256

When I click to download a file through Firefox, a dialog window appears asking me whether I want to save the file somewhere or open it immediately once downloaded.

Screenshot of a Firefox download dialog

The OK button in the dialog window starts disabled, and doesn't enable until the dialog has had focus for around a second. The dialog isn't modal, and if I focus on another window the OK button will disable and again won't re-enable until the window has held focus for a second.

My partner lamented this design, and asked me why she couldn't just click OK to download immediately. I responded that I've always thought it was a security feature. Now that I think about it, however, I'm not certain exactly what behavior it could be preventing. I would have thought that it might prevent some malicious website from downloading a file secretly by forcing the download window to stay open for at least long enough to see what's going on; however, it should be possible for a site to download stuff secretly in the background anyway. Regardless, I presume most users would have clicked the 'do this automatically from now on' box at some point, and thus be unprotected anyway...

So, is this a security feature? If so what does it protect against?

Benoit Esnard
Numeron
  • I kinda thought it was probably some strange piece of slowness caused by inefficiency by whoever developed the specific code by Firefox. If Firefox had it clear that the delay was intentional, such as changing the value of the button to say "OK in 3..." and show a countdown, then at least I would have understood that this was clearly intentional behavior. – TOOGAM Mar 26 '16 at 16:09
  • 6
    Yes, supposed to enhance security, but it can be turned off by setting security.dialog_enable_delay = 0 [ https://superuser.com/questions/1023643/firefox-disable-delay-on-download-dialog-buttons ] – eMPee584 Jul 16 '18 at 10:15

5 Answers

363

Yes, it is a security feature, and the purpose of the delay is to prevent attacks based around tricking the user into entering input to skip past the dialog by popping it up unexpectedly when the user is in the middle of inputting multiple key presses or mouse clicks in quick succession. The two examples that are given in this blog post explaining the feature are:

  • A CAPTCHA that asks the user to type the word "only". When they press n, a save dialog is popped up, and then the user will immediately press l and then y, which is the keyboard shortcut for OK on some browsers, unintentionally confirming the download.
  • A webpage that convinces the user to double-click somewhere on screen, positioned so that when the dialog opens after the first click, their mouse pointer is right over the "OK" button, meaning that they immediately confirm it.

Because the button is disabled for several seconds, the stray input has no effect.

Mozilla bug report about the issue

Trang Oul
samgak
  • 20
    Also user can use extra time to actually check file name/type. Without ad-block you can accidentally download some evil .exe instead of actual content. I have not experienced input trick myself yet, but from time to time I delete "evil toolbar [32].exe" from my download folder ;) – PTwr Mar 21 '16 at 09:21
  • 12
    I'm finally enlightened. – Aloha Mar 21 '16 at 11:55
  • 89
    This an excellent answer and I just want to further add that [**users can also become numb to pop-up messages and confirmations**](http://ux.stackexchange.com/q/44609/45170). I would imagine that this slight delay can help mitigate those that have become numb. Anecdote: I was showing my dad how to use the web browser on an Android phone recently and some pop-up appeared and he hastily clicked OK; without a moment to spare he turns to me and asks "What did that say?". I am 95% confident that it had something to do with an expired SSL cert but we shall never know for certain. – MonkeyZeus Mar 21 '16 at 15:52
  • 5
    @MonkeyZeus That's pretty interesting behaviour. Did you ask why he clicked before reading it, since he apparently wanted to know what it was? – pipe Mar 21 '16 at 18:00
  • 1
    I'd also like to mention a feature in Windows that causes your mouse to automatically be moved to the default button of a window like that when it pops up. In that case, the delay prevents you from accidentally clicking OK if you were about to click anywhere on screen when it pops up. – Mike Kellogg Mar 21 '16 at 18:26
  • 21
    @pipe I may have inadvertently provoked his question "What did that say?" because I'm sure I gasped or muttered "wait" under my breath. Nevertheless, I think it still demonstrates the pop-up numbness. – MonkeyZeus Mar 21 '16 at 18:31
  • Uhm, isn't the OS supposed to prevent against unintended focus loss? Windows's focus loss prevention seems to work perfectly; Linux's is mediocre, not sure about Mac. Wouldn't this render it moot on Windows at least? – user541686 Mar 21 '16 at 22:36
  • 3
    @Mehrdad Err...I don't know where you got that from, but Windows's focus loss prevention is *far* from perfect. I get focus stolen quite frequently. Maybe it's different in Windows 10, but I don't use that. – Mike Kellogg Mar 22 '16 at 16:08
  • This reason seems like a quick hack as there are simple solutions for both of those problems. DOUBLE CLICK: prevent the window from aligning the yes button with the mouse. CAPTCHA: never focus on the download window so that you are always typing on the page – user1886419 Mar 22 '16 at 21:37
  • @MikeKellogg: Weird, I've found it to be basically perfect, and been so for as long as I can remember. I don't use Windows 10. I think it's only between different apps though, so if you're expecting it to work within a single app then maybe that's why? Or, how fast do you type? Maybe the built-in delay isn't right for your typing speed? It's actually more or less impossible to steal the focus in Windows from another app unless the other app lets you (the app with the current focus must call `AllowSetForegroundWindow` first)... in which situations have you had trouble? – user541686 Mar 22 '16 at 22:50
  • 1
    @Mehrdad Well, there was just now, when I was about to send a message in Skype, and some other program (presumably Firefox, I have reasons to assume such) popped up a message box just as I pushed Enter, so it immediately closed. – Mike Kellogg Mar 23 '16 at 04:00
  • @MikeKellogg: Interesting... was there a pause (like 1 second or more) before you pressed Enter, or was it as you were typing? – user541686 Mar 23 '16 at 04:14
  • @Mehrdad I believe I paused, but I've also had it happen in the middle of typing without pausing before, more commonly with the spacebar. – Mike Kellogg Mar 23 '16 at 04:21
  • @MikeKellogg: Not sure what to say honestly then, sorry. I've explicitly noticed it preventing focus loss so many times before that I've been surprised how well it works... – user541686 Mar 23 '16 at 05:57
  • Am I right if I say that there is not just the delay, but also all keyboard and mouse events are swallowed? Otherwise, the delay is (almost) pointless. – TheBlastOne Mar 23 '16 at 06:48
  • On the flip-side, it trains users to mindlessly click "OK" whenever a popup prompt shows up. – SnakeDoc Mar 23 '16 at 20:54
  • FWIW, I often have my active window's focus stolen by "nothing" (at least, nothing I can determine). I suspect it's some program or other that's minimized to my notification tray, reestablishing a network connection or something. It seems to happen most often if I have a lot of programs and/or browser tabs open, so it might be some kind of DWM glitch, too. – Dan Henderson Mar 23 '16 at 21:34
  • 1
    @Mehrdad Even if the OS does prevent against it, this is all an intentional focus shift, from the page to the element triggered by the page. I can't imagine any OS would protect against that. (And as with Mike, I've found that Windows doesn't have much focus loss prevention at all.) – Chris Hayes Mar 25 '16 at 01:49
  • Great to see comments on focus theft — how I hate it and its arrogance. – PJTraill Mar 26 '16 at 18:30
  • 2
    Surprisingly no one's mentioned this yet but this has a name: "clickjacking" (portmanteau of "click" and "hijacking" - can also be used for keypress hijacking, and can also occur with popup webpages, not just dialogs displayed by the browser itself). – micheal65536 Mar 27 '16 at 11:50
  • @pipe One possibility: he's used to clicking "OK," but since someone nearby might have some clue what the message means he realizes he may as well ask. Or, he realizes *after* clicking that it might have been important. – cpast Mar 27 '16 at 18:21
  • Adblock won't protect you against malware. Not even malware scanners are able to do so. Only sharp thinking (brain.exe) can keep you safe. – BlueWizard Apr 04 '16 at 13:35
16

Let's imagine that there's no delay, the default action for executable files is to open them, and there's some delay before the page requests the file download. In theory, you could accidentally run a virus if you were typing something at the exact time the dialog popped up. Incredibly rare, but I'm sure it's happened to someone somewhere.

Less maliciously, from a user experience standpoint, the user might be in the middle of pressing space or Enter right when the dialog pops up, therefore accepting the default, and possibly incorrect, action. The short delay prevents the user from accidentally selecting the wrong option.

While I doubt this feature was actually meant to protect anything (I'd rather trust my antivirus to that task), I find that I'm less likely to accidentally do the wrong thing with the file when the UI flushes my input and makes sure I actually meant to perform some action.

phyrfox
  • 7
    Firefox never executes an exe file, at least not from that dialog. – David Balažic Mar 21 '16 at 15:48
  • 1
    It's only happened to me once that I can recall, but I definitely had a dialog appear once as I was typing, with exactly the right timing to catch my spacebar. I have no idea what it said. – Dan Henderson Mar 23 '16 at 21:35
  • 1
    "I'd rather trust my antivirus to that task" - I'd sooner try to avoid the problem occurring in the first place than rely on antivirus to clean up afterwards. (In other words, I would prefer a UI that helps to avoid drive-by-downloads than one that lets them happen and relies on antivirus software to stop them from doing any damage.) – micheal65536 Mar 27 '16 at 11:49
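Added example, not code from the original thread or from Firefox itself: the accepted answer's two hijack scenarios (CAPTCHA keystrokes and the double-click) and phyrfox's "mid-Enter" case all rely on input that arrives within a fraction of a second of the dialog appearing, and the questioner notes that switching windows restarts the timer. The model below reduces the dialog to "has held focus since time t" plus a delay in milliseconds (the value Firefox exposes as the `security.dialog_enable_delay` preference mentioned in the comments) and replays constructed event streams against it. The `DelayedDialog`, `replay` and `outcomes` names and the event timings are assumptions made for illustration; widget internals, OS focus-stealing rules and the page that triggers the download are all left out.

```javascript
// Added example (not Firefox code): a model of the download dialog's
// enable delay, used to replay the hijack scenarios from the thread.
// Assumption: a dialog is just "focused since t" plus delayMs, the value
// behind Firefox's security.dialog_enable_delay preference.

class DelayedDialog {
  constructor(delayMs) {
    this.delayMs = delayMs;
    this.focusedSince = null; // time focus was gained, null while unfocused
    this.attempts = [];       // every OK activation seen and whether it counted
  }

  focus(t) {
    if (this.focusedSince === null) this.focusedSince = t;
  }

  blur() {
    this.focusedSince = null; // the delay restarts on the next focus
  }

  okEnabled(t) {
    return this.focusedSince !== null && t - this.focusedSince >= this.delayMs;
  }

  // A keystroke or click that maps to the OK button. Returns true only if
  // the button was enabled at that moment; otherwise the input is dropped.
  activateOk(t, source) {
    const accepted = this.okEnabled(t);
    this.attempts.push({ t, source, accepted });
    return accepted;
  }
}

// Replay a scripted event stream. Events are {t, type[, source]} with type
// 'open' (dialog appears and takes focus), 'blur', 'focus' or 'ok'.
function replay(delayMs, events) {
  const dlg = new DelayedDialog(delayMs);
  let confirmed = false;
  for (const ev of events) {
    if (ev.type === 'open' || ev.type === 'focus') dlg.focus(ev.t);
    else if (ev.type === 'blur') dlg.blur();
    else if (ev.type === 'ok') confirmed = dlg.activateOk(ev.t, ev.source) || confirmed;
    else throw new Error(`unknown event type: ${ev.type}`);
  }
  return { confirmed, attempts: dlg.attempts };
}

// Constructed scenarios (times in ms); none of these are recorded traces.
const scenarios = {
  // Accepted answer, CAPTCHA trick: typing "only", the dialog pops on 'n',
  // 'l' is harmless, 'y' is the OK accelerator and lands ~240 ms later.
  captchaKeys: [
    { t: 0, type: 'open' },
    { t: 240, type: 'ok', source: 'key y' },
  ],
  // Accepted answer, double-click trick: the first click opens the dialog
  // under the pointer, the second click hits OK ~80 ms later.
  doubleClick: [
    { t: 0, type: 'open' },
    { t: 80, type: 'ok', source: 'click' },
  ],
  // phyrfox's answer: the user was mid-Enter when the dialog appeared.
  strayEnter: [
    { t: 0, type: 'open' },
    { t: 30, type: 'ok', source: 'key Enter' },
  ],
  // The questioner's observation: losing focus restarts the timer, so a
  // click shortly after coming back to the dialog is still ignored.
  focusLoss: [
    { t: 0, type: 'open' },
    { t: 900, type: 'blur' },
    { t: 1500, type: 'focus' },
    { t: 2000, type: 'ok', source: 'click after refocus' },
  ],
  // A deliberate confirmation: wait out the delay, then press OK.
  deliberate: [
    { t: 0, type: 'open' },
    { t: 1200, type: 'ok', source: 'click' },
  ],
};

// Run every scenario at a given delay and report which ones would have
// confirmed the download. The question reports a delay of about a second.
function outcomes(delayMs) {
  const result = {};
  for (const [name, events] of Object.entries(scenarios)) {
    result[name] = replay(delayMs, events).confirmed;
  }
  return result;
}

console.log('delay 1000 ms:', outcomes(1000));
console.log('delay 0 ms   :', outcomes(0));
```

With a one-second delay only the `deliberate` scenario confirms; with the delay set to 0 (the `security.dialog_enable_delay = 0` tweak from the comments) every hijack scenario confirms as well, which is the trade-off the thread is discussing. Note that the model drops the stray input rather than queuing it, as TheBlastOne's comment points out it must: a delay that merely postponed delivery of the buffered keystroke would protect nothing.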
12

There is one thing that none of the other answers have mentioned: many users click OK and download without reading the popup window.

If a user were to download a malicious file accidentally (or was tricked into doing so), and clicks OK on instinct without reading and checking the file they are downloading, then they could miss important security information such as the size, filetype extension and location of the file about to be downloaded.

By disabling the OK for a few seconds, Firefox forces users to think twice and check what they are downloading.

angussidney
  • 5
    Do you have any proof or is it just a pure guess that disabling the button for a few seconds makes users read the message? I am asking because there are dialogs intended to force users to read the contents like approving invalid certificate or agreeing to a license agreement. They use methods other than delay. – techraf Mar 22 '16 at 06:46
  • @techraf I do not have any proof (as in research papers etc) however from my own experience (I used to click OK all the time until I started using FF) and watching other FF first-timers (they do seem to actually read the popup after their first click) I can confirm that it does work. Note that [one of the answers](http://ux.stackexchange.com/a/44675/69736) in the question that MonkeyZeus linked to (under the accepted answer) states that breaking the flow of an application by introducing a delay or an additional step does make the user read. – angussidney Mar 22 '16 at 07:20
  • @techraf, What is the user to do in that second of delay... They will be looking at the dialog, and their brain will visualise the words, which may proceed to their consciousness sufficiently that they find themselves 'reading' some part of it. Or they could screw their eyes shut to be deliberately obtuse ;-) As long as the delay is sufficient to make the user 'sigh', and then click in a considered manner it's an improvement (in my risk/reward trade-off view). – Philip Oakley Mar 25 '16 at 12:45
  • @PhilipOakley Do you have a reference to research results? – techraf Mar 25 '16 at 12:49
  • @techraf, unfortunately I don't have any specific references. Though there is lots of commentary about 'Lucky' people studies that show those with 'eyes open' (i.e. a wider view) are more lucky. As with most of these studies they are 'tricks'. You are asked one thing while they study another, e.g. read the paper to see how often a sports person is mentioned but actually see if they notice the 'free money if you tell the researcher' advert! Plus, the opposite postulate (screw up eyes) is clearly false, though they may just stare intently at the OK button till it's no longer greyed out. Unlucky. – Philip Oakley Mar 25 '16 at 15:12
  • Anecdotally, I know at least one company very keen on one-click purchases because it encourages impulse purchase. This is the reverse, discouraging impulsiveness. I doubt it makes anyone read, but it might give conscious thought processes a shot. – Phil Lello Mar 25 '16 at 16:55
-3

Some programs can invoke keypresses into your web browser. Take a look at VBScript's SendKeys() method.

This method sends keys to the currently focused window, and can send buttons such as ALT, TAB, and/or ENTER.

In a Windows Forms Application, a malicious developer can implement the SendKeys.Send() method and do some bad stuff, such as Alt-tab over to Firefox and click "Ok" on a malicious download link.

DDPWNAGE
    If they're at the stage where you're running their VBScript or Windows Form Application then they already have control of your computer and wouldn't need Firefox or any other browser to get more stuff on there – Matthew Steeples Mar 24 '16 at 09:37
  • also, they could avoid this by enabling the button from code – beppe9000 Mar 25 '16 at 11:59
  • Can't a page have VBScript embedded in it like a page can run JavaScript? Or, even, can't JavaScript access the same methods? – DDPWNAGE Mar 29 '16 at 23:06
  • 2
    @DDPWNAGE No. VBScript only ever worked in-browser in IE, and not even in IE11's Edge rendering mode. Even then, functions like `SendKeys()` never worked in browsers as far as I know, only in Windows Script Host. Just like you have a lot more access from a Node.js script than JS in the browser. The libraries and functionality is available in addition to the core language, and are only available in specific environments. – Bob Apr 01 '16 at 01:08
-4

I believe this is to make sure users see the dialog.
There are more attack vectors than the user-typing trick already described in other answers.
For instance, USB HID based hacks. This is just some measure against both known and unknown attack vectors, not just to patch a particular set of known threats.

Curious Sam