Malicious "confirm navigation" dialogs?
Despite what some of these dialogs say, they can't do anything malicious. You can always click OK or Leave Page to close offending page without any consequences.
If the dialog is too long and buttons are off the screen, you can press Enter to confirm closing the page.
If you don't have a keyboard (touchscreen devices), use the bookmarklet below or see SimpleSimon's answer (Chrome only).
Now, some details.
There's only one way to perform some action when a page is closing: through the onbeforeunload
event. Of course this could be easily used against the user (for example when he tries to close a page, it opens its copy in a new window), so it's very limited.
Actually the only reasonable thing you can do is open a dialog with custom text and two buttons, one to leave the page and one to stay. Only thing a page can do with that dialog is define its text. Buttons and titlebar are immutable. Here's a screenshot from Firefox 3.6: (very old version of Firefox)
Of course when you let people show popups with any text and just OK/Cancel buttons, then you can be sure that sooner or later some guys will use it against you.
In the above screenshot OK means just "Leave this page", but the custom description suggests something more. So browsers have changed the dialogs so it's harder to make them misleading. For example recent versions of Firefox seems to ignore the custom text:
Chrome shows the custom text, but always appends a question asking user what does he want to do and the buttons explicitly state their actions: (but it's still prone to the "cat videos" messages!)
Here's Internet Explorer 10, also "cat-prone":
Opera 12 just ignores the onbeforeunload
event and if you try to close a tab like that, it will close just like any other. I haven't tested latest Opera, though.
So, to sum up the most important things:
- Pages cannot show dialogs with any text. Website can ask browser to show a dialog with a custom text, but the browser can ignore it altogether (Opera), use generic text (Firefox) or explicitly say what will happen (Chrome, IE).
- Details of the dialog depend on the browser you're using, but buttons are always immutable. If they won't say explicitly which one does what, then OK means "leave this page* and Cancel is "stay here".
- Websites cannot perform any malicious actions if you decide to leave them. Your files won't be replaced with cat videos, you won't be flooded with 135234 viruses and FBI won't be informed that you have illegal software on your computer.
You can disable onbeforeunload
event if you want to, effectively preventing pages from asking you to leave or stay. Here's a cross-browser userscript. (scroll down if the link is dead)
If you're on a specific website that shows a malicious popup and you're still afraid to click Leave, you can create a bookmarklet to remove it. Right-click your bookmarks bar, choose New bookmark (or equivalent) and paste this as an URL: (it's just minifed code from the above link)
javascript:var x=document.createElement('script');x.type='text/javascript';x.innerHTML='onbeforeunload=function(){};';document.body.appendChild(x);
Then just click that bookmark and the popup will be temporarily removed from the active page.
If you want to test how those popups look in your browser or test the bookmarklet/userscript, create a text file with the following code and save it as a .html
file:
<html><body onbeforeunload="return 'My custom text.'">_</body></html>
It seems that the userscript link is dead right now, so here's a copy extracted from archive.org cache. All credit for the original script creator.
// ==UserScript==
// @name Disable - remove onbeforeunload
// @namespace
// @description Disable - remove the annoying onbeforeunload event
// @include *
// @author netvisiteurs.com
// ==/UserScript==
var x = document.createElement('script');
x.type = 'text/javascript';
x.innerHTML = 'onbeforeunload = function() {};';
document.body.appendChild(x);
Actually, FireFox has a rather nifty (and easy) solution. If you type
about:config
into the address bar, then scroll down to
dom.disable_beforeunload
and set its value to True you will no longer see the Leave Page popups. In FireFox. Too bad there isn't a similar workaround in Chrome.
The simplest solution in Chrome is to crash the tab.
Type chrome://crash into the address bar and save as a bookmark.
Next time you want to leave such a page just click the bookmark and it will kill that tab instantly, without affecting your other tabs. No need to kill the entire browser session as some others have suggested.
Alternatively you can hang the tab using chrome://hang then simply close the tab without any JavaScript running.
Not sure if this is possible in other browsers.