Håkan Waara Reporter
	Description • 16 years ago

Not sure if it's overkill to flag this as security problem, but I'll do it for now and let you guys decide.

Summary: It's easy to bring up a HUGE modal dialog that are many screens high with javascript. 

Unless you know the right key (or if you don't have a keyboard: think accessibility) to use for that particular prompt/alert, they are not closable. On OS X, no close item is available, only stuff like "Quit" and "Preferences".

This means a malicious web author could force users to quit and restart the browser. If the user uses session restore, the same problem might reoccur upon restore, so in the end they will have to throw away all sessions as well, losing a lot of data!

STR:
 1. in javascript:   alert(hugeText);

	Daniel Veditz [:dveditz]
	Comment 1 • 16 years ago

Doesn't the Esc key always close these? And the Return key? And probably the space key?

You're right this could be an issue for keyboardless users, like Fennec running on a touchscreen-only device. The modality of the dialog might interfere with bringing up the on-screen keyboard (hopefully alerts are app-modal not system-modal).

Given the size of these dialogs I'm not sure the proposed solution of adding a "cancel all scripts" checkbox to modal dialogs is a complete solution, so for now I'll leave this as a separate "trap" rather than duping to that bug.

	:Gavin Sharp [email: gavin@gavinsharp.com]
	Comment 2 • 16 years ago

Dupe of bug 115997?

	Mounir Lamouri (:mounir)
	Comment 3 • 13 years ago

This has been fixed with the new alert() system in Firefox 4.