Mozilla bug #377496

Talk about code development, features, specific bugs, enhancements, patches, and similar things.
Forum rules
Please keep everything here strictly on-topic.
This board is meant for Pale Moon source code development related subjects only like code snippets, patches, specific bugs, git, the repositories, etc.

This is not for tech support! Please do not post tech support questions in the "Development" board!
Please make sure not to use this board for support questions. Please post issues with specific websites, extensions, etc. in the relevant boards for those topics.

Please keep things on-topic as this forum will be used for reference for Pale Moon development. Expect topics that aren't relevant as such to be moved or deleted.
User avatar
ron_1
Moon Magic practitioner
Moon Magic practitioner
Posts: 2852
Joined: 2012-06-28, 01:20

Mozilla bug #377496

Unread post by ron_1 » 2018-12-13, 02:06

I just read this article here about an 11 year old bug that Mozilla has not fixed so far. Is this bug present in Pale Moon (and Basilisk)?

User avatar
athenian200
Contributing developer
Contributing developer
Posts: 1498
Joined: 2018-10-28, 19:56
Location: Georgia

Re: Mozilla bug #377496

Unread post by athenian200 » 2018-12-13, 04:00

I don't know if you could really call it a "bug," because the authentication dialogues are working as intended, but the intended behavior is being exploited by unscrupulous website creators to trap you in an endless loop. This would be more of an instance of altering functionality to prevent the browser equivalent of "griefing" in a video game.

Whenever that situation happens to me (which is rare these days), I just position the authentication thing so that the X to close the dialog box is right over the X that closes the tab, and try to click as fast as I can. Eventually you can hit the X in the split second before another authentication prompt comes up, and that way you don't have to kill the browser in task manager. I have a lot of practice doing that, but most don't have the patience. I've been doing it for about 6 years now, though I did notice it started getting easier in Edge because they got more forgiving with the timing between new "login prompt" dialogue boxes.

I think the best solution to this would just be to add a timeout after the user dismisses that type of login prompt, so that any further requests by the site to display such a login prompt are ignored for 5-10 seconds, giving you time to close the offending tab.
Last edited by athenian200 on 2018-12-13, 06:16, edited 1 time in total.
"The Athenians, however, represent the unity of these opposites; in them, mind or spirit has emerged from the Theban subjectivity without losing itself in the Spartan objectivity of ethical life. With the Athenians, the rights of the State and of the individual found as perfect a union as was possible at all at the level of the Greek spirit." -- Hegel's philosophy of Mind

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35477
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: Mozilla bug #377496

Unread post by Moonchild » 2018-12-13, 08:09

It's just one of many ways that malicious sites can trap a visitor (so-called "evil traps") and causing denial of service to the user. The issue is that the authentication dialog box is window-modal and therefore blocks interaction with the rest of the window while it is up.
It's nothing new, and these malicious sites tend to be relatively short-lived because they cause a flood of complaints to hosters.

There is no simple solution to this because HTTP basic auth is a network level prompt and the dialog can't be made content-modal (because then basic auth pages in frames would no longer work, for example).
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

User avatar
athenian200
Contributing developer
Contributing developer
Posts: 1498
Joined: 2018-10-28, 19:56
Location: Georgia

Re: Mozilla bug #377496

Unread post by athenian200 » 2018-12-15, 14:06

This might seem like a weird idea, but what if there was a button INSIDE the dialog box that allowed you to just close the tab?

Right now, the dialog box consists of a user name field, a password field, an OK button, and a Cancel button. It might be possible to add in a third button that says something like "Close this Tab" or "Kill this Tab." It might seem strange or illogical at first glance from a UX perspective to have it there, given that closing tabs has nothing to do with authenticating users, but I think given how ubiquitous this problem actually is, no one would really question why the option was there.

The benefit of this solution is that it doesn't involve figuring out how to change the way the dialog box works fundamentally, or figure out how to add any timers to slow down the respawning of the authentication box created by nasty JavaScript on the web page. It just goes around the problem by adding an option to close the offending tab to the inside of the dialog box where we can actually click on it, dismissing both the authentication box and the tab that created it with a single click.
Last edited by athenian200 on 2018-12-15, 14:07, edited 1 time in total.
"The Athenians, however, represent the unity of these opposites; in them, mind or spirit has emerged from the Theban subjectivity without losing itself in the Spartan objectivity of ethical life. With the Athenians, the rights of the State and of the individual found as perfect a union as was possible at all at the level of the Greek spirit." -- Hegel's philosophy of Mind

Locked