Jay Taylor's notes

back to listing index

Ask HN: How to disable right-click blocking in the browser | Hacker News

[web search]
Original source (news.ycombinator.com)
Tags: bookmarklet firefox right-click about:config news.ycombinator.com
Clipped on: 2023-11-13

Image (Asset 1/2) alt=
Image (Asset 2/2) alt=
I use Firefox and on Firefox this can be done by typing "about:config" (without the quotes) in the address bar, then searching for "dom.event.contextmenu.enabled" (without the quotes) and then double-clicking on the result to toggle its value from "true" to "false".


The downside here is that there are still plenty of legitimate uses for capturing right-click, and this fix will impede operation of those.

I'd go with a bookmarklet style approach suggested by other top-level comments.


What are these valid use cases?


Sites like PhotoPea and Google Docs capture right-click to offer right-click menus more in line with what you'd expect from a desktop application. You could argue that other UX schemes can work without that, but since that's what a lot of people are used to, I'd say they count as valid use cases.


One example would be a browser game where left click places a block and right click removes a block. You wouldn't want the default context menu appearing every time you right-clicked.


I use a bookmarklet. It can be something basic, such as:

    javascript:void(document.oncontextmenu=document.onMouseDown=()=>true)
...which works for, maybe, 60% of cases. Or you can try a more sophisticated one for greater success. e.g.:

    javascript:(function(w){
        var arr = ['contextmenu','copy','cut','paste'];
        for(var i = 0, x; x = arr[i]; i++){
            if(w['on' + x])w['on' + x] = null;
            w.addEventListener(x, function(e){e.stopPropagation()}, true);
        };
        for(var j = 0, f; f = w.frames[j]; j++){try{arguments.callee(f)}catch(e){}}})(window);
Unfortunately, these don't work on 100% of the pages. Otherwise, as someone else has suggested, Firefox allows you to disable context menu hijacking for every site.


Try making it immutable object


?


Related: I'd LOVE to know how to force standard ctrl + f behaviour on sites that override it.

Same for sites that override ctrl + left click (to open link in new tab - some sites will treat it like you simply clicked the link and open it in the same tab - super annoying).


In Firefox there is a permission for "keyboard shortcuts" or something similar. I've set the default value to disabled.

To do so:

- Open about:config

- Find or create permissions.default.shortcuts

- Set the value to 2 (BLOCKED) or 3 (PROMPT, not sure if that even works)

The changes should take effect immediately. If they don't, try restarting your browser.

You can then go into the page information dialogue (ctrl+I) and turn it back on for individual sites that need shortcuts to work well (like Google docs, maybe Discord).

Note that this might also affect shortcuts that do not conflict with your browser's shortcuts.


I use F3 for this, I don't know if it's possible but I've never seen a website hijack F3.


As a workaround CTRL+L CTRL+F usually opens the regular find bar.


Many browsers support ctrl + g to open the "find" input.


[self-promotion] My extension StopTheMadness stops this (supports all web browsers on macOS): https://underpassapp.com/StopTheMadness/


So the solution is to give the extension access to your banking site? Doesn't seem ideal.

Extension permissions still can't block an extension from making network requests if they have access to a site, right?

(Not implying this extension does something nefarious, but more the general risk of such extensions especially when we hear that sometimes extensions get sold or their authors accounts get compromised...)


You should definitely vet the developer before you install any software. I stake my reputation on my software, as a professional Mac developer for over 15 years. I'm pretty well known in that community, and my extension has also been well reviewed by the press.


I was with you right until the end.


Would you rather install unknown software that hasn't been reviewed?


I think it was probably moreso the mention of "press" as the reviewers.


What's the alternative? Of course recommendations from friends are the best, but professional software reviews in the news media are 100% more reliable than anonymous crowdsourced App Store reviews, which are easily faked or purchased, and even when they aren't fake, they're often totally ignorant.

I find it very sad that there are fewer software reviews in the news media now than there used to be. This makes it much more difficult for developers to get discovered.


Discovery isn't the problem with these tools — it's trust.

I don't trust MacRumors or PC World to vet...anything.

I do sorta trust...I dunno...EFF. Bunnie. yadda yadda.


Which part do you distrust exactly? If a software review has screenshots and describes features of an app, do you think that's all just... invented out of thin air?


The...press. Is this thing on?

Anyway, I feel you're feeling some negative emotion here that's really just people interested in the security and privacy of their machine.


> The...press. Is this thing on?

