JavaScript "Unresponsive" Timeouts

Hello forum folks,

One of the annoyances of the FF or Flock browser can be a warning for an unresponsive script, like “A script on this page may be busy or it may have stopped responding…Do you want to abort the script”, This is accompanied by "OK and “Cancel”. If you click “Cancel” the alter pops up ad infinitum. Reason behind this is that the same thread in the FF type browser runs the graphical interface as JavaScript. So a hostile website can hang your browser. The solution to the problem is very simple, and I give it here. Simply type “about:config” in the URL bar, go to “dom.max_script_run_time” and change the default of 5 sec to the value you need. Close all windows, restart FF or the Flock browser and voila,

greets,

polonus

How would changing (lowering) this value resolve this problem?
Also would the lowering of this value cause more issues if as you say it also runs the graphical interface as javascript (what if you have javascript disabled, etc.)?

As surely if you click Cancel the same would happen as you previously mentioned, surely clicking OK would kill the unresponsive script?

Not to mention a little thing called trust and deception, I’m very caution about clicking anything OK, Cancel, etc. as it is entirely possible for a malicious site to switch the implied function of the button.

I tend to close the pop-up with the X at the top right if I simply want to cancel the pop-up.

Hi DavidR,

Well your reaction is good to close the error pop-up is always the best option in case of a hostile web action. That is why I use the Dr. Web plug in pre-hyperlink scanner to avoid these problems, whenever in doubt. Normally when NoScript is active there is no danger anyway. Then I have two more things monitoring scripts that is AVX Script Wall and Scrip Trap. The case is that in case of the unresponsive script alert or warning (non hostile web-action) the clicking of cancel keeps the error pop up over and over again.
Under certain circumstances JS can provoke this when it invokes the graphical interface for instance either in CAPITALS and smalls within the same script, or something graphically is “out of bounds”. I think the bug was never really addressed in FF development.

greets,

polonus

Unfortunately the DRWeb extension for firefox doesn’t work with firefox 1.5 rc2.

So in effect reducing the time has no effect as I suggested, it would simply pop-up the unresponsive script notification window sooner.

Hi DavidR,

I have asked their technical staff for a new version for the Flock browser as well. It cannot be ported from the 1.07 or “flockered” as such…
Chris Pederick Web Developer Extension works in the FF 1.07 and the Flock preview 0.5 builds, but not under your FF 1.5. Why is that?
How is it with the preference bar and spoofstick? For me these are vital security add-ons. And security add-ons are the real things that make the FF browser shine.

DavidR, Firefox 1.5 x does not come with the Venkman JavaScript Debugger. although it is still available for FF 1.5 x.
Some feel it is a waste of time anayway, so it is an add-on now, and does not come as default.

In I.E. you can best disable script debugging and display a notification about every script error.

greets,

polonus

The way the latest firefox 1.5 rc2 handles extensions has changed, I believe reduse the potential of an extension bringing everything down (could be wrong) so some extensions when you install 1.5 rc2 are disabled if they aren’t compatible. I have a number of them, BBcode **, DictionarySearch, SpelBound ***, Translation Panel **, CuteMenus, Sort Bookmarks *, Star Downloader integration **, FlashBlock *, Cookie Culler **, those with an * (or more) I really miss.

I used to have spoofstick but I felt it was worse than useless as it didn’t even show URL masking. Lets say you have bought a domain name but you use free webspace and you don’t want to look like a cheep skate, you can use web forwarding to redirect to your free web space, but the domain name remains in the URL window and spoofstick didn’t bat an eyelid.

Hi DavidR,

Do you mean that Fraud Eliminator (http://www.fraudeliminator.com/) is a better anti-phishing solution? I use the javascript bookmarklet from Kevin Donahue, and I like that. Or do you mean that all these new parafernalia are quite useless against spoofing hacks.

greets,

polonus

No, just that spoofstick didn’t detect basic web forwarding which masks the web site url that is being displayed.

I have never used fraudeliminator, just my brain and common sense. Most spoofing/phishing attacks arrive as links in emails, etc. don’t click the link (for the most part spam detection will also see these as spam based on the origin of the email).

If you want to you could copy the link and test it with google or dr web as it may also have malicious content (backdoor trojan, etc.), nut for me not clicking links in emails that are of unknown origin is a big step in avoidance.