An interesting question has been posed on the 404 Tech Support forums asking about those pop-up dialogs you might receive every once in a while that start with “Are you sure you want to navigate away from this page?”. The question also asks, “Are there any dangers related to this? Will it install malware? Is there a way to block it automatically?” These are very good questions that we should all be pondering for security reasons. Let me share with you what my experience and research can tell about these somewhat intruisive, but potentially very helpful dialog boxes.
I encounter these messages daily for many legitimate reasons. Here are a few of those cases:
- WordPress – 404 Tech Support is powered by WordPress. If I am writing up a new post and forget to save but try to go somewhere else in that tab, I’ll see the message with “The changes you made will be lost if you navigate away from this page.” After you save the post, you can navigate away without seeing this message.
- Gmail – Every once in a while I can catch Gmail showing this message if an e-mail hasn’t been sent or auto-saved or it’s doing something that’s taking a while. Usually a little status message will be shown at the top of Gmail, but you’ll see this message if you try to navigate away with “Your message has not been sent.”
- Google Docs – Google Docs auto-saves very frequently so it’s hard to catch it when there have been unsaved changes to the document. If you do, you’ll see this message with “You have unsaved changes in this document. Click Cancel now, then ‘Save’ to save them. Click OK now to discard them.”.
- Ad sites – I used to be a member of an e-mail ad service. They’d e-mail you a link, you click on it, and it takes you to an advertising partner’s website. For each e-mail you would earn anywhere between 1 to 5 cents. In the last few months that I was apart of it, a lot of these sites, started implementing this message to make it difficult for you to leave the page and stay on the site longer. This was one of the reasons I cashed out and unsubscribed from this service.
Understanding It
The source of this message is a Javascript function, called OnBeforeUnload(). All it takes to show this message on a page is a script in between the Head tags of an HTML file that calls Window.OnBeforeUnload (or many other ways of applying the attribute to the elements of webpage). The function sets the first line, last line, and the operation of the OK and Cancel buttons. The middle line can be customized. The overall message can appear differently in browsers besides Firefox:
The exact message states in Firefox:
Are you sure you want to navigate away from this page?
Any string value… (This line can change per site/page.)
Press OK to continue, or Cancel to stay on the current page.
Internet Explorer:
Google Chrome:
Safari:
Opera does not recognize the OnBeforeUnload event in Javascript and just allows navigation to continue without prompting.
The OK button allows the unload operation to continue while the Cancel button aborts it. These buttons are fixed by the function and by themselves wouldn’t be usable for a malicious payload to be delivered. If you went to a favorite or bookmark, closed the tab/window, or clicked a (safe) link, you can pretty safely rely that clicking OK won’t put your computer in risk of any harm. However, that doesn’t mean that a dialog box couldn’t be crafted through other Javascript means to look exactly like the normal dialog (probably with typos though) and the OK button might redirect you to a malicious site, but this would have to be triggered manually instead of with the OnBeforeUnload event. A link that said ‘Close this window’ could possibly be configured to be a malware redirect through a pop-up like this, but if you are able to social-engineer people into clicking the link, it would just be easier to direct that click to a malicious site directly. You can learn more about the specifics of the OnBeforeUnload function from its MSDN article.
I took the example code used in that article and created a simple page with it so you can see it in action and view the source to see how simple it is. You can find it here: http://www.404techsupport.com/blog/script.html
Preventing It
Now that we understand where these windows are coming from and that they should be relatively safe, they can still be annoying. How can we prevent them from showing up? The only way to really filter out only this Javascript function is to use Opera as your browser as a result of their not supporting the event. The way to prevent these messages in Firefox is the same as preventing any other Javascript from executing, use one of these add-ons:
NoScript – NoScript denies all Javascript unless you specifically white-list a website to allow it.
YesScript – YesScript allows all Javascript unless you specifically black-list a website to deny it.
The two philosophical approaches all you to choose which extension matches your browsing style. NoScript might certainly be safer, but YesScript would probably be a less annoying transition. Either one of these extensions could be installed in Firefox and then give you control over blocking sites that use these messages from being able to run Javascript.
