers
> > must not disable the back button in response to JavaScript. The web is
> > enough of a cesspool as it is.
>


Re: [whatwg] JavaScript Hovers and Back Button

2016-04-14 Thread Delfi Ramirez
Agree.  

May it be done within the History API spec?  

Just wondering.

On 2016-04-13 21:44, Michael A. Peters wrote:

> It needs to be made very clear as a web standard that no JavaScript action 
> can disable UI functions such as the back button.
> 
> A very common abuse is that when pulling the mouse to hit the back button 
> because you are not interested in a page, a hover comes up and when the hover 
> comes up, the back button no longer works.
> 
> This is a browser UI issue but it needs to be specified that browsers must not 
> disable the back button in response to JavaScript. The web is enough of a 
> cesspool as it is.
 



Re: [whatwg] JavaScript Hovers and Back Button

2016-04-13 Thread Michael A. Peters
Last one I found is already taken down (I always report it to the ISP - 
often Amazon cloud)


What it does is make loud buzzing noises while flashing a message that 
your computer has been infected with a virus and you must call Microsoft 
support immediately.


Only thing that works is closing the tab or quitting the browser.



On 04/13/2016 12:54 PM, Jonathan Zuckerman wrote:

> I have heard of a lot of abuses but never actually come across this
> particular one, can you point us to a site that demonstrates it?
>
> On Wed, Apr 13, 2016 at 3:53 PM, Michael A. Peters wrote:
>
>> This btw is a security issue. Many of the scam sites that do things like
>> tell the user their computer is infected and they have to call a number
>> disable the ability to use the back button via JavaScript hovers.
>>
>> This puts users who don't understand technology into a mental state where
>> they feel like they have no control.
>>
>> It's effing stupid that anyone ever thought it was a good idea to let
>> JavaScript disable the standard browser controls. As browsers have done
>> that, it needs to be specified that JavaScript can't do that.
>>
>> On 04/13/2016 12:44 PM, Michael A. Peters wrote:
>>
>>> It needs to be made very clear as a web standard that no JavaScript
>>> action can disable UI functions such as the back button.
>>>
>>> A very common abuse is that when pulling the mouse to hit the back
>>> button because you are not interested in a page, a hover comes up and
>>> when the hover comes up, the back button no longer works.
>>>
>>> This is a browser UI issue but it needs to be specified that browsers must
>>> not disable the back button in response to JavaScript. The web is enough
>>> of a cesspool as it is.





Re: [whatwg] JavaScript Hovers and Back Button

2016-04-13 Thread Jonathan Zuckerman
I have heard of a lot of abuses but never actually come across this
particular one, can you point us to a site that demonstrates it?

On Wed, Apr 13, 2016 at 3:53 PM, Michael A. Peters wrote:

> This btw is a security issue. Many of the scam sites that do things like
> tell the user their computer is infected and they have to call a number
> disable the ability to use the back button via JavaScript hovers.
>
> This puts users who don't understand technology into a mental state where
> they feel like they have no control.
>
> It's effing stupid that anyone ever thought it was a good idea to let
> JavaScript disable the standard browser controls. As browsers have done
> that, it needs to be specified that JavaScript can't do that.
>
>
> On 04/13/2016 12:44 PM, Michael A. Peters wrote:
>
>> It needs to be made very clear as a web standard that no JavaScript
>> action can disable UI functions such as the back button.
>>
>> A very common abuse is that when pulling the mouse to hit the back
>> button because you are not interested in a page, a hover comes up and
>> when the hover comes up, the back button no longer works.
>>
>> This is a browser UI issue but it needs to be specified that browsers must
>> not disable the back button in response to JavaScript. The web is enough
>> of a cesspool as it is.
>>
>


Re: [whatwg] JavaScript Hovers and Back Button

2016-04-13 Thread Michael A. Peters
This btw is a security issue. Many of the scam sites that do things like 
tell the user their computer is infected and they have to call a number 
disable the ability to use the back button via JavaScript hovers.


This puts users who don't understand technology into a mental state 
where they feel like they have no control.


It's effing stupid that anyone ever thought it was a good idea to let 
JavaScript disable the standard browser controls. As browsers have done 
that, it needs to be specified that JavaScript can't do that.


On 04/13/2016 12:44 PM, Michael A. Peters wrote:

> It needs to be made very clear as a web standard that no JavaScript
> action can disable UI functions such as the back button.
>
> A very common abuse is that when pulling the mouse to hit the back
> button because you are not interested in a page, a hover comes up and
> when the hover comes up, the back button no longer works.
>
> This is a browser UI issue but it needs to be specified that browsers must
> not disable the back button in response to JavaScript. The web is enough
> of a cesspool as it is.
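
A page-level mitigation for the confirm/alert modal that "would not relent" discussed in this thread, as an added example that is not part of any message above and not any browser's actual implementation: it caps how many modal dialogs a page may open within a sliding time window and answers the rest as if the user had dismissed them. The function name, the limits and the fake window object are assumptions made for the illustration.

```javascript
// Added example (not browser or spec code): throttle modal dialogs per page.
// `win` is any object exposing alert/confirm/prompt; the limits are assumptions.
function installDialogThrottle(win, { maxDialogs = 2, windowMs = 10000, now = Date.now } = {}) {
  const shown = [];                          // timestamps of dialogs actually displayed
  const stats = { shown: 0, suppressed: 0 };
  // Value each API yields when the user dismisses it, i.e. the "no" answer.
  const dismissed = { alert: undefined, confirm: false, prompt: null };

  for (const name of Object.keys(dismissed)) {
    const native = win[name];
    if (typeof native !== "function") continue;
    win[name] = function (...args) {
      const t = now();
      // Drop timestamps that have aged out of the sliding window.
      while (shown.length && t - shown[0] >= windowMs) shown.shift();
      if (shown.length >= maxDialogs) {      // budget is shared by all three APIs
        stats.suppressed++;
        return dismissed[name];              // return at once, nothing modal is shown
      }
      shown.push(t);
      stats.shown++;
      return native.apply(win, args);
    };
  }
  return stats;
}

// Constructed stand-in for a page that keeps re-opening confirm() on "Cancel".
function simulateNaggingPage(limit) {
  let clock = 0, nativeCalls = 0;
  const fakeWindow = {
    alert() { nativeCalls++; },
    confirm() { nativeCalls++; return false; },  // user keeps clicking "Cancel"
    prompt() { nativeCalls++; return null; },
  };
  const stats = installDialogThrottle(fakeWindow, { maxDialogs: limit, now: () => clock });
  let attempts = 0;
  // Page logic: ask again every 100 ms, at most 50 times, until confirm() is true.
  while (attempts < 50 && !fakeWindow.confirm("constructed dialog text")) {
    attempts++;
    clock += 100;
  }
  return { attempts, nativeCalls, ...stats };
}

console.log(simulateNaggingPage(2));
```

In a browser the wrapper would have to be installed, for example from a user script or extension, before the page's own scripts run.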