Malicious "confirm navigation" dialogs?

Some sites, like StackExchange, pop up an "Are you sure you want to leave this page?" dialog when you try to leave under certain conditions, such as if you have a post you haven't finished editing. This is helpful!

Unfortunately, malicious or infected sites like to use the same functionality to say, "Hey! You haven't installed our malware antivirus to address the 111 viruses we're definitely not lying about finding on your computer!", and the "Leave this page" and "Stay on this page" options are replaced by something like "Be safe. Install our product" and "Shoot yourself in the foot". This is unhelpful!

JavaScript can do some nasty stuff. When I get one of those dialogs trying to keep me from leaving a clearly malicious site, what should my response be? Is it safe to click "Leave this page" or whatever they replaced the text with? Could a site change the behavior of the button, or intercept my attempt to navigate away and draw its own fake dialog that does whatever an attacker wants when I click on it?


Solution 1:

Despite what some of these dialogs say, they can't do anything malicious. You can always click OK or Leave Page to close the offending page without any consequences.

If the dialog is too long and buttons are off the screen, you can press Enter to confirm closing the page.

If you don't have a keyboard (touchscreen devices), use the bookmarklet below or see SimpleSimon's answer (Chrome only).


Now, some details.

There's only one way to perform some action when a page is closing: through the onbeforeunload event. Of course this could be easily used against the user (for example when he tries to close a page, it opens its copy in a new window), so it's very limited.

Actually, the only reasonable thing you can do is open a dialog with custom text and two buttons, one to leave the page and one to stay. The only thing a page can do with that dialog is define its text. The buttons and title bar are immutable. Here's a screenshot from Firefox 3.6 (a very old version of Firefox):

Screenshot from Firefox 3.6

Of course when you let people show popups with any text and just OK/Cancel buttons, then you can be sure that sooner or later some guys will use it against you.

Screenshot of a malicious window from Firefox 3.6

In the above screenshot OK just means "Leave this page", but the custom description suggests something more. So browsers have changed the dialogs so it's harder to make them misleading. For example, recent versions of Firefox seem to ignore the custom text:

Screenshot from Firefox 23

Chrome shows the custom text, but always appends a question asking the user what he wants to do, and the buttons explicitly state their actions (but it's still prone to the "cat videos" messages!):

Screenshot from Chrome 29

Here's Internet Explorer 10, also "cat-prone":

Screenshot from IE 10

Opera 12 just ignores the onbeforeunload event, and if you try to close a tab like that, it will close just like any other. I haven't tested the latest Opera, though.

So, to sum up the most important things:

  • Pages cannot show dialogs with any text. A website can ask the browser to show a dialog with custom text, but the browser can ignore it altogether (Opera), use generic text (Firefox) or explicitly say what will happen (Chrome, IE).
  • Details of the dialog depend on the browser you're using, but the buttons are always immutable. If they don't say explicitly which one does what, then OK means "leave this page" and Cancel means "stay here".
  • Websites cannot perform any malicious actions if you decide to leave them. Your files won't be replaced with cat videos, you won't be flooded with 135234 viruses and the FBI won't be informed that you have illegal software on your computer.

You can disable the onbeforeunload event if you want to, effectively preventing pages from asking you to leave or stay. Here's a cross-browser userscript. (Scroll down if the link is dead.)

If you're on a specific website that shows a malicious popup and you're still afraid to click Leave, you can create a bookmarklet to remove it. Right-click your bookmarks bar, choose New bookmark (or equivalent) and paste this as the URL (it's just minified code from the above link):

javascript:var x=document.createElement('script');x.type='text/javascript';x.innerHTML='onbeforeunload=function(){};';document.body.appendChild(x);

Then just click that bookmark and the popup will be temporarily removed from the active page.

If you want to test how those popups look in your browser or test the bookmarklet/userscript, create a text file with the following code and save it as a .html file:

<html><body onbeforeunload="return 'My custom text.'">_</body></html>

It seems that the userscript link is dead right now, so here's a copy extracted from the archive.org cache. All credit to the original script creator.

// ==UserScript==
// @name           Disable - remove onbeforeunload
// @namespace      
// @description    Disable - remove the annoying onbeforeunload event
// @include        *
// @author         netvisiteurs.com
// ==/UserScript==

var x = document.createElement('script');
x.type = 'text/javascript';
x.innerHTML = 'onbeforeunload = function() {};';
document.body.appendChild(x);
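
To make concrete why the bookmarklet and userscript above work, here is an added example that is not part of the answer: a constructed, DOM-free model (FakeWindow is a stand-in, not a real browser API) of how a browser decides whether to show the leave/stay prompt. It follows the rule the answer describes: the page only controls whether the prompt appears (and, in old browsers, its text), never the buttons, and the prompt is requested by returning a string, setting event.returnValue or calling preventDefault(). It also goes one step beyond the answer: replacing window.onbeforeunload only clears the property handler, so a page that registered its handler with addEventListener keeps prompting after the bookmarklet runs.

```javascript
// Added example, not code from the original answer. FakeWindow is a constructed
// simplification of a browser window used to show what the bookmarklet's
// `onbeforeunload = function(){}` does and does not neutralize.

class FakeWindow {
  constructor() {
    this.onbeforeunload = null;   // property handler, the thing the bookmarklet overwrites
    this.listeners = [];          // handlers registered via addEventListener
  }

  addEventListener(type, fn) {
    if (type === 'beforeunload') this.listeners.push(fn);
  }

  // Returns true if the browser would show the leave/stay prompt. The page can
  // only request the prompt (non-empty returnValue or preventDefault()); the
  // buttons and their meaning are fixed by the browser, as the answer explains.
  dispatchBeforeUnload() {
    const event = {
      returnValue: '',
      defaultPrevented: false,
      preventDefault() { this.defaultPrevented = true; },
    };
    if (typeof this.onbeforeunload === 'function') {
      // A string returned from the property handler becomes the returnValue.
      const result = this.onbeforeunload.call(this, event);
      if (result !== undefined && result !== null) event.returnValue = String(result);
    }
    for (const fn of this.listeners) fn.call(this, event);
    return event.returnValue !== '' || event.defaultPrevented;
  }
}

// The bookmarklet reduced to its effect: replace the property handler with one
// that returns nothing, so no prompt is requested through that path.
function applyBookmarklet(win) {
  win.onbeforeunload = function () {};
}

// Scenario 1: the page assigned a scareware-style message through the property,
// like the test .html file in the answer. The bookmarklet removes the prompt.
function propertyHandlerScenario() {
  const win = new FakeWindow();
  win.onbeforeunload = () => 'You have 111 viruses! Stay and install our product!';
  const before = win.dispatchBeforeUnload();
  applyBookmarklet(win);
  const after = win.dispatchBeforeUnload();
  return { before, after };   // before: true, after: false
}

// Scenario 2 (generalization beyond the answer): the page used addEventListener.
// Overwriting the property does not touch listeners, so the prompt survives;
// the "press Enter / click Leave" advice still applies, the bookmarklet does not.
function listenerScenario() {
  const win = new FakeWindow();
  win.addEventListener('beforeunload', (e) => {
    e.preventDefault();
    e.returnValue = 'Stay!';
  });
  const before = win.dispatchBeforeUnload();
  applyBookmarklet(win);
  const after = win.dispatchBeforeUnload();
  return { before, after };   // before: true, after: true
}

console.log('property handler:', propertyHandlerScenario());
console.log('addEventListener:', listenerScenario());
```

The second scenario is the practical caveat: the bookmarklet is a convenience for pages that assign window.onbeforeunload directly, while the browser-level options in the other answers (the Firefox preference, crashing the tab in Chrome) cover both registration paths because they bypass the page's JavaScript entirely.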

Solution 2:

Actually, Firefox has a rather nifty (and easy) solution. If you type

about:config

into the address bar, then scroll down to

dom.disable_beforeunload

and set its value to True, you will no longer see the Leave Page popups. In Firefox. Too bad there isn't a similar workaround in Chrome.

Solution 3:

The simplest solution in Chrome is to crash the tab.

Type chrome://crash into the address bar and save as a bookmark.

Next time you want to leave such a page just click the bookmark and it will kill that tab instantly, without affecting your other tabs. No need to kill the entire browser session as some others have suggested.

Alternatively, you can hang the tab using chrome://hang and then simply close the tab without any JavaScript running.

Not sure if this is possible in other browsers.

Solution 4:

This is the window.onbeforeunload event and a feature of the web browser. So this should be a fixed dialog of the web browser. You can try it in different browsers and see that the dialogs have different designs.

But I assume you could develop a popup with JavaScript which looks very, very similar to the browser's original popup. And if it is a good developer, he would also check the browser type before showing the dialog. ;)

So to be very sure about an original dialog, you should cross-check it in parallel against the correct dialog, i.e. here: http://samples.msdn.microsoft.com/workshop/samples/author/dhtml/refs/onbeforeunload.htm

See here for further information about the event:
https://developer.mozilla.org/en-US/docs/Web/API/window.onbeforeunload
http://msdn.microsoft.com/en-us/library/ms536907%28VS.85%29.aspx