40 comments

[ 3.6 ms ] story [ 88.3 ms ] thread
Brief but revealing discussion from a year ago: https://news.ycombinator.com/item?id=15935568.

It was courteous of tosh to submit the source. For those who dare, the link is https://theannoyingsite.com.

Just a warning: this will make your machine unusable by opening a bunch of pop-ups, download images, and playing annoying audio while flashing the screen.
Or will have no effect if you disable javascript by default as any sane person should do.
It's wonderful to see that humanity has so many different definitions of 'sane'. Heterogeneity is beautiful; it makes browsing the internet like walking through a tropical jungle.
It sounds like a SFW version of the old shock-sites like GNAA NIMP/LastMeasure, which would basically do the same but the content was far more NSFW.

(For... suitably small values of SFW?)

Interesting that this entire domain is blocked as malicious by my ad blocker.
It escapes from being malicious only because it is very explicit on what it does. But it's very likely that are malicious links to it that hide its destiny.

And it's entirely what ad-blockers should be out to block. So, yes, good thing that it's blocked.

what ad blocker do you use ?

It seems to be overreaching here as this is definitely not an ad.

By that definition, don't ad blockers overreach these days? (by blocking analytics scripts, etc. too)
It also seems to be on pi-hole’s list of blocked domains that it uses, as I don’t resolve DNS when I try to access it from behind my pi-hole.
Yeah my pi-hole blocked this one too and after reading the comments here I am glad :)
be afraid. if you must, use a distinct browser you can kill.
So... Like I just saw some JS and nothing happened? But I'm on mobile...
DO NOT CLICK OPEN THE REAL WEBSITE. Jeez, I just made that mistake. Omg, that was bad.

I can't perfectly describe what happens but I'll try — the page jumps around with a cat image, every time I try to kill it with cmd+w, it repawns into another small window. I think it remaps cmd+w to cmd+p, and just plays dubstep in the background. Oh, and at some point, a random cat headbanging cat appears, and the voices goes from saying "a-a-a-a-a-a-a-a-a" to "I can't see the inside of my mouth".

I think it also logged me out of gmail.

I had to kill Chrome. Don't open it in your main browser, use incognito mode, or the private browsing mode of a different browser so that you can kill the entire browser without losing HN access — because that's what you'll probably end up doing.

Edit: Oh, it seems to be easier to kill on Firefox. Also, it keeps asking for webcam and mic access, and to be set as the default application for bitcoin links?!!!

Edit: A way to get out without killing Chrome is: "press cmd+w" to get to the "print" screen. That seems to stop the windows from moving around. Then kill all the other windows first, and kill this "print" window last. You'll it say "please don't go" every time — but don't give in!

I somehow managed to escape without killing chrome, after I closed a dozen of the windows with a combination of cmd+w and clicking the close button. It definitely logged me out of my google and amazon accounts.

Edit: here's a talk by the author: https://www.youtube.com/watch?v=6pY9Bfwfj2A

Microsoft Edge had no trouble dealing with it. I let it rip, with the adblocker off to see if it would crash. Handled it all fine. Then I just told it to close all the additional windows it brought up.

Of course, it did log me out of everything.

I laughed so hard reading your comment then sources. A bit unfortunate (or not), on mobile it doesn’t seem to do anything interesting other than pollute my history with a bunch of entries.
As someone who browses the internet with JavaScript disabled by default, I've never felt more vindicated.
Fun aside, that means no browser has a popup rate limit in 2018?
(comment deleted)
I did the same as you of curiosity and was wondering what this site is even supposed to do.

I guess my disabling of javascript by default to avoid annoyances, improve performance and save battery rendered the annoying part useless.

Sometimes I wish mozilla had chosen to make firefox more like opera (the real opera, not the chrome based one) and not like chrome with the quick disable/enable script setting instead of removing the possibility to disable javascript altogether. Actually I wish opera was still around to not have to deal with mozilla nonsense by resorting to using a different build (waterfox) to mitigate most of it.

Yeah I hate that they burried the option to disable JS and even worse to disable JS moving and resizing a window around the screen. At least make those things the end-user is asked for permission to allow.
For those who haven't seen it: https://www.technorms.com/assets/sshot-624.png

I hate the dumbing-down of browser configuration (and UIs in general) too, but given the actual people who make the decisions on what browsers do, it's not surprising --- turning the userbase into obedient ad-clicking dummies (and preventing them from learning about e.g. the world of disabled JS) is the best way to monetise them, after all.

I think they can dumb it down if they want.... BUT have an 'advanced' button for people who know what they're doing. I wonder how simple of a plugin it could be to make a 'Firefox Config Plus' if one doesn't already exist...
Thanks now I'll be all depressed missing old opera again for two weeks.
Yeah, my downloads are FULL of cat images.
This is interesting

  /**
   * Sites that link to theannoyingsite.com may specify `target='_blank'` to open the
   * link in a new window. For example, Messenger.com from Facebook does this.
   * However, that means that `window.opener` will be set, which allows us to redirect
   * that window. YES, WE CAN REDIRECT THE SITE THAT LINKED TO US.
   * Learn more here: https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/
   */
  function attemptToTakeoverReferrerWindow () {
    if (isParentWindow && window.opener && !isParentSameOrigin()) {
      window.opener.location = `${window.location.origin}/?child=true`
    }
  }
I checked in Chromium 70 and this only seems to work on the same origin - attempting to access `window.opener` cross-origin results in

  Uncaught DOMException: Blocked a frame with origin "https://example.com" from accessing a cross-origin frame
The article linked in the code [0] and the MDN page for window.opener [1] mention the use of `rel="noopener"` to prevent `window.opener` from being set, but that it's not supported in all browsers - particularly Firefox, which needs `noreferrer`. I am sure CORS headers also play a role in protecting from this. OWASP calls this technique 'reverse tabnabbing' [2].

There's a demo [3] of the effect - you can manually inspect the first link and change the href to [4] and then click the link to test how cross origin requests work.

[0] https://www.jitbit.com/alexblog/256-targetblank---the-most-u...

[1] https://developer.mozilla.org/en-US/docs/Web/API/Window/open...

[2] https://www.owasp.org/index.php/Reverse_Tabnabbing

[3] https://rawgit.com/waltertamboer/experiment-html-js-window-o...

[4] https://gitcdn.link/cdn/waltertamboer/experiment-html-js-win...

I control w'ed twice and got out of it. Maybe I have chrome dialed up to the max?
> 'YouTube': ['POST', 'https://www.youtube.com', {'action_logout': '1'}]

Didn't knew it was post possible to `js` fire a post on a third party website.

So my understanding is that they just had to find a Google site capable of logout and has a weak CORS setting? Am I getting that right? Usually you would just configure, "no, don't accept VERBs from other origins."

I'd love to know why YouTube needs to allow logout from other origins.

Disappointed that I wasn't logged out of Hacker News when visiting the site... Where is the love Annoying Site?
Extensively commented source code. I rarely see JavaScript like this.
maybe it targets chrome users. In firefox it was mildly annoying but very easy to kill. I did get logged out from youtube, but no big deal