So after someone mentioned Hangul on another SE site, I just felt like watching another few Korean lessons. Came across a video that I liked, and the author finished with the (usual) more-on-my-website closing. Although the domain name looked a bit funny (koreangirlinsg.com), I figured why not, could as well look. Worst thing to happen is it’s a date site (which I kinda half-assumed from the name). But maybe that woman is just bad at choosing domain names.
Turns out it’s one of those entirely blank portal sites that display “click to proceed” as the first thing. Well, OK, whatever. I feel some disappointment coming up, but let’s not just abandon all hope. Click.
Next, Firefox pops up a notification saying “Firefox stopped this site from installing software on your computer, do you want to proceed? Yes, no.”
Wait a moment. Now, this is a surprise.
Basically every setting that I know about which allows something or does something extra, not just in the browser but on the computer is set to “No”. Components that I’m not using (which is about 50% of Windows) were removed from the install medium with NtLite prior to setup.
My browser has scripting blocked at all times, with the exception of 2-3 whitelisted sites, also I have everything that counts as “extra smart shit” which isn’t absolutely necessary for displaying a website turned off. Anything I don’t know, turned off. Anything I do know but don’t absolutely need, turned off. Adblocker including all available ad, badware, social, and annoyance filters running, not making an exception for anyone. No Flash plugin or the like installed (even the browser-supplied H264 codec is disabled because I’m not sure why I’d need it).
So the apparently naive assumption is that the browser shouldn’t generally do much but display HTML (with broken layouts, which I’m willing to accept) and load some images.
Nevertheless, it is apparently still very straightforward for a random, untrusted site to install software. And most notably, not via an exploit, but via a method that Firefox obviously deems a very acceptable, viable option (it proudly tells you it didn’t just do it yet, but still asks whether you want to proceed). Makes you somehow think of Internet Explorer 20 years ago.
Apparently, there is an explicit “install haphazard software on computer” functionality built directly into HTML that I’m not aware of, and browsers support it?
What would be the rationale for such feature?
[And maybe more importantly, how do you turn this off for good?]