Today I read one more story about pop-ups getting past our blocker (though I saw no pop-ups at either of those sites) and decided that given the recent spate of these claims, it was worth trying to do something about it. We are still #1 when it comes to defeating unwanted pop-ups, but we'll have to keep a close eye on the enemy if we're going to stay ahead. So if you're using the latest nightly branch builds of Firefox and you see pop-ups happening that you didn't request, please visit Bugzilla bug 253831 and provide information about the site where you saw the problem. If we find there are new and common techniques that are getting around our blocker, we'll try to seal off those avenues of attack.
Posted by asa at July 31, 2004 06:29 AM
Might be worth looking at some of the bugs blocking bug 176958, which is an old attempt at tracking this kind of thing.
Posted by: michaell on July 31, 2004 07:01 AM
I've actually had a few of these, can't remember where though :(
Will keep it in mind the next time I see one.
Posted by: Tom Sommer on July 31, 2004 07:30 AM
I get popups too at http://www.sitepoint.com/ (click around and it appears). Not sure how they do that though, even after investigating for a bit.
Posted by: Cheah Chu Yeow on July 31, 2004 07:39 AM
http://forums.mozillazine.org/viewtopic.php?t=107681
http://www.sportsline.com/nfl/story/7538370
http://bugzilla.mozilla.org/show_bug.cgi?id=253769
http://bugzilla.mozilla.org/show_bug.cgi?id=240246
I can confirm that the sportsline.com site shows a popup that gets past Firefox 0.9.1+ 20040730 in Windows.
Posted by: Neil T. on July 31, 2004 08:29 AM
And sitepoint also.
Posted by: Nanaki on July 31, 2004 09:28 AM
The one at sports line looks at your cookies and then pops it up if it's your first time there. To see it again, delete the www.sportsline.com and sportsline.com cookies.
The code that actually does it is at the bottom of the HTML. It uses 2 's to pull it off (I'm not sure it's required but it's worth looking at)
The first one defines the function that eventually calls the popup. function Poll() { }
In the second script tag after it, it just runs this code:
Now one thing you'll notice is that this code isn't called from an onLoad event. It's just placed into the body of the html. Maybe that's what's causing it to popup.
Bah, your blog stripped the code.
<script language="JavaScript">
<!--
Poll();
//-->
</script>
I've been finding that some sites seem to uncheck the block popups option.
I know some of them are lyrics web sites but I haven't been able to narrow it down to which ones exactly.
Here is a pretty simple way to fool the popup blocker in Mozilla. The idea is to use a real link with target="_blank" that opens the ad and make the real page be opened using the onclick handler.
[a href="http://webfx.eae.net" target="_blank" onclick="window.setTimeout( function () { document.location='http://erik.eae.net' }, 10 )"]Popup[/a]
I'm not sure what the solution would be but I guess preventing setting document.location in a non user initiated action might solve it. Mozilla already prevents the obvious case where no timer is being used.
Posted by: Erik Arvidsson on July 31, 2004 11:27 AM
Comcast.net's webmail is a big offender. I now have to put "mailcenter.comcast.net" into the address bar *twice* (once, then it redirects, and I put it in again) to avoid their latest full-screen ad. They use flash for their lefthand navigation bar to try to lock you in.
Posted by: PurifyYourMind on July 31, 2004 11:42 AM
Another way to trick the pop-up blocker is to write the content with document.write to an iframe, see (has a testcase):
http://bugzilla.mozilla.org/show_bug.cgi?id=187255
Not exactly a popup but more of a spyware through .xpi :/
Mozilla is being taken seriously I'm afraid ;|
Posted by: AC on July 31, 2004 03:45 PM
I usually have no problems with false negatives. False positives, on the other hand, are quite common, usually (if not always) when a page is still loading.
Posted by: Greg K Nicholson on July 31, 2004 06:13 PM
>We are still #1 when it comes to defeating unwanted pop-ups
We are still #1 when it comes to defeating wanted pop-ups too ;)
In fact we're #1 in many areas.
Greg - that's by design.
Posted by: Doug on August 1, 2004 05:30 AM
Speaking of popups, Asa, is it possible to change the comments from a popup to a page-view? As it is, to avoid a popup, one has to open the link in a new tab, and then either close the original tab, or keep browsing elsewhere, which is almost as bad. One should be able to click the link and keep it in-window and in-tab if one wants.
Posted by: Grey Hodge on August 1, 2004 08:04 AM
Grey, instead of clicking on the link that says "Comment (n)", just click on the link before that which is labeled with the time of the post, like "06:29 AM". That takes you to the permalink for the post which has the original post, all of the comments, and a comment box down at the bottom.
I've been meaning to move the comment count, the "(n)" part of the pop-up link, over to the date link and just remove the pop-up link. Maybe this weekend.
--Asa
Posted by: Asa Dotzler on August 1, 2004 08:24 AM
You know, I was going to mention something about this yesterday but didn't know who to tell about it. I was at some site yesterday and the moment I clicked and dragged my cursor (I was intending to copy-n-paste something), a pop up window showed up.
So I'm thinking some of these places might've gotten a brilliant idea to pop up windows based on user interaction of various kinds, since Moz/Firefox only blocks unrequested pop ups? It's a theory I haven't tested.
Posted by: Devon on August 1, 2004 11:25 PM
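The link trick Erik Arvidsson describes above (a target="_blank" link whose onclick navigates the original page on a timer) and the gesture-triggered pop-up Devon speculates about can both be looked for in a page's markup. The following is an added example, not code from the post, its commenters or Mozilla: a heuristic scan over constructed sample HTML, where `auditMarkup`, the rule names and the `.example` hosts are assumptions made for illustration.

```javascript
// Added example: heuristic audit of markup for two patterns raised in the comments.
// SAMPLE_HTML is constructed; the .example hosts are placeholders.
const SAMPLE_HTML = `
<a href="http://ads.example/offer" target="_blank"
   onclick="window.setTimeout(function () { document.location='http://site.example/page' }, 10)">Read more</a>
<a href="http://site.example/about" target="_blank">About</a>
<a href="http://site.example/next" onclick="track('next')">Next</a>
<div onmousedown="window.open('http://ads.example/drag')">Article text</div>
`;

const TAG = /<([a-z][a-z0-9]*)((?:\s+[a-z-]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/gi;
const ATTR = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
const TIMER = /\bset(?:Timeout|Interval)\s*\(/;
const NAVIGATE = /\blocation(?:\.href)?\s*=[^=]|\blocation\.(?:assign|replace)\s*\(/;
const OPEN = /\bopen\s*\(/;
const NON_CLICK = ["onmousedown", "onmouseup", "onmousemove", "ondragstart", "onselectstart"];

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

function auditMarkup(html) {
  const findings = [];
  for (const m of html.matchAll(TAG)) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    const onclick = attrs.onclick || "";
    // The link itself opens the new window; the handler moves the opener on a timer.
    if (tag === "a" && (attrs.target || "").toLowerCase() === "_blank" &&
        TIMER.test(onclick) && NAVIGATE.test(onclick)) {
      findings.push({ rule: "blank-link-deferred-navigation", href: attrs.href });
    }
    // window.open() wired to a gesture other than a click.
    for (const ev of NON_CLICK) {
      if (attrs[ev] && OPEN.test(attrs[ev])) {
        findings.push({ rule: "open-on-non-click-event", event: ev, tag });
      }
    }
  }
  return findings;
}

console.log(auditMarkup(SAMPLE_HTML));
```

The scan only sees inline attributes; handlers attached from script blocks or external files need a DOM-level check instead.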