And because the dialogs are app-modal, they commonly (and unfortunately) are used to harm our users.
I didn’t quite get this part. I followed the link and read the post, but how is this different than any other in-browser scam using an animated gif? Does the effectiveness of the scam really rely on the modal dialog, and not simply imitating native controls? There’s crap like this targeting Windows users as well, which is easily detected because it’s painting a fake WinXP border around the scam.
Anyway, they don’t mention Firefox, but I think Firefox made these dialogs per tab almost ten years ago? That used to be a major issue. Some site would pop an alert, and you couldn’t switch tabs or do anything. But now the alerts are drawn by Firefox “inside” the native window.
Pretty please, can this be the policy?
Stop script and killing the tab has been my solution on top of NoScript. It would be nice if there was a command in browsers to do that immediately that (a) was always received by the browser regardless of what JS is trying to do (trusted path) and (b) kills whatever JS activity has focus & its source tab. Then, we just train users to hit that keypress if something locks up their browser. If that doesn’t work, terminate the browser itself.
I’m sure the cat and mouse game will produce evasion tricks but what’s the overall problem with this solution? And is it already in a browser somewhere? I run into the problem so rarely with NoScript that I haven’t dug into any documentation looking for it.