I use Firefox and on Firefox this can be done by typing "about:config" (without the quotes) in the address bar, then searching for "dom.event.contextmenu.enabled" (without the quotes) and then double-clicking on the result to toggle its value from "true" to "false".
Sites like PhotoPea and Google Docs capture right-click to offer right-click menus more in line with what you'd expect from a desktop application. You could argue that other UX schemes can work without that, but since that's what a lot of people are used to, I'd say they count as valid use cases.
One example would be a browser game where left click places a block and right click removes a block. You wouldn't want the default context menu appearing every time you right-clicked.
...which works for, maybe, 60% of cases. Or you can try a more sophisticated one for greater success. e.g.:
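javascript:(function(w){
  /* Events whose page-level handlers should be neutralised */
  var arr = ['contextmenu','copy','cut','paste'];
  for(var i = 0, x; x = arr[i]; i++){
    /* Drop any on<event> property handler set on the window */
    if(w['on' + x])w['on' + x] = null;
    /* Capture-phase listener stops the event before handlers further down the tree see it */
    w.addEventListener(x, function(e){e.stopPropagation()}, true);
  };
  /* Repeat for each frame; cross-origin frames throw and are skipped */
  for(var j = 0, f; f = w.frames[j]; j++){try{arguments.callee(f)}catch(e){}}
})(window);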
Unfortunately, these don't work on 100% of the pages. Otherwise, as someone else has suggested, Firefox allows you to disable context menu hijacking for every site.
Related: I'd LOVE to know how to force standard ctrl + f behaviour on sites that override it.
Same for sites that override ctrl + left click (to open link in new tab - some sites will treat it like you simply clicked the link and open it in the same tab - super annoying).
In Firefox there is a permission for "keyboard shortcuts" or something similar. I've set the default value to disabled.
To do so:
- Open about:config
- Find or create permissions.default.shortcuts
- Set the value to 2 (BLOCKED) or 3 (PROMPT, not sure if that even works)
The changes should take effect immediately. If they don't, try restarting your browser.
You can then go into the page information dialogue (ctrl+I) and turn it back on for individual sites that need shortcuts to work well (like Google Docs, maybe Discord).
Note that this might also affect shortcuts that do not conflict with your browser's shortcuts.
So the solution is to give the extension access to your banking site? Doesn't seem ideal.
Extension permissions still can't block an extension from making network requests if they have access to a site, right?
(Not implying this extension does something nefarious, but more the general risk of such extensions, especially when we hear that sometimes extensions get sold or their authors' accounts get compromised...)
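The concern in the comment above comes down to host access: an extension that is allowed to run on a site can read and change its pages. As an added example (not part of the thread, and not code from any extension discussed here), this Node.js script reports which entries in a WebExtension manifest.json cover a given URL. The sample manifests and the bank URL are constructed placeholders, and only http(s) URLs are handled.

```javascript
// Added example: which entries in a WebExtension manifest cover a given URL?
// Match patterns look like <scheme>://<host>/<path>, plus the special <all_urls>.
// Simplification: only http(s) target URLs are considered.

function patternMatches(pattern, urlString) {
  const url = new URL(urlString);
  const scheme = url.protocol.slice(0, -1);
  if (!/^https?$/.test(scheme)) return false;
  if (pattern === '<all_urls>') return true;
  const m = /^(\*|https?):\/\/(\*|\*\.[^\/*]+|[^\/*]+)(\/.*)$/.exec(pattern);
  if (!m) return false; // API names such as "storage" are not host patterns
  const [, pScheme, pHost, pPath] = m;
  if (pScheme !== '*' && pScheme !== scheme) return false;
  const host = url.hostname;
  const hostOk = pHost === '*' || (pHost.startsWith('*.')
    ? host === pHost.slice(2) || host.endsWith(pHost.slice(1)) // apex or subdomain
    : host === pHost);
  if (!hostOk) return false;
  const glob = pPath.split('*')
    .map(s => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')).join('.*');
  return new RegExp('^' + glob + '$').test(url.pathname + url.search);
}

// Collect every manifest entry that grants access to urlString.
function grantsFor(manifest, urlString) {
  const sources = {
    permissions: manifest.permissions || [],             // MV2 mixes hosts in here
    host_permissions: manifest.host_permissions || [],   // MV3
    optional_host_permissions: manifest.optional_host_permissions || [],
    content_scripts: (manifest.content_scripts || []).flatMap(cs => cs.matches || []),
  };
  const hits = [];
  for (const [key, patterns] of Object.entries(sources)) {
    for (const p of patterns) if (patternMatches(p, urlString)) hits.push(`${key}: ${p}`);
  }
  return hits;
}

// Constructed sample manifests and URL (placeholders, not real extensions).
const broad = { manifest_version: 3, name: 'sample-broad', permissions: ['storage'],
  host_permissions: ['<all_urls>'],
  content_scripts: [{ matches: ['*://*/*'], js: ['content.js'] }] };
const scoped = { manifest_version: 3, name: 'sample-scoped',
  host_permissions: ['https://*.example.org/*'] };
const BANK = 'https://online.bank.example/login';

console.log(grantsFor(broad, BANK));
console.log(grantsFor(scoped, BANK));
```

API permissions such as activeTab, which grants temporary access to the current tab after a user gesture, are not host patterns and are not reported here.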
You should definitely vet the developer before you install any software. I stake my reputation on my software, as a professional Mac developer for over 15 years. I'm pretty well known in that community, and my extension has also been well reviewed by the press.
What's the alternative? Of course recommendations from friends are the best, but professional software reviews in the news media are 100% more reliable than anonymous crowdsourced App Store reviews, which are easily faked or purchased, and even when they aren't fake, they're often totally ignorant.
I find it very sad that there are fewer software reviews in the news media now than there used to be. This makes it much more difficult for developers to get discovered.
Which part do you distrust exactly? If a software review has screenshots and describes features of an app, do you think that's all just... invented out of thin air?
I asked what part do you distrust exactly. "The...press" seems very hand-wavey and non-specific. When the argument starts with the premise that nothing the press says can ever be trusted, that's the route to denial of all facts and creation of your own reality. Did the stock market go up or down yesterday? Who can really say... because you can't trust the press!
> Anyway, I feel you're feeling some negative emotion here that's really just people interested in the security and privacy of their machine.
I'm very interested in security and privacy. In fact, StopTheMadness is designed to help protect your privacy. I use other 3rd party software to protect my privacy too, such as Little Snitch on the Mac (which incidentally is closed source, but the developers have earned their trust). I just think there's a distinction between prudence and paranoia, and I think it's counterproductive to fall into the latter, almost shooting oneself in the foot out of fear.
> So the solution is to give the extension access to your banking site? Doesn't seem ideal.
I use a dedicated browser for all types of banking as you can't be too careful. Also, I don't run any extension on it for this same reason of being careful.
I think you actually can. ;-) There's a difference between being prudent and living in fear. The former is of course good, but the latter can make someone miss out on a lot of good things in life. Including good software.
I completely agree. At least on Firefox there is an extension that restores right click and it is open source. If you want to be extra sure you can audit the code and package it yourself. This on the other hand appears to be closed source.
Even if it is benign now, there is no telling when it might be sold and new owners may have more nefarious intentions.
> Even if it is benign now, there is no telling when it might be sold and new owners may have more nefarious intentions.
I'll never betray the trust of my users, and anyway it's not going to be sold. Nobody has ever made me an offer, and it's unlikely that anyone could afford to acquire it. The extension is worth more to me as an indie dev than it would be worth to anyone else.
These are your thoughts right now. If a real tangible offer came through for 10s of millions of dollars, would you still feel that way? What about when you die or become permanently offline for some other reason? Will your family sell it to the lowest bidder, delist it, or just leave it to bit rot?
These are things everyone has to/should consider when granting software unfettered access to their machine.
You could just ask me questions without associating yourself with Satan. ;-)
> If a real tangible offer came through for 10s of millions of dollars, would you still feel that way?
I would definitely sell for 10s of millions of dollars! Indeed, I would sell for 1 million dollars. But nobody is going to offer me that LOL.
> Will your family sell it to the lowest bidder, delist it, or just leave it to bit rot?
They would have to leave it to "bit rot", because my source code is encrypted, and nobody else has my passwords. (The extension has no server component and should continue working fine indefinitely with no updates.)
Presumably if lots of people trust your extension with access to their banking website, a nefarious actor could steal more money to make that price worthwhile.
Well, assuming they can transfer money out of people's accounts and get away with it, which obviously requires additional effort.
To be clear, I wouldn't sell to [unknown criminal] for any amount of money, because I'm not a criminal myself, and I can't be turned into a criminal.
I would sell to [known BigCo] for a million dollars. But BigCos aren't interested in my software, so that's a non-issue.
If a criminal offered me millions of dollars, I would report them to the FBI. And I think this whole discussion is just ultra-paranoia.
withinboredom claims but refuses to name a supposed malware extension with millions of users. Not sure I believe this astounding story.
I don't even aspire to be rich, or even to retire. That sounds pretty boring to me. I'd rather work on something socially useful. But financial security would be nice.
One of my friends got offered 8 million for an extension a few years ago. The new owners put malware in it. Meanwhile, he’s still sailing around the Mediterranean on his yacht with his family…
This is exactly the kind of thing people are worried about.
I’ve been asked not to share the name. It wasn’t a big extension though, only a few million installs.
FWIW, they put it up for sale as a lark, not intending to actually sell it, on some business sales/acquisitions/mergers site and got more than their asking price.
Asked by whom? Your (hopefully former?) friend who sold out millions of people for malware? Are those millions of people aware that they were infected with malware? Not sure how this can be a secret.
> It wasn’t a big extension though, only a few million installs.
I use it all the time. Is there a built-in way (no extensions) to also force text to be selectable? ATM I need to find the CSS rule that disables select and disable it from dev tools.
My wildly-speculative guess: some executive saw someone use “Inspect Element” and hosted an urgent meeting about how to solve this security risk. Rather than try to explain why it’s not a security risk, the dev team just placated the exec by saying “we could just disable right-click.”
Actually, I've seen many videos of Indian scammers using "inspect element" to generate some fake "accidental money transfers" on their victim's bank account. They'll invent some way to make their victims believe that they've done something wrong and that they've received too much of a "refund" and then they'll either go the "I'm going to lose my job please send back the 30,000" card or the "this is a crime, the fbi will call you if you don't cooperate" card.
Making it difficult to inspect element+replace value might actually be worth the effort. I've seen a Kitboga video where a simple transparent div covering the entire page had the scammer stumped for minutes because they didn't actually understand HTML.
It certainly doesn't prevent viruses, but for scams it may just be enough to save some people.
To inspect element one can just open the developer tools from the menu or the shortcut key, and then use the "inspect" tool from there, this bypasses the context menu block.
I suppose low level hindrances are sufficient to block low-level intruders...
This might actually accidentally be an argument for this approach, because the amateur scammers get frustrated at the very least but actual developers are capable of doing whatever they want.
It's a tricky trade-off. I don't think it's worth the effort and inconvenience to block the right click menu, but in the fight against scammers I can see why someone would see otherwise.
In the old days (CompuServe and AOL era of the internet) a lot of sites used it as an easy way of reducing the number of 'right click, save picture' type visitors. It never stopped the determined but reduced it by at least 90%. I have no idea why it is used today though.
I just saw someone request that the creator of a photo sharing site disable right-clicks for the same reason last month on reddit. I think I talked them out of it.
Probably some combination of security theater and well-intentioned but shallow, nearsighted and misguided attempt to increase security by reducing a perceived attackable surface area (i.e. likely somebody got scared with "View source" or something like that).
A lot of Japanese lyric websites disable right click. My hypothesis is that it's because the Japanese Collection Society has very backward thinking about sharing lyrics.
Add the 'Tampermonkey' extension to your browser and look through the source for which class to remove from the elements you are interested in.
The above comes with a disclaimer: I personally don't allow any extensions in the browser I use for banking. A little bit paranoid, but I prefer to reduce the plane of attack when accessing my bank (of course there are other threats that may bring more severe risk; remove them one at a time :) ).
If you go back to the first few commits, you see it started similar to some of the small JS snippets people have suggested here. It is interesting to see how it has evolved.
I always used xdotool to get around "you can't paste here". I may not be able to paste, but you didn't check the attestation signature on my keyboard!!!