404 Tech Support

Ask 404TS: What’s up with “Are you sure you want to navigate away from this page?” dialogs?

An interesting question has been posed on the 404 Tech Support forums asking about those pop-up dialogs you might receive every once in a while that start with “Are you sure you want to navigate away from this page?”. The question also asks, “Are there any dangers related to this? Will it install malware? Is there a way to block it automatically?” These are very good questions that we should all be pondering for security reasons. Let me share with you what my experience and research can tell you about these somewhat intrusive, but potentially very helpful, dialog boxes.

I encounter these messages daily for many legitimate reasons. Here are a few of those cases:

Understanding It

The source of this message is a JavaScript event handler, OnBeforeUnload (written in script as window.onbeforeunload). All it takes to show this message on a page is a script between the head tags of an HTML file that assigns a function to window.onbeforeunload (there are also other ways of applying the attribute to the elements of a webpage). The first line, the last line, and the operation of the OK and Cancel buttons are fixed; only the middle line can be customized. The overall message can appear differently in browsers besides Firefox:

The exact message states in Firefox:

Are you sure you want to navigate away from this page?

Any string value… (This line can change per site/page.)

Press OK to continue, or Cancel to stay on the current page.

Internet Explorer:

Google Chrome:

Safari:

Opera does not recognize the OnBeforeUnload event in Javascript and just allows navigation to continue without prompting.

The OK button allows the unload operation to continue while the Cancel button aborts it. These buttons are fixed by the function and by themselves couldn’t be used to deliver a malicious payload. If you went to a favorite or bookmark, closed the tab/window, or clicked a (safe) link, you can be fairly confident that clicking OK won’t put your computer at risk of any harm. However, that doesn’t mean that a dialog box couldn’t be crafted through other JavaScript means to look exactly like the normal dialog (probably with typos, though), with an OK button that redirects you to a malicious site, but this would have to be triggered manually instead of by the OnBeforeUnload event. A link that said ‘Close this window’ could possibly be configured to be a malware redirect through a pop-up like this, but if you are able to social-engineer people into clicking the link, it would just be easier to direct that click to a malicious site directly. You can learn more about the specifics of the OnBeforeUnload function from its MSDN article.

I took the example code used in that article and created a simple page with it so you can see it in action and view the source to see how simple it is. You can find it here: http://www.404techsupport.com/blog/script.html
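The legitimate “unsaved work” use of this handler can be sketched as follows. This is an added example, not the code from the MSDN article or from script.html; the names createUnsavedGuard and simulateUnload, and the stand-in window object, are assumptions made for illustration.

```javascript
// Added example: prompt on unload only while there is unsaved work.
// `win` is any object with an onbeforeunload slot; in a browser pass `window`.
function createUnsavedGuard(win, message) {
  let savedValue = '';     // last value known to be saved
  let currentValue = '';   // what the user has typed so far
  let submitting = false;  // true while the page is navigating on purpose

  function handler(event) {
    // Returning undefined lets navigation continue with no dialog.
    if (submitting || currentValue === savedValue) return undefined;
    // Some engines read the return value, others read event.returnValue.
    // Older browsers show `message` as the middle line; current ones
    // show their own generic text instead.
    if (event) event.returnValue = message;
    return message;
  }
  win.onbeforeunload = handler;

  return {
    edit(value) { currentValue = value; },
    markSaved() { savedValue = currentValue; },
    beginSubmit() { submitting = true; },
    remove() {
      // Only clear the slot if nobody replaced our handler.
      if (win.onbeforeunload === handler) win.onbeforeunload = null;
    },
  };
}

// Constructed stand-in for the browser firing the event on navigation.
function simulateUnload(win) {
  const event = {};
  const result = typeof win.onbeforeunload === 'function'
    ? win.onbeforeunload(event) : undefined;
  return result === undefined ? 'leave' : 'prompt: ' + result;
}

// Constructed demo: a plain object plays the role of `window`.
const demoWindow = { onbeforeunload: null };
const demoGuard = createUnsavedGuard(demoWindow, 'Your draft has not been saved.');
console.log(simulateUnload(demoWindow));   // nothing typed yet
demoGuard.edit('first draft');
console.log(simulateUnload(demoWindow));   // unsaved edit pending
demoGuard.markSaved();
console.log(simulateUnload(demoWindow));   // saved again
```

The handler only ever returns a string or nothing, which is why the dialog itself cannot carry a payload: the page supplies text, and the browser owns the buttons.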

Preventing It

Now that we understand where these windows are coming from and that they should be relatively safe, they can still be annoying. How can we prevent them from showing up? The only way to really filter out only this JavaScript function is to use Opera as your browser, since it does not support the event. In Firefox, preventing these messages works the same way as preventing any other JavaScript from executing, by using one of these add-ons:

NoScript – NoScript denies all Javascript unless you specifically white-list a website to allow it.

YesScript – YesScript allows all Javascript unless you specifically black-list a website to deny it.

The two philosophical approaches allow you to choose which extension matches your browsing style. NoScript might certainly be safer, but YesScript would probably be a less annoying transition. Either one of these extensions could be installed in Firefox and would then give you control over blocking sites that use these messages from being able to run JavaScript.

Conclusion

It is very interesting to find that many people assume this message is malicious even though in most cases it is implemented with the intent to be helpful. Whether it’s trying to prevent you from losing unsaved work or just keep you on an advertisement site a little longer, it should be safe to click OK to continue on to your normal navigation. Of course, you can use extensions in Firefox to block JavaScript and prevent yourself from having to see these screens.