After 10 months, 17 rounds of patch and review, and two last-minute corrections, bug 83265 has landed. Firefox 3 will include an option to block timed redirects (a.k.a. META refresh tags). By default, Firefox 3 will act like Firefox 2, i.e. it will respect META refresh tags as it always has. But now the end user will have the option to block them:

I cannot stress enough that this checkbox is off by default. Users who install or upgrade to Firefox 3 will not see any difference unless they intentionally select this checkbox to turn the warnings on.
This is primarily an accessibility feature. Browsers are supposed to allow users to control all timeouts, but Firefox has never provided a way to control timed redirects. This is not a theoretical problem. Millions of web pages use timed redirects, and blind users who use text-to-speech software get confused when the page changes before the software has a chance to read the explanation of what’s about to happen.
If you turn this option on and go to a page that uses a timed redirect, you will see a notification bar at the top of your browser window:

As the notification bar says, the browser has completely blocked the timed redirect. The page will not redirect automatically, no matter how long you wait. You must press the “Allow” button, at which point it will immediately redirect to the target page without any further delay.
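An added example, not Firefox's code or anything from the bug: a simplified Node.js check that finds the timed redirects this option blocks, in both the META tag form and the `Refresh:` HTTP header form, so a page author can audit their own responses. The function names, the sample response and the regex-based parsing are assumptions made for illustration.

```javascript
// Added example, not Firefox code. Simplified parsing: regexes instead of a
// real HTML parser, so attribute values containing ">" are not handled.

// Parse a refresh value such as "5; url=https://example.com/next".
function parseRefresh(value) {
  const m = /^\s*(\d+)[\d.]*\s*(?:[;,]\s*(?:url\s*=\s*)?(.*))?$/is.exec(value || "");
  if (!m) return null; // no leading integer delay: not a timed redirect
  let target = (m[2] || "").trim();
  const q = target[0];
  if (q === '"' || q === "'") { // quoted URL: keep text up to the closing quote
    const end = target.indexOf(q, 1);
    target = target.slice(1, end === -1 ? undefined : end);
  }
  return { delaySeconds: Number(m[1]), target: target || null };
}

// Collect <meta http-equiv="refresh" content="..."> tags from an HTML string.
function findMetaRefresh(html) {
  const hits = [];
  for (const [tag] of html.matchAll(/<meta\b[^>]*>/gi)) {
    const attrs = {};
    const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
    for (const a of tag.matchAll(attrRe)) attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4];
    if ((attrs["http-equiv"] || "").toLowerCase() !== "refresh") continue;
    const r = parseRefresh(attrs.content);
    if (r) hits.push({ source: "meta", ...r });
  }
  return hits;
}

// Report every timed redirect in one response: header form first, then META.
function findTimedRedirects(headers, html, pageUrl) {
  const hits = [];
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== "refresh") continue;
    const r = parseRefresh(value);
    if (r) hits.push({ source: "header", ...r });
  }
  // A missing target means "reload this page"; relative targets are resolved.
  return hits.concat(findMetaRefresh(html)).map((h) => ({
    source: h.source,
    delaySeconds: h.delaySeconds,
    url: h.target ? new URL(h.target, pageUrl).href : pageUrl,
  }));
}

// Constructed sample response (not taken from any real site).
const sampleHeaders = { "Content-Type": "text/html", Refresh: "0; url=/login" };
const sampleHtml = '<html><head><META HTTP-EQUIV="Refresh" CONTENT="5; URL=https://example.com/next"></head></html>';
console.log(findTimedRedirects(sampleHeaders, sampleHtml, "https://site.example/page"));
```

Each hit records whether the redirect came from the header or the markup, its delay in seconds, and the absolute URL it would load.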
Geeky technical footnotes:
§
Great news to many, I guess. An improvement for someone else is an improvement for me.
I’m gonna like this. Thanks for pointing it out.
What about location.reload() from JS? (Yeah, I should have probably read the bug… ;)
— marcoos
No, blocking JavaScript-based redirects was out of scope for this bug. Use an extension like NoScript.
— Mark
How long have you been hacking on Firefox, Mark?
Will this cover the (admittedly rare) case where the Refresh: header is sent as an HTTP header and not <meta http-equiv…>?
— epc
Answering my own question, it looks like the code should cover the case of Refresh: being sent in an HTTP header.
— epc
Hurrah! Well done, Mark, and thanks for your patient and persistent efforts.
That is way cool! I’m glad for that news. When is 3.0 going into general release? I have one site that I have to use Dillo to visit, because if I use NoScript to block all their pop-up ads, then the redirect takes me away from the content to a “your browser is not letting you sign in…” page. Fortunately, Dillo does not have JS and it doesn’t automatically redirect either.
— W^L+
1. Why isn’t the option in about:config? (it reminds me of Moz Suite UI clutter)
2. Why doesn’t the alert bar say to WHICH URL the redirect goes?
(sorry, if this is explained in the bug)
I noticed that about half of the comments associated with your patch revolved around the formatting of the source code – have these people never heard of code beautification tools? There are tons of them, and they can eliminate most of these discussions by automating away the committers’ neuroses preferences and fixing whitespace discrepancies.
If I were you, I would have told “BZ” to “FOAD” somewhere around comment #58:
BZ: “no, really, why not combine these onto one line?”
DJ: “holy christ wearing flip flops, dude – combine the two lines if that’s what you want. just apply my patch and let’s end the presidential debate.”
— DJ
[10] Read this: http://kb.mozillazine.org/Accessibility.blockautorefresh
Thanks, Mark!
I certainly will use this feature. I always find it annoying when websites are suddenly refreshing while I’m reading some text.
Looks great.
One suggestion for a future version: show at least part of the [sanitized] URL to the user, a la:
Firefox prevented this page from redirecting to: “http://ugly.example.com/blah29320…”
That would make it much easier to decide whether to click ‘Allow’.
(Sorry, I haven’t set up a Bugzilla account yet to submit the suggestion there…)
— Steve B.
For what little it may be worth, the refreshblocker addon does not block Refresh: when sent as an HTTP header, only <meta refresh>
I agree with Steve B, that would be really useful…
§
© 2001–present Mark Pilgrim