Can clicking the "Cancel" button on a Windows dialogue box trigger an unwanted action?

You know those annoying pop-ups you sometimes get when trying to leave a website? “Are you sure you want to leave? Stay here for great offers!!!11” with two buttons, e.g. “Stay” and “Leave Anyway”, or just “OK” and “Cancel”. I don’t mean the pop-up ads that are designed to look like dialogue boxes but are actually just clickable links, I mean genuine dialogue boxes.

Or sometimes you get a dialogue prompting you to add kitteeepics.com or whatever as your homepage: “OK” or “Cancel”.

Can clicking the buttons on those trigger an action such as downloading a virus? Should they always be closed using the X in the corner rather than the buttons?

There is certainly nothing programmatically connecting the label on a button to its function, so you can easily have buttons that lie about their function. I think that any nasty thing that can be triggered by a button can be triggered without one so you’re probably not any worse off clicking the cancel button.

If the warning or question is generated by Windows, it is a legitimate question and cancel means cancel. If, however, the web page is masquerading as a Windows pop-up, then the button could do anything.

However, if the web page can bypass the automatic Windows query (“Are you sure you want to run X…?”), then why would it bother asking? It can go ahead and install whatever crap or redirect you how it wants.

The specific “you are navigating away, do you want to stay” is IIRC a function designed to run when someone attempts to close the page. It tries to stop you leaving but there’s a limit to what it can do. (Worst case, reboot).

Following md2000’s point, is the dialog box put up by your browser itself?

Or by the site?

If you’re referring to a genuine Windows dialogue box, then yes, you can click either “cancel” or “x” without worrying about being tricked into accepting some unwanted action. BTW, that doesn’t mean some other unwanted action couldn’t happen, like a crashed browser due to legitimately bad programming.

It’s safest to close it using Alt+F4.

I’d also like to add that I am pretty sure that even a legitimate dialogue box could be exploited, but it would rely on a serious hole in the browser or even Windows. But that’s for the most part not to worry about, especially if you keep your software updated, because stuff like that gets patched immediately, and the security flaws that are undiscovered become susceptible to being patched by being used more often and being discovered.

Those particular dialogs (not really Windows dialogs, except they happen to be running in Windows) are shown by the web browser itself, so unless you’re using an untrusted browser, you can be certain the “Cancel” button will actually do what it says.

You’ve already covered the most dangerous case, when a website puts up an image that just looks exactly like a dialog box-- that just takes diligence on the part of the user. Unfortunately there’s not much Windows or the browser maker can do about those.

To answer the subject line of your question: if the dialog is a Windows dialog put up by a Windows application, it can have the “cancel” button do literally anything-- but then again, it could also have the close box in the corner do literally anything. Hopefully any malware will be screened out long before it gets a chance to run a Windows executable, and hopefully you have security features like UAC running to minimize the potential damage if it does manage to run.

We were warned about these at work and told to close them using Task Manager rather than Cancel or the X.
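
The “you are navigating away, do you want to stay” prompt discussed in the thread, as an added example that is not part of any post above: the page-side handler uses the browser's standard `beforeunload` event, while `simulateLeaveAttempt`, the dialog wording and the `pageWindow` stand-in are a constructed, simplified model of the browser's side. It shows why the buttons on that prompt belong to the browser: site script can only request the prompt and never receives a handle to the buttons.

```javascript
// Page side: what site script is able to do. In a real browser `pageWindow`
// is `window`; here it is a plain EventTarget (assumption) so the sketch
// also runs under Node.js.
function installLeaveGuard(pageWindow, hasUnsavedChanges) {
  pageWindow.addEventListener('beforeunload', (event) => {
    if (hasUnsavedChanges()) {
      // The only lever the page has: ask the browser to confirm leaving.
      event.preventDefault();
    }
    // The event exposes no button labels, no button callbacks and no way
    // to learn which button the user eventually clicks.
  });
}

// Browser side (constructed model, not real browser code): fire the event,
// then build the dialog from the browser's own text and buttons.
function simulateLeaveAttempt(pageWindow, userClicks) {
  const event = new Event('beforeunload', { cancelable: true });
  pageWindow.dispatchEvent(event);

  if (!event.defaultPrevented) {
    // Page did not ask for a prompt: navigation proceeds silently.
    return { prompted: false, navigated: true };
  }

  // Constructed wording; current browsers show their own generic text
  // here and ignore any message the page tries to supply.
  const dialog = {
    text: 'Leave site? Changes you made may not be saved.',
    buttons: ['Leave', 'Cancel'],
  };
  // The outcome is decided by browser code alone.
  return { prompted: true, dialog, navigated: userClicks === 'Leave' };
}

// Constructed walk-through: a page with unsaved changes, user clicks Cancel.
function demo() {
  const pageWindow = new EventTarget();
  installLeaveGuard(pageWindow, () => true);
  return simulateLeaveAttempt(pageWindow, 'Cancel');
}
```

A dialog drawn inside the page itself (HTML or an image) sits outside this path entirely, which is the case the thread flags as the dangerous one.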