Ask HN: Why do browsers still support pop up dialogs and other bad behavior?
There are still malware and advertising sites out there that allow browsers to use modal dialogs (ie, you can't interact with the page without answering the dialog). You can't even close the tab without getting rid of the dialog. There are also sites that will kill your page history by going through a bunch of redirects to prevent you from leaving with the back button. Why are these kinds of things allowed and supported by web browsers? Why do they even need the ability to have a pop up dialog with modern web sites being what they are?
83 comments
[ 5.1 ms ] story [ 168 ms ] threadIt might not amount to good UX practices but it's not malware or a dark pattern either.
Besides, if at all possible most browser vendors try to be backward compatible. There are many applications out there that make ample use of pop-up dialogues. There's no need to break those just because they don't provide a stellar UX.
Sorry, I disagree with you. On a typical non-web application, a modal dialog doesn't prevent me from accessing other applications. It doesn't prevent me from forcefully killing crapware either. The idea that web applications should be able to break user expected control at the browser level is silly.
Browsers have Back, Forward, Refresh, Stop buttons, Tabs, cookie prefs, DNT prefs etc. Anything contained in a browser should respect these things. Browser devs should enforce this as browsers become more and more like their own operating systems.
This is a technical problem, your user should not have to bother about thinking if can reload the page of not, he/she should be able to murder the shit of the F5 boutons if he/she wants to.
While I executed my QED here deliberately, I've left more than a few duplicate comments on laggy connections and/or bogged-down browser sessions.
Other elements of HN's design and workflow make detecting this difficult. Rather than returning the user to the comment they'd just posted, or its parent, you're returned to the discussion root.
Catching typos, incorrect tags (I keep having to remember that _this_ doesn't emphasise content), etc., would be far easier if the renderd comment was presented.
Solving this as a browser / HTML built-in would be most ideal.
HTML though isn't stateful. By design.
Hitting the back button then does not lead to that request being sent.
I feel this is an issue where the heavy lifting should be done by website and browser devs, instead of breaking something the user expects.
They've also been restyled to make it obvious they're a prompt from the website not from safari itself.
Also, there are legitimate uses for this functionality, so as with many things I think the solution is not to remove the functionality, just improve the implementation.
Firefox does this too.
The worst things a browser can do come from javascript, so having a whitelist is useful. Remove anyone from your whitelist that is engaging in behavior you disapprove of.
I don't let facebook run scripts on my machines because I disagree with their philosophy of selling user data to the highest bidder, and tracking everything users do. That's too intrusive so I simply disallow them access.
No site that calls in too many javascript packages is given any privs on my computer.
If you want websites to be able to be dynamic at all, then they can use that power to be annoying. Two sides of the same coin.
(the history thing seems like it might be more addressable)
Our web app autosaves so the dialog box should never appear, but our metrics show that it appears surprisingly often -- sometimes it can take a few seconds for changes to flush through the websocket, and for the save to get acknowledged.
If you took that away, our users would lose changes. I imagine they would get pretty irate.
Yes, that's a lot of msgboxes, but it's a decent compromise I think. It's not like that would happen very often anyway.
It's 2016 and Microsoft is incapable of creating a reliable cross-site login system. Instead, we still have the disastrous mess that is live.com. Minimum 2 redirects - at least 1 of which is Javascript (seriously?) - to handle a simple login. And when your cookies go a bit wonky, you won't even be able to browser the MSDN site to look up technical details. You have to manually clear your cookies. Again.
Input your email / password -> select if you want to use your personal or business profile -> enter your login info again (because, reasons) -> go through two redirects.
I think they fixed it about a month ago. I have my Comcast email forwarded to a real account on a domain I own so I never have to use their insane email system again, but I still have to log in to pay my bill. It's down to one login session now, but it's still a nightmare of a site to navigate.
Might it be some attempt to disspel censorship, such as the scenario you're describing?
On a slightly related note, I really hate that we Internet Citizens are convicted to using plaintext server name indication.
https://en.wikipedia.org/wiki/OAuth
This infuriates me. It also really screws with people who can't touch type, and thus don't realize it's happened until they look up after entering their password only to realize the page changed and their text was lost.
I presume what's going on is the site realizes the login won't work and redirects you to the domain where it will, but it's just terrible design all around.
Not that there aren't ways to fix this, but in general "remove the offending API" rarely works on the Web. You need a more subtle approach.
Modern browsers are capable of running separate JS contexts, but doing so breaks backwards compatibility in a corner case: if you have the same domain open in two tabs, an alert() on one should block processing in the other. Otherwise, interacting with the other could change shared JS state while the code assumed it was blocked.
Concerns about this led to many discussions about designs where you would need to mark all tabs that were grouped together into blocks waiting for the modal to close, which are very difficult for users to understand. (I never quite understood why this hypothetical race was such a worry but people who knew more about web compat than me said that it was actually important, that sites relied upon this.)
It wouldn't make a lot of sense in practicality, but would be interesting to use alert() to block js execution, or even some of these olders legacy feature sets.
They share cookies, sure, but that's a very different thing that JS interpreter state.
