Window.close and Explorer 7 problem!

[Dr J R Stockton]

In comp.lang.javascript message <[email protected]>,

That's true. The problem is you feel a need to try to remove my
toolbars without my consent.

The default assumption in this newsgroup is that questions relate to WWW
pages, primarily written for outsiders to use.

But it is rude to presume that an assumption is necessarily correct.

Some pages are Intranet pages where control of usage may be appropriate.

Some pages, while WWW-accessible, are intended only for usage by a
closed group.

And at least one page has been written entirely to suit the author's
convenience, but put on the Web so that others may copy and adapt it.

It's a good idea to read the newsgroup and its old FAQ. See below.

 

[Randy Webb]

Dr J R Stockton said the following on 11/22/2006 9:44 AM:

In comp.lang.javascript message <[email protected]>,


The default assumption in this newsgroup is that questions relate to WWW
pages, primarily written for outsiders to use.

And nobody said any different.

But it is rude to presume that an assumption is necessarily correct.

And to say my assumption is incorrect is rude as well.

Some pages are Intranet pages where control of usage may be appropriate.

Which is irrelevant to the question.

Some pages, while WWW-accessible, are intended only for usage by a
closed group.

Which is irrelevant to the question.

And at least one page has been written entirely to suit the author's
convenience, but put on the Web so that others may copy and adapt it.

Which is irrelevant to the question.

 

[Andrew Poulos]

Andrew Poulos wrote:
Randy Webb wrote:

Again I don't follow. How can a script that closes a window be
malicious?

Any script of any sort from anyone other than me that buggers about
with my windows and my programmes and my running software is *by
definition* malicious because it is doing things I did not ask it to do.

[snip]
I believe there are lots of real-life situations where scripts
manipulating (even closing) windows are not only acceptable but
desirable. If you cannot provide an example where a script closing a
window causes something malicious to happen then so be it.

There are *no* situations where anyone other than me has any right to
do *anything* I did not authorise. I challenge you to provide even
one. I can certainly provide many where it is malicious since the very
definition of something doing an unauthorised thing to my PC is that
it is malicious.

Do you mean that if something behaves outside the relative narrow range
of what you believe you ought to have total control over then that
constitutes something necessarily evil in intent? [So if closing windows
was outside your range then, by magic, it would no longer be malicious.]

As for your challenge how do you discount the posters that regularly ask
in this newsgroup about closing a window with script? Do you believe
that none of them could possibly have a valid real-life situation?


Andrew Poulos

 

[Andrew Poulos]

Dr J R Stockton said the following on 11/22/2006 9:44 AM:

And nobody said any different.


And to say my assumption is incorrect is rude as well.

He didn't say your assumption was incorrect but that your automatic
presumption of correctness might be.

Which is irrelevant to the question.

No it's not. Are you saying that every page in the world should behave
the way you think it should even though you are not part of the intended
audience and nor will you even ever be in a position to view the page?

Which is irrelevant to the question.

No it's not. Are you saying that every page in the world should behave
the way you think it should even though you are not part of the intended
audience?

Which is irrelevant to the question.

No it's not. Are you saying that every page in the world should behave
the way you think it should even though you are not part of the intended
audience?

To go sideways a bit, popup blockers are considered good but when you
get your 100th phone call in a week where a user can't access the
e-learning course they are required to do because they don't realise
that the popup blocker is preventing the LMS from launching the course
then your opinion of popup blockers gets tempered a bit.

Andrew Poulos

 

[The Magpie]

Do you mean that if something behaves outside the relative narrow range
of what you believe you ought to have total control over then that
constitutes something necessarily evil in intent? [So if closing windows
was outside your range then, by magic, it would no longer be malicious.]

I mean - and I presumed that I had made it perfectly clear - that the
PC is mine, the software it runs is mine and the effects of that
software are either within the bounds of what I have agreed for it to
do or - by definition - they are not appropriate. Should such software
in any circumstance interfere with what *is* appropriate to my needs
then it is by definition malicious.

