Tag Archives: Javascript

Overriding Firefox’s Window.Alert – Part 3

Wow. I think I got it. I’ve got a Firefox plugin that can suppress all alert() dialogs on a page if the user checks a “suppress” box on the second alert() dialog.

The trick, was not to rely on the DOMContentLoaded event to fire to do the override. Instead, I used the DOMWillOpenModalDialog to detect the first alert(). After detection, I overrode with an alertCheck which asked the user whether or not to “suppress more dialogs”. If the user answers in the affirmative, alert() is simply overwritten with an empty function.

Piece of cake.

A couple of issues though…

Security

In order to override the alert() function, I have to write to document.getElementById(‘content’).contentWindow.wrappedJSObject.alert.

Remember how I mentioned the distance between the Extension JavaScript, and the inline content JavaScript? I said it felt like a security layer.

I was totally right.

Check this out. I’ll quote:

You should be aware of XPCNativeWrappers when working with untrusted content. With XPCNativeWrappers turned on (which is the default in Firefox 1.5+), your extension can safely access the DOM of the content document, but not the content JavaScript. Bypassing XPCNativeWrapper to work with content JavaScript directly can lead to security problems.

Hrmph. So I seem to be violating some security rules here. So maybe my approach isn’t the greatest idea. “Mook” from irc.mozilla.net #extdev suggested looking into commonDialog.xul…but I can’t seem to wrap my head around that just yet.

Imperfections

Not sure why yet, but while I can suppress dialog floods like this:

for (i = 0; i < 10; ++i) {
  alert(i);
}

It seems to fail on this:

for (i = 0; i < 10; ++i) {
  alert(i);
  confirm(i);
}

For some reason, regardless of whether or not I choose to suppress the dialogs, they just keep coming. It works fine when I swap out the confirm() for a second alert(). Not exactly sure why. Yet.

Ok, so I’m going to clean the code up, and post it soon. I’ll also post a link to a real, brutally annoying website where you can test the alertCheck extension. Just give me a bit.

Overriding Firefox’s Window.Alert – Part 1

Window.alert is a native function built into Firefox – but that doesn’t mean it can’t be overridden.

Check this out:

Open Firebug, and get to the console. Then, click that little red arrow at the end of the input line so that you get the large box input on the right side of the screen.

Type this into the input box:

var alert_count = 0;
var old_alert = window.alert;
var alert_max = 5;
window.alert = function(alert_text) {
  if (alert_count < alert_max) {
    ++alert_count;
    old_alert(alert_text);
  } else {
    console.log("Reached maximum alerts");
  }
}

Now, hit “Run” at the bottom of that input window. We’ve just overridden the window.alert function during runtime.

Hit “Clear” at the bottom of the input window, and type in:

for (i = 0; i < 10; ++i) {
  alert(i);
}

Hit “Run”. Click “OK” for the first 5 alert windows, and watch as the rest of them are spewed out to the console. Nice.

So, I don’t think this helps me much in creating my plug-in, but it’s interesting to see how window.alert is malliable at run-time.

This seems to be a more relevant discovery – Mozilla’s Chrome lets me create an alert popup with a checkbox using alertCheck. I think this is exactly what I’m looking for.

I’ll tinker with it over the next few days, and post some code.

Summer Project: Firefox Plugin to Override Window.Alert

When I don’t have work to do, I get antsy.

And right now, I’ve got no work to do.

So I’ve come up with a project for myself: remember how I created a Firefox Plugin a few months back? I’d like to make another one – but this one will actually serve a useful purpose.

Have you ever been to a page that suddenly started spewing window.alert boxes at you?

If you haven’t, open up Firebug, and paste this into the console:

for(i = 0; i < 10; ++i){ alert(i); }

Now imagine if instead of 10 alert boxes, it spewed hundreds…or thousands….or god forbid, it uses a while(true) loop, and throws infinity alert boxes at you.

It totally cripples Firefox. It’s a super simple browser DoS attack.

Mozilla knows this, but so far, no solution except for killing the Firefox process, or disabling Javascript manually, or with NoScript (a plugin that I highly recommend).

Google Chrome has solved this problem by providing a checkbox on alert dialogs that allow a user to disable future popups from the current site.

Cool. I want Firefox to have the same feature.

So, this summer, I’m going to try to build a Firefox Plugin that will override the standard window.alert function, with one that provides a checkbox, letting the user disable future alerts.

I don’t even know if this is possible, but I’m looking into it.

I’ll blog my research and progress as I go along, and share my code / final plugin when it’s all finished (or when I abandon it…hey, it happens).

So stay tuned.

My Web App in the News

ANOTHER UPDATE: Whoops. Fixed the links to the auction and the St. Catharines Standard article.

UPDATE: Apparently, the Feds are getting in on the online auction circuit too.

Over the past three summers, I’ve been employed by the District School Board of Niagara as an internal web application developer.

One of my first jobs in the summer of 2006 was to rebuild the online auction application that the DSBN Purchasing department ran. The original auction let the Board dispose of old equipment quickly and easily, and was quite popular. Unfortunately, it was also written in (almost) unintelligible/unmaintainable Perl.

So I rewrote it by myself, and learned PHP/MSSQL along the way. We called this new auction site The Government Surplus Online Auction, and we opened it up so that other government agencies could also post items for auction.

Things went along fine until last summer, when the site got attacked by an SQL Injection bot. Back in 2006, I had no idea what SQL injection was, or how to guard myself.

So there I am – I’ve just come back from a camping trip, my inbox is packed with complaints, and I’ve got three weeks until school begins. Crap.

Luckily, I had plenty of tools at my disposal. My web app development skills and practices had evolved dramatically since 2006, and I had been itching to reimplement the auction anyhow. The SQL Injection attack was a perfect excuse for me to gut the entire application, and rebuild from scratch.

And I did. I rebuilt the whole thing from the ground up in three weeks. It’s been almost a year since it was deployed, and I’m still very happy with its performance, and the code that runs it.

I’m not happy with its overall UI design. I think there are plenty of improvements to be made in that regard. Luckily, it’s coded using a light MVC framework that I designed/built myself, so reskinning shouldn’t be too hard for whoever decides to work on it…

Apparently, I’m not the only one happy with the auction site. Check out this article (now without annoying print dialog).

I just checked the logs today – we hit a new record: an aerial truck went for $22,000 dollars. With the Board receiving 5% ($1100) of that simply for hosting, I think everybody is walking away happy.

Here’s the auction.

Proof that I wrote it? This’ll have to do.

Starcraft…implemented in Javascript.

Last night, I had a dream.

In it, I was breaking into a house. In the house was a TV and a computer. On the TV was Mario64, and on the computer, Starcraft.

Somehow, in my dream, I knew that both had been re-implemented in Javascript. I was blown away.

When I woke up, I posted a little blurb about this dream on Twitter. Paul Gries responded with this link: Javascript Starcraft.

Dreams. They can come true. Except sometimes, you need Internet Explorer to run them.

A Blog by Mike Conley

The personal blog of a Toronto based software mechanic, musician, sound designer, and theatre enthusiast.