But I've never heard anything about an alert in one tab blocking the JS interpreter of another tab on the same site, as that would certainly break the principle of least astonishment. Where is that behavior documented?
http://donhopkins.com/home/tab1.html
http://donhopkins.com/home/tab2.html
Chrome puts the alert in a separate window that stays on the screen when you switch tabs, and it queues the button press in the blocked tab until after you dismiss the alert from the other tab. Also, ctrl-tab doesn't switch tabs while an alert dialog is up, which sucks.
But Safari and Firefox don't block execution (which is how I expected it to behave), and they show the alert in a sub-window of the tab that's hidden when you switch tabs (which is what I greatly prefer, rather than having a loose alert window floating around with no way to tell which tab it's associated with and freezing).
Is there a spec that explicitly says browsers are actually supposed to block execution of JavaScript in tabs of the same domain, and are 2 out of 3 browsers I just tested breaking that spec?
How does it work on other browsers and other platforms?
Apparently Chrome considers sub-domains to also block JavaScript execution:
http://www.donhopkins.com/home/tab1.html
http://www.donhopkins.com/home/tab2.html
I am astonished by Chrome! I don't like those loose blocking alert dialog windows and disabled tabs at all. If I'd noticed that behavior in the wild, I would have reported it as a terribly unfortunate bug.
On Windows Chrome, your demo pages block the entire browser, including other windows. Windows Chrome has had the most attention paid to "old" web compat.
When we were making Linux/Mac Chrome I remember a point where we were looking at porting the cross-process lock functionality and similarly wondering "what site could ever need this". I remember punting the bug to implement this for quite a while; I'm not certain it ever got fixed.
If you wanna have your mind blown along these sorts of crazy web behaviors, you should look up the semantics of the "showModalDialog" browser API, and also the many people who were upset about Chrome's recent removal of it.
This is comically terrible:
https://msdn.microsoft.com/en-us/library/ms536759(v=vs.85).a...
>Neither modal nor modeless HTML dialog boxes support text selection or the standard shortcut menu for copy operations; however, you can imitate this functionality by using script with TextRange objects and event handlers for onmousedown and onmousemove, ...
So why don't we make the tradeoff and break these corner case websites in order to fix a far worse problem? Backwards compatibility > * is too high of a standard.
Mode 1: Render static content; allow unobtrusive JavaScript operations (perhaps capped by total operations or CPU usage).
Mode 2: Run unlimited JS operations, allow alert() and window.onbeforeunload events handers.
The second mode could be called "Application Mode" and could be turned on selectively per site.
This would allow you to give gmail.com whatever resources it needed. But clickbait-headline-slideshows.com could not, unless you explicitly allowed it.
This has gotten a little more difficult since chrome changed the UI around these settings though.
1. Reading/commenting mode. 2. Applications 3. Commerce. 4. A/V media.
The're four distinct use cases, with four distinct client requirements (and/or isolation requirements).
uMatrix buys you some of the JS isolation you're looking for.
https://www.reddit.com/r/dredmorbius/comments/256lxu/tabbed_...
I wrote up a similar proposal a few months ago, didn't get much love: http://www.eggplant.pro/blog/proposal-safeweb/
I don't see how any of the "excuses" in other people's comments would preclude something like that allowing people to easily escape an evil site like you describe.
Modal dialogue boxes are for lazy programming not for UI. Almost nothing in real life is modal. Don't break a user's flow! We just built a full application platform (i.e. dev kit, apps, application environment, etc.) and nothing is model, not one thing. Errors are added to a notification list that a user can look at at any time. Data merge conflicts are resolved via automatic default branching that the user can override later. Data is copy on write, and versions are retained. Login is handled with PKI.
Modal is forbidden on our platform period. If an app breaks this some how and finds a way to hack a modal event, we will treat this as a DOS attack and remove the app and ban the developer. We believe the user is the final authority, not the programmer, or the platform.
(obviously this is a bit of a pet peeve for me)
I like the cut of your jib!
I wholeheartedly agree: modal dialogs are demon spawn. A throwback to the single-threaded Mac that freezes the entire operating system even while you have a menu popped up.
A full-screen, in page overlay, in red, with a clear, black-on-white dialog stating what you were about to do and requesting confirmation.
It's obvious. It's user-centric. It doesn't affect other browser tabs. And they don't abuse it for other functions (nags, etc.).
In fact, I cannot name a single one. Open/save file dialogue? Emacs minibuffers are light years ahead of the current Windows crap.
Asking for credentials? Same thing, only grey out the controls that directly depend on credentials and use something like emacs minibuffer for entry, not a new window on top of the rest of the form.
And, while I'm still on it - don't EVER grey out anything without an explanation. I want to be able to hover over a greyed out control and see a detailed explanation immediately. Not doing this is rude.
If a UI designer cannot build a seamless handling of all the exceptional cases into a flow, he'd better move on to a simpler job (I don't know - programming, sweeping streets, packing groceries, whatever) and let the professionals do the work instead.
Also, most (if not all) frameworks implement modal dialogues in a very ugly way. For example, in Visual Studio it is a very often case when you may want to copy and paste something from some other editor window into a modal dialogue. But you cannot - it's all locked! Such things are extremely annoying and totally unacceptable.
At the end of the day, I think it is not that easy to say, what is a "bad behavior". Somebody can consider showing advertisment as a bad behavior. In many cases you can communicate with authors of a website and tell them your opinions, or stop wisiting that website (which is also a form of communication, authors will know that something is wrong when they lose visitors).