As for your challenge how do you discount the posters that regularly ask
in this newsgroup about closing a window with script? Do you believe
that none of them could possibly have a valid real-life situation?

When people *open* a window in their code, then their code is
*expected* to close them again when the window is finished. That is
quite different from your request.

 

[Andrew Poulos]

Do you mean that if something behaves outside the relative narrow range
of what you believe you ought to have total control over then that
constitutes something necessarily evil in intent? [So if closing windows
was outside your range then, by magic, it would no longer be malicious.]

I mean - and I presumed that I had made it perfectly clear - that the

Are you arguing just for the sake of it?

PC is mine, the software it runs is mine and the effects of that

My guess is that you don't actually own any software. You most likely
have a license to use it - that's all.

software are either within the bounds of what I have agreed for it to
do or - by definition - they are not appropriate. Should such software

So when did MS, MZ or any other browser vendor ask you for permission to
add/remove any software feature whatsoever?

in any circumstance interfere with what *is* appropriate to my needs

So you would also consider any bugs you encountered malicious?

then it is by definition malicious.

Malicious means to be characterised by malice. And malice means that
someone must have the desire to cause injury or a desire to act
wickedly. Closing a window with a script generally is neither and, in
fact, is often desirable (if it a required part of a software spec.)

Just because you don't like something doesn't automatically make it
malicious.

When people *open* a window in their code, then their code is
*expected* to close them again when the window is finished. That is
quite different from your request.

Do you believe that no one could possibly ever have a valid real-life
situation?

Andrew Poulos

 

[Richard Cornford]

"I closed the browser and it lost my data. How dare it.
I didn't tell it to lose my data. I choose to close the
browser window but the browser lost my data anyway."

What relevance is that?

My copy of Word prompts me to save unsaved data why
doesn't a browser behave itself.

Are you saying that a browser should unconditionally prompt the user for
confirmation whenever a script attempts to close a window that was not
opened with a script?

Just because you disagree doesn't mean that you represent
a consensus opinion.

Consensus is not relevant when the question is whether or not to take
action that will directly result in the property of others.

Yes, if those plants were in your house and were poisonous
and you had a young child who was close to learn to walk.

Using herbicides inside a building where small children reside is a
guaranteed way of having to deal with a mother in a state somewhere
between extreme anger and hysteria (a situation where any attempt to
present a justification for that action can only make the situation
worse).

However, can a case be presented which would paint the user's recent
browsing history as in any way hazardous or harmful to that user?

Since when is a google search generally considered a URL?

A page of search results are certainly an item that a user may desire to
return to using their back button. You were the one who proposed using
bookmaking as an alternative mechanism for the back button (and so
making the act of destroying the user's recent browsing history
justified (in some sense). Search results can be bookmarker, but most
would not want to keep them around for longer than one browser session.

To show me that it was evil.

Do I take it that you do not see it as wrong to destroy other people's
property, or that it is no justification to assert that you would have
no purpose for property if it was yours.

Anyhow, I didn't think you could give an
example of an evil use of a script closing a window.

If you don't see destroying the property of other's as morally suspect
then you may never perceive an issue following from any scripted action.

In the same manner just because you think of windows closed
by scripts as being evil doesn't mean everyone should.

I did not say it was evil (and I was not asked to, as you asked for an
example of something that was "malicious" not evil). I happen to think
that it is wrong to destroy other people's property, and I to live in a
country where that position is broadly inline with criminal law
(suggesting that is it a position that is seen as appropriate by
society).

The only data anyone has mentioned is *temporary* data which,
if you don't make a record of, will always be lost when the
browser closes.

The eventual fate of that data is not relevant. The act of destroying it
prevents it from being used in the period between when it is destroyed
and when the user closing their browser would destroy it. That is
precisely the period when the user would use it.

Yes, it could well be an annoyance but certainly not evil.

It may not be evil (it certainly is not comparable to genocide) but
knowingly destroying other people's property without any regard for
their wishes, or the use they may have for that property (or what value
they may place in it), is pretty much definitively malicious.

Richard.