I asked what part do you distrust exactly. "The...press" seems very hand-wavey and non-specific. When the argument starts with the premise that nothing the press says can ever be trusted, that's the route to denial of all facts and creation of your own reality. Did the stock market go up or down yesterday? Who can really say... because you can't trust the press!

> Anyway, I feel you're feeling some negative emotion here that's really just people interested in the security and privacy of their machine.

I'm very interested in security and privacy. In fact, StopTheMadness is designed to help protect your privacy. I use other 3rd party software to protect my privacy too, such as Little Snitch on the Mac (which incidentally is closed source, but the developers have earned their trust). I just think there's a distinction between prudence and paranoia, and I think it's counterproductive to fall into the latter, almost shooting oneself in the foot out of fear.


> Did the stock market go up or down yesterday? Who can really say... because you can't trust the press!

Depending on which stocks are doing well and which aren't, and why, you'll absolutely get the news framed differently publication to publication.


Correct.

Corporate press has proven itself unreliable and bought.


> So the solution is to give the extension access to your banking site? Doesn't seem ideal.

I use a dedicated browser for all types of banking as you can't be too careful. Also, I don't run any extension on it for this same reason of being careful.


> you can't be too careful

I think you actually can. ;-) There's a difference between being prudent and living in fear. The former is of course good, but the latter can make someone miss out on a lot of good things in life. Including good software.


Same. I use GrapheneOS profiles for this.


I completely agree. At least on Firefox there is an extension that restores right click and it is open source. If you want to be extra sure you can audit the code and package it yourself. This on the other hand appears to be closed source.

Even if it is benign now, there is no telling when it might be sold and new owners may have more nefarious intentions.


> Even if it is benign now, there is no telling when it might be sold and new owners may have more nefarious intentions.

I'll never betray the trust of my users, and anyway it's not going to be sold. Nobody has ever made me an offer, and it's unlikely that anyone could afford to acquire it. The extension is worth more to me as an indie dev than it would be worth to anyone else.


Just playing Devil’s Advocate.

This is your thoughts right now. If a real tangible offer came through for 10s of millions of dollars, would you still feel that way? What about when you die or become permanently offline for some other reason? Will your family sell it to the lowest bidder, delist it, or just leave it to bit rot?

These are things everyone has to/should consider when granting software unfettered access to their machine.


> Just playing Devil’s Advocate.

You could just ask me questions without associating yourself with Satan. ;-)

> If a real tangible offer came through for 10s of millions of dollars, would you still feel that way?

I would definitely sell for 10s of millions of dollars! Indeed, I would sell for 1 million dollars. But nobody is going to offer me that LOL.

> Will your family sell it to the lowest bidder, delist it, or just leave it to bit rot?

They would have to leave it to "bit rot", because my source code is encrypted, and nobody else has my passwords. (The extension has no server component and should continue working fine indefinitely with no updates.)


Presumably if lots of people trust your extension with access to their banking website, a nefarious actor could make steal more money to make that price worthwhile.

Well, assuming they can transfer money out of people's accounts and get away with it, which obviously requires additional effort.


To be clear, I wouldn't sell to [unknown criminal] for any amount of money, because I'm not a criminal myself, and I can't be turned into a criminal.

I would sell to [known BigCo] for a million dollars. But BigCos aren't interested in my software, so that's a non-issue.

If a criminal offered me millions of dollars, I would report them to the FBI. And I think this whole discussion is just ultra-paranoia.

withinboredom claims but refuses to name a supposed malware extension with millions of users. Not sure I believe this astounding story.

I don't even aspire to be rich, or even to retire. That sounds pretty boring to me. I'd rather work on something socially useful. But financial security would be nice.


One of my friends got offered 8 million for an extension a few years ago. The new owners put malware in it. Meanwhile, he’s still sailing around the Mediterranean on his yacht with his family…

This is exactly the kind of thing people are worried about.


> One of my friends got offered 8 million for an extension a few years ago. The new owners put malware in it.

Which extension?

Was this in the news? There aren't actually that many really big extensions.


I’ve been asked not to share the name. It wasn’t a big extension though, only a few million installs.

FWIW, they put it up for sale as a lark, not intending to actually sell it, on some business sales/acquisitions/mergers site and got more than their asking price.


> I’ve been asked not to share the name.

Asked by whom? Your (hopefully former?) friend who sold out millions of people for malware? Are those millions of people aware that they were infected with malware? Not sure how this can be a secret.

> It wasn’t a big extension though, only a few million installs.

That's big!

