Re: [greasemonkey-dev] Disabling destructive JS on pages
Johan Sundström
does not belong on gm-dev, which is about the development of
Greasemonkey itself, not scripts per se.
On Jan 13, 2008 3:45 PM, Pász Gergely <past...@gmail.com> wrote:
> Hello everybody,
>
> Lately I've encountered a few page where javascript was used to trap the
> visitor on the page, by catching the "onBeforeUnload" event and
> returning false or going into an infinite loop of alert()-s, thus never
> allowing the window/tab to close. Similar effect was achieved on a few
> other sites by capturing the window.onclick() event.
>
> Then I tried to make a GM script that somehow removes these event
> handlers/listeners, but I haven't succeeded. My question is, that can
> this be done? In DOM 3 there'll be a listEventListeners, but that's the
> future :)
>
> Or can a GM script somehow accomplish this?
An idea that might be worth trying is to register an event handler of
your own which blocks the event from being passed on to other event
handlers, but IIRC the DOM specs don't guarantee any order of
invocation, should you and the malicious code listen in at the same
node.
Something like document.addEventListener("unload",function(e){e.stopPropagation();},
true); might work. (true being especially important)
--
/ Johan Sundström, http://ecmanaut.blogspot.com/
Robert G. Werner
[snip]
> On Jan 13, 2008 3:45 PM, Pász Gergely <past...@gmail.com> wrote:
>> Hello everybody,
>>
>> Lately I've encountered a few page where javascript was used to trap the
>> visitor on the page, by catching the "onBeforeUnload" event and
>> returning false or going into an infinite loop of alert()-s, thus never
>> allowing the window/tab to close. Similar effect was achieved on a few
>> other sites by capturing the window.onclick() event.
>>
>> Then I tried to make a GM script that somehow removes these event
>> handlers/listeners, but I haven't succeeded. My question is, that can
>> this be done? In DOM 3 there'll be a listEventListeners, but that's the
>> future :)
>>
>> Or can a GM script somehow accomplish this?
>
> An idea that might be worth trying is to register an event handler of
> your own which blocks the event from being passed on to other event
> handlers, but IIRC the DOM specs don't guarantee any order of
> invocation, should you and the malicious code listen in at the same
> node.
>
> Something like document.addEventListener("unload",function(e){e.stopPropagation();},
> true); might work. (true being especially important)
>
privacy settings of firefox is with settings in say user.js such as:
//Turn off the window open function
//user_pref("capability.policy.default.Window.open", "noAccess");
user_pref("dom.disable_open_during_load", true);
user_pref("dom.disable_open_click_delay", 1000);
//Some strict restrictions to annoying websites.
user_pref("capability.policy.policynames", "strict");
user_pref("capability.policy.strict.sites", "http://www.nytimes.com/");
user_pref("capability.policy.strict.Window.alert", "noAccess");
These are some things I have in mine. I believe you should be able to
block access to onBeforeUnload with this.
--
In Reach Technology: http://www.inreachtech.net/
Robert G. Werner
rob...@inreachtech.net
Tel: 559.304.5122
<Knghtbrd> Feanor - license issues are important. If we don't watch our
arses now, someone's gonna come up and bite us later...
esquifit
user_pref("dom.disable_open_during_load", true)
really prevents spawning new windows during both load *and unload*
events, and even if triggered from a setTimeout/setInterval call.
In addition, I would also include
user_pref("capability.policy.strict.Window.foo", "noAccess");
where 'foo' is the handler of the onBeforeUnload event, should it not
be an anonymous function.
Please take a look at the following in case you are not acquainted
with this feature.
[1] http://www.mozilla.org/projects/security/components/ConfigPolicy.html
[2] http://kb.mozillazine.org/Security_Policies