 

[Andrew Poulos]

Richard Cornford wrote:

It may not be evil (it certainly is not comparable to genocide) but
knowingly destroying other people's property without any regard for
their wishes, or the use they may have for that property (or what value
they may place in it), is pretty much definitively malicious.

If I put a *big* button in a window with the improbable label

"Click me to close this window. Note that when the window closes you
will lose any and all temporary browser history. Please refer to this
browser's help file, or google for it, to find out more about temporary
browser history before you click this button."

and when clicked it called a script that actually caused the window to
close then all of a sudden the user knows what is going to happen and
all your arguments against scripts closing windows (emotive, irrelevant
and otherwise) are now moot.


Andrew Poulos

PS. water at a higher temperature than, I believe, 104 degrees
Fahrenheit (40 degrees Celsius) can be used as a herbicide.

 

[Richard Cornford]

If I put a *big* button in a window with the improbable label

"Click me to close this window. Note that when the window closes
you will lose any and all temporary browser history. Please refer
to this browser's help file, or google for it, to find out more
about temporary browser history before you click this button."

and when clicked it called a script that actually caused the
window to close then all of a sudden the user knows what is
going to happen and all your arguments against scripts closing
windows (emotive, irrelevant and otherwise) are now moot.

Yes, if the user makes an informed decision to close their browser
window then they have all the responsibility for the consequences.

But the user always has the ability to close the browser whenever they
want (and will be familiar enough with their computer's OS to find and
operate the mechanisms provided) so providing scripted button for the
task is pointless. Allowing a script to close a window only as a direct
result of a user action and otherwise preventing scripts from doing it
maliciously is effort to no purpose. Once the window has a close button
(and can be shut down in numerous other ways) it is easier just to stop
scripts from closing windows that they did not open and leave it at
that.

Richard.

 

[Andrew Poulos]

Yes, if the user makes an informed decision to close their browser
window then they have all the responsibility for the consequences.

But the user always has the ability to close the browser whenever they
want (and will be familiar enough with their computer's OS to find and
operate the mechanisms provided) so providing scripted button for the
task is pointless. Allowing a script to close a window only as a direct
result of a user action and otherwise preventing scripts from doing it
maliciously is effort to no purpose. Once the window has a close button
(and can be shut down in numerous other ways) it is easier just to stop
scripts from closing windows that they did not open and leave it at
that.

A. A script is used to open a new window and the user navigates to other
pages. Then a script closes the window and destroys the user's property.

B. A user closes a window using, say, the x button on the title bar and
they get their property destroyed.

C. A script closes a window it didn't open and the user gets their
property destroyed.

Why is only one considered malicious when all three destroy the user's
property without warning?

Andrew Poulos

 

[VK]

If I put a *big* button in a window with the improbable label
"Click me to close this window. Note that when the window closes you
will lose any and all temporary browser history. Please refer to this
browser's help file, or google for it, to find out more about temporary
browser history before you click this button."

So do you propose to build into UA's an algorithm for searching this
button and if presented then OK on closing? That is an age-old
problem of good intentions and bad intentions and the fact that
JavaScript engine is not God to read them out of your mind. The modern
Web is a "society" acting on the *presumption of guiltiness* - as
opposed to the presumption of innocence anyone used to. This way any
web page is considered as a criminal seeking for any opportunity to rib
off and kill anyone coming close enough. It is the web page duty to
prove that it's not a criminal but a good member of the society (server
certificate, code signing, trusted sites list). Until then anyone is
presumed to be criminal maniac and ok to shoot w/o alert. It is sad but
it is exactly in the way people themselves make it to be over the last
12 years.