Conclusion
It is very interesting to find that many people assume this message is malicious even though in most cases it is implemented with the intent to be helpful. Whether it’s trying to prevent you from losing unsaved work or just keep you on an advertisement site a little longer, it should be safe to click Ok to continue on to your normal navigation. Of course, you can use extensions in Firefox to allow blocking Javascript and prevent yourself from having to see these screens.
Do you know of any IE security setting that can disable this?
You can go into Tools, Options and under the Security settings disable all Javascript. It’s unfortunately a blanket setting and can’t specifically disable this function.
Firefox gives you some more options thanks to the previously mentioned addons and Chrome has introduced some native features to make these type of alerts limited and less annoying.
can we be honest here please. Those of us who are getting these script messages are surfing porn sites and TGP’s . The only down side of adding the firefox add on is if you do you no longer can watch movies your surfing for
So what we need is to stop those messages and still be able to watch flash movies . Or is that asking the improbable and this is the price one pays ?
Not always the case but good news on this topic: Firefox and Chrome, in their recent versions, will allow you to check a box on the pop-up to not show any more pop-ups from this domain once it starts repeating. Therefore, no extras should be needed at that time.
These messages happen lots of times on spammy pop-ups and sometimes serve useful functions to prevent accidental closure of a tab/window.
Since Google spys on users why would I want to use Chrome?
Interesting comments all, but I see three remaining troubles that need shooting. (1) Yes, it is easy to design a fake dialog box with buttons that direct you to malware. I don’t see what “conditioning” has to do with it. That’s like blaming people who are “conditioned” to eat for injesting poisoned food. (2) I agree with the original premise that it’s ridiculous to block all pop-ups or hard-reboot your computer to sidestep dealing with this problem. (3) I am also sick of webprudes who seem to applaud viruses and malware as fit punishment — some kind literal “deux ex machina” — for people who seek adult material. (4) Comment: I also dislike “experts”, particularly those who work for a company whose product is creating the problem, who only address a trival or special-case aspect of the presented problem, or kick the can down the road pending “fixes” or “updates.”
Oh yes — sorry to go on, but please avoid posting Circular Unreasoning replies, which answer any problem about a normally helpful function becoming harmful when misused by saying that it’s true that the function may become harmful when misused but it is normally helpful. Wow! REALLY?? That — is NOT helpful. (Apologies for CAPS and “scarequotes,” I’m trying to be judicious. All the best to you all…
Most things designed to be helpful are malicious. I get this message when I click on a comment section on a webpage and then decide not to write anything. That’s my choice, and I’m tired of Firefox behaving like a Microsoft product and questioning my actions. It should shut up and obey.
“It is very interesting to find that many people assume this message is malicious…”
This is not an assumption on their part, it is a statement! After spending thousands on a computer, we expect that pressing the Back button, or going to a bookmark. or closing a tab, or closing the browser will DO AS WE INSTRUCTED. This dialog interrupts the commands we have given, making us, the owners and would-be controllers of these computers, jump through some hoop, instigated by some egomaniac web page creator, in to get our computers to do what we asked.
It’s unpleasant, unnecessary in the vast, vast majority of cases, and if it is not intentionally malicious, then it is at least terribly inconsiderate. Either way, in all but a tiny minority of cases, the users are suffering. We don’t assume we suffer, we express that we do!
And disabling JavaScript entirely, to defend against this one unreasonably intrusive feature, is just nuts! Use of client-side scripting continues to accelerate, especially with the advent of HTML5. Without it, good lucking using the ‘Web.
Sometimes the answer is just “No.” But if it’s causing people grief, let’s not be dismissive, but try to find a way to fix the underlying problem – in this case the mentality of browser creators who think web pages should be able to control our computers.
Thanks for your whole hard work on this website. Kim take interest in setting aside time for investigation and it’s easy to understand why. We hear all relating to the lively means you give both interesting and useful guides via the web blog and in addition recommend contribution from other individuals on that area and our favorite girl is always learning a whole lot. Enjoy the rest of the year. You’re conducting a good job.