by adrian_b 27 days ago
For me the fact that dickovers are possible is a bug in all JavaScript interpreters.

In my opinion, any decent browser should make impossible both dickovers and also other related hostile actions, like the possibility for a Web page to modify the right-click menu or to prevent text selection.

Unfortunately, completely disabling scripts is rarely a solution, because many sites do not work at all. But the kind of actions mentioned above never serve a useful purpose for the user, so they should be ineffective and there should be no way for the hostile site to determine whether they work or not.

Modal windows may sometimes be useful in applications that are controlled by myself, but it should always be possible to override them in externally-controlled applications, like when browsing Internet sites.

2 comments

CSS is what allows dickovers to work, not JS, and pure-CSS dickovers are possible [0] :P

[0]: https://hunzaboy.github.io/Light-Modal

Genuine question, what is it that the JS implementation or DOM or anything in the browser can do to permit desired modal popover content like dropdown menus and tooltips and floating nav bars while somehow preventing dickovers?

Like I have said, in a browser there should not exist truly modal windows.

The cases when modal windows are used abusively are far more numerous than the cases when they are useful.

Perhaps there should be a way to warn the user when moving the focus from a window that is supposed to be modal, but if the user insists it should be possible to disregard that a window is intended to be modal.

Also, it should be possible for the user to move any window as desired. It should not have been possible for windows to move on their own and to prevent the user from moving them. A script should also not be able to move the mouse cursor or any other kind of cursor.

A browser must always treat a script as potentially hostile, so all these facilities that can be used by a script to mess with the browser GUI should never have existed.