In application to "closing window w/o prompt even if you did not open
it": there is not *immediate* security exploits out of it. But regular
users got deadly tired of mf'ers forcing them to stay on the current
page or to close the window. It is an inextinguishable cockroach specie
living in the Internet: out of the first basic knowledge of JavaScript
they try to produce a page locking the visitor on it. First appeared
somewhere back in 1997 they are keep mutating and reproducing.
Thousands and thousands of them are going away each month but thousands
of new coming right away. No insecticides are helping for a long run as
they adapt very quickly. So yes (with your analogy of boiling water as
pesticide) sometimes the house is so infected that the only way is to
burn it out. (where the "house" is in reference to scripted window
closing, not to the Internet

And I don't take too close scream crying of a kind "our Big Corporate
International Solution just got nuked because of it". There are
certificate authorities, HTA, remote administration packs and hell of
other things: so the nuke state (if it is) suggests that everything was
back-a** made on the first place so now it is a great time to re-make
it descently. I'm too long in this business to buy things on pity of
crying

 

[Randy Webb]

Andrew Poulos said the following on 11/26/2006 5:01 PM:

A. A script is used to open a new window and the user navigates to other
pages. Then a script closes the window and destroys the user's property.

B. A user closes a window using, say, the x button on the title bar and
they get their property destroyed.

C. A script closes a window it didn't open and the user gets their
property destroyed.

Why is only one considered malicious when all three destroy the user's
property without warning?

A and C are both malicious. B is not because it is user initiated. Your
same line of reasoning can be applied to popups. Why are some ok and
some are not?

 

[The Magpie]

Are you arguing just for the sake of it?

Far from it. I made a point and it was questioned so I answered the
question raised. Simple.

My guess is that you don't actually own any software. You most likely
have a license to use it - that's all.

Your guess is wrong for many reasons.

So when did MS, MZ or any other browser vendor ask you for permission to
add/remove any software feature whatsoever?

If features of the product are removed from future versions then that
is their issue. If they are removed from existing and running versions
on my PC without my consent then not only is that malicious but it is,
in fact, a criminal offence.

So you would also consider any bugs you encountered malicious?

No, and I made it perfectly clear that that was not what I said at
all. I said - and repeat - that if one piece of software interferes
with another that I choose to run then that interference is malicious.

Malicious means to be characterised by malice. [snip]

While correct in etymological terms, in legal terms that is not the
case (malicious: Law. vicious, wanton, or mischievous in motivation or
purpose). In the case of the proposed scrip, it is mischievous at best.

Closing a window with a script generally is neither and, in
fact, is often desirable (if it a required part of a software spec.)
Just because you don't like something doesn't automatically make it
malicious.

If it closes part of *its_own* software, then as I already stated I
would agree. However, that is quite clearly *not* the intent of the
original question at all.

Do you believe that no one could possibly ever have a valid real-life
situation?

Yes, I do.

The only valid real-life application can be one which is explicitly
intended as a primary part of its function to close windows from other
software. Such applications do exist as part of system security
packages but there are no other legitimate reasons to bugger about
with my running software.

 

[Andrew Poulos]

Yes, I do.

The only valid real-life application can be one which is

Contradicting yourself again?

Andrew Poulos

 

[The Magpie]

Contradicting yourself again?

No, Andrew, and I have not contradicted myself at all. I clearly said
if you note (and had quoted the entire sentence) that it would be
valid *only* if I had chosen the software with the *specific* intent
that it could close other windows.

Which - of course - is not what you want. Hence your request is and
remains malicious.

 

[Andrew Poulos]

No, Andrew, and I have not contradicted myself at all. I clearly said
if you note (and had quoted the entire sentence) that it would be
valid *only* if I had chosen the software with the *specific* intent
that it could close other windows.

Hmm, let's see. I asked about the possibility of a valid real-life
situation. You replied "no" and then proceeded to provide one (which
makes it a "yes"). You now claim that this is not self contradictory.
You win, I give up!

Andrew Poulos

 

[The Magpie]

Hmm, let's see. I asked about the possibility of a valid real-life
situation. You replied "no" and then proceeded to provide one (which
makes it a "yes"). You now claim that this is not self contradictory.
You win, I give up!

Oh, for goodness sake, Andrew! You asked for a valid situation in
which a script should close other application windows *without*
explicit permission. I gave you the *only* valid example as being one
where it is *explicitly* given permission. Surely you can see the
difference between the two!