I think this issue signals a problem with the UI in Chrome or Firefox, or any browser that creates this kind of popup. The problem is that, by placing the popup above the webpage contents, the webpage creators can mimic that native UI and create the same effect with the page contents themselves, and you don't know if the popup was created by the browser itself or if it's part of the webpage.
I think the problem could be solved by modifying the UI in the browser in such a way that you don't allow the webpage to create a similar popup because there would be a visual barrier that clearly indicates when the popup is part of the browser itself and when it's not.
Well, speaking specifically about this example: in order to install a Chrome extension like this pop-up, it will redirect to the Chrome extension gallery page. So if the pop-up is doing something other than that, it should trigger a WTF meter in your head.
To install a Chrome extension you have to manually install it by clicking "ok"; even after that, if it accesses your private browsing data (which is the only thing a Chrome extension has access to) you will get a second warning, making sure you understand this. Even after that, the Chrome extension runs in its own process, separate from each tab (which runs in its own process). And each of those processes runs in its own sandbox.
Let's even leave all that out of consideration, and that JavaScript is being used by some very popular websites, including huffpo, independent and some random sites I encountered but don't remember right now.
The problem is that the browser owned control bar is right next to the web content. It's good for usability (quick to reach with mouse), but opens the door for trickeries like click jacking (that's actually why there's a countdown when you want to install an extension in firefox).
I filed a related bug a year ago at Mozilla: https://bugzilla.mozilla.org/show_bug.cgi?id=497388
but it didn't get anyone busy (no offense). We probably have to wait until browser extensions are more common place and these kind of UI vulnerabilities get exploited on a regular basis.
You should know that we added that this morning; it was built by the guys at idiomag.com, as is the JavaScript. Once we realised that it could potentially confuse or "trick" people we removed it.
Really, what excuse could you have had for including such content in the first place, other than malicious intentions? Surely you review all content before placing something on your pages, right?
I'm not buying this feigned innocence. It's like listening to Zynga say giving Farmville credits for users to sign up for trial offers is perfectly legitimate. They know perfectly well the revenue generated by getting thousands of users to sign up for free trials of stuff that is impossible to stop before the bill gets charged to your card is generating more money than legitimate ads/networks.
You're using illegitimate ad networks because it pays a higher CPM period. Just admit to it so we can blackhole your domain without bullshitting us.
Jesus, are you serious? You really think we want to scam our readers? Dude seriously sort your shit out and learn to trust a little, have a little faith.
And no, we didn't review the JavaScript bar that was placed at the top of all our pages, but as soon as we saw what it looked like, we removed it.
And what illegitimate ad networks?? We use Google Adwords and Federated Media!
Don't go making accusations like that until you've got your facts straight.
And seriously, where did you get such distrust and anger? Ridiculous.
Ah, did not know that... imitation = flattery but that's so so close. Well, now I know.
Can I just say again, how impressed I am at how quickly you responded to all this and took appropriate measures. I could see this locked up in processes and such for days at other organizations.