OK. So how many ways are there to use JavaScript to annoy the user?

Counting them all isn't very easy, and isn't worth our time. Following are a few of the more interesting ways that sites use JavaScript to annoy users.

context menu blocking.

Some pages use this IE feature because they want to be web applications instead of web pages and claim that they should be able to act like a normal windows application by responding to right clicks.

This is an interesting idea, but there are a whole bunch of problems. Not all computers have mice, let alone multi-button mice, further, not all browsers allow sites to control what happens when the user right clicks, and of course the DOM spec doesn't provide for this feature.

I think most normal users who run into sites which have js to respond to right clicks would confirm that most sites don't respond to context clicking with useful features but instead take some action to prevent users from saving images or other portions of content. perhaps popuping up alert("go away"), but whatever they do is certainly not in the interest of the user.

opening, closing, resizing, moving, and just about anything you can do to a window

window.open is covered by popup blocking. But what about the other window operations? there are uses for some of them. window.close is really only useful when paired with special dual window systems where the second window was opened by window.open. The other functions could be useful in rare instances but usually they'll just be annoying

fullscreen

What can one say about this? it's every web developer's dream and every security analyst's nightmare.

universalbrowserread

this gives applications full access to browser internals including the history object and the ability to accept drops (as in drag and drop).

OK, so what's so bad about universalbrowserread? well, it's dangerous if given to the wrong script, and the Mozilla interface doesn't explain what it does. so this is mostly a user education problem. it could be easily solved.

universalbrowserwrite

UniversalBrowserWrite lets a web app impersonate just about any visual trait, it can hide the window, move it off-screen, overfill the screen, make a window w/o a titlebar ... Again the big problem is user education.

universalfileread

Upload an arbitrary local file to a remote web server. this is obviously very powerful, and for the most part you don't see people running into problems with it, but the interface could be better.

universalfilewrite

Write to files on disk. Quite powerful, but way too broad. Compare with the java security policies for reading/writing to limited directories.

universalxpconnect

Access arbitrary xpcom components and do just about anything. Very powerful, but way too broad. It'd be much nicer if you could restrict which classes a script could use and actually have the restriction propogate to the callees.