[whatwg] Can we deprecate alert(), confirm(), prompt() ?

Ian Hickson ian at hixie.ch
Fri Jun 8 10:18:40 PDT 2012


On Mon, 5 Mar 2012, Biju wrote:
>
> Today I again landed on a malicious site which traps users using 
> alert/confirm to download some application.

On Mon, 5 Mar 2012, Rick Waldron wrote:
>
> All three of these are considered highly effective tools in mobile web 
> development - they offer functional "UI" for free.

On Tue, 6 Mar 2012, Biju wrote:
> 
> Along with window.open(), malicious sites also love those features. To 
> make browsing safe (especially for kids, non-techies) we need to ban 
> alert/confirm/prompt.
> 
> And we should have an alternative to window.open()
> maybe a CONTROL attribute for <IFRAME> tag.
> 
> i.e.,
> 
> <IFRAME src="http://google.com" CONTROL> </IFRAME>
> 
> will create a draggable/movable IFRAME with title bar, a pop-up button. 
> If user clicks on pop-up button it pops out of the webpage.

I don't think there's any reason to believe that malware authors would be 
any less able to use that kind of UI than alert().

Historically, the problem with alert() and friends is that they are 
implemented in a bit of a blunt manner. However, this has been improving. 
Browsers offer to abort the script, browsers keep them modal to less than 
the entire browser, browsers detect abuse patterns like multiple alerts in 
a row, etc.

Practically speaking, we can't stop supporting them. Lots of the Web relies 
on them. So there's no point deprecating them, it wouldn't change 
anything.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

