On 2014-01-07 6:39 AM, matteosistise...@gmail.com wrote:
> On https://bugzilla.mozilla.org/show_bug.cgi?id=641509 in the
> comments I can't see any valid argument that backs up the decision to
> not fix the issue. At least none that would stand to the objection
> which I posted as a comment:
>
> Having a standard message always displayed is ok, but what's the
> reasoning behind not allowing to _add_ a custom text?!?!?!?

[Note to list: I think this is an honest question which deserves a straight answer, and although I suspect the answer I'm about to give is somewhere in Bugzilla, I can't blame the poster for overlooking it in a giant bug thread full of shouting.]

I am not the person who made this decision, but I agree with it, and this is why. If we allow the page to customize the onbeforeunload confirmation box _at all_, a malicious page can - just with clever wording - confuse the user into misunderstanding the standard message. The standard message we have right now is pretty hard to misunderstand, but we have actually seen things like "IF YOU PRESS "LEAVE PAGE" YOUR COMPUTER WILL CRASH!!!!one!" in the wild, and we have support tickets saying people were actually scared by that sort of thing.

It's also conceivable that a malicious page could use Unicode trickery to render the standard message unreadable; we *might* be able to prevent that, but we would never be sure we had gotten every single way.

zw
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