Apparently there are only 300some Chrome extensions with over a million users. https://www.debugbear.com/blog/counting-chrome-extensions

My user base is orders of magnitude less, so I wouldn't worry about my selling out for $millions.


Was just going to recommend Stop the Madness!


Using Firefox, Shift-Right click shows the context menu. After that you can do your usual inspect etc.


I use it all the time, is there a built in way(no extensions) to also force text to be selectable? ATM I need to find the css rule that disables select and siable it from dev tools


Reader view (F9 in Firefox) might solve the problem, though not as seamlessly as would be ideal.


Is there even proven benefits of blocking right click security wise? I wonder what is the rationale behind these decisions?


My wildly-speculative guess: some executive saw someone use “Inspect Element” and hosted an urgent meeting about how to solve this security risk. Rather than try to explain why it’s not a security risk, the dev team just placated the exec by saying “we could just disable right-click.”


Actually, I've seen many videos of Indian scammers using "inspect element" to generate some fake "accidental money transfers" on their victim's bank account. They'll invent some way to make their victims believe that they've done something wrong and that they've received too much of a "refund" and then they'll either go the "I'm going to lose my job please send back the 30,000" card or the "this is a crime, the fbi will call you if you don't cooperate" card.

Making it difficult to inspect element+replace value might actually be worth the effort. I've seen a Kitboga video where a simple transparent div covering the entire page had the scammed stumped for minutes because they didn't actually understand HTML.

It certainly doesn't prevent viruses, but for scams it may just be enough to save some people.


To inspect element one can just open the developer tools from the menu or the shortcut key, and then use the "inspect" tool from there, this bypasses the context menu block.

I suppose low level hindrances are sufficient to block low-level intruders...


This might actually accidentally be an argument for this approach, because the amateur scammers get frustrated at the very least but actual developers are capable of doing whatever they want.

It's a tricky trade-off. I don't think it's worth the effort and inconvenience to block the right click menu, but in the fight against scammers I can see why someone would see otherwise.


In the old days (CompuServ and AOL era of the internet) a lot of sites used it as an easy way of reducing the number of 'right click, save picture' type visitors. It never stopped the determined but reduced it by at least 90%. I have no idea why it is used today though.


I just saw someone request that the creator of a photo sharing site disable right-clicks for the same reason last month on reddit. I think I talked them out of it.

https://www.reddit.com/r/AnalogCommunity/comments/uw9fne/spe...


Probably some combination of security theater and well-intentioned but shallow, nearsighted and misguided attempt to increase security by reducing a perceived attackable surface area (i.e. likely somebody got scared with "View source" or something like that).


A lot of Japanese lyric websites disable right click. My hypothesis is because the Japanese Collection Society have very backward thinking about sharing lyric.

https://www.techdirt.com/2010/03/03/japanese-collection-soci...


Add 'tamper monkey' extension to your browser and look through the source what class to remove from elements you are interested about.

Above comes with disclaimer, I personally don't allow any extensions in browser I use for banking. A little bit paranoid but I prefer to reduce plain of attack when accessing my bank (of course there are other threats that may bring more severe risk, remove them one at a time :) ).


I use a great Google Chrome extension called Allow Right Click that defeats that. Preventing right click is almost as asinine as preventing copying.


I also use this extension. It works on firefox as well.

Code is also on github if you want to learn from it: https://github.com/lunu-bounir/allow-right-click

if you go back to the first few commits you see it started similar to some of the small JS snippets people have suggested here. It is interesting to see how it has evolved


In Firefox, holding shift while right clicking works most of the time. It display the default context menu regardless of the website.

For ins.tance you can shift right click a video to use picture in picture on Youtube


I always used xdotool to get around "you can't paste here". I may not be able to paste, but you didn't check the attestation signature on my keyboard!!!


Ahh, I knew it was one of the x-tools that did this, but I didn't know the exact one, thanks! Might as well map ctrl+b to xdotool type (xsel -b).


You can't.

You can try, but you can't. The only people you'll stop are non-tech users, and the others will shame your business for playing this game.

If you need an analogy, think of it as trying to disable screenshots in an environment where users carry a camera in the other hand...


Ctrl + Shift + Right click force it to work in almost 99% of the time against right-click blockers in Firefox.

Don't have an exemple of when it would have failed :-)


window.addEventListener("contextmenu",function(e) { e.preventDefault(); //e.stopPropagation(); },false);


I remember when you could right click and hit enter at the same Time to still get a context menu


Absolute Enable Right Click & Copy Chrome extension.


uBlock Origin adds a Block Element menu to the context menu.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: