March 04, 2005
blocking those flash pop-unders with firefox
There's been quite a lot of buzz around the blogs the last couple of weeks with people seeing the return of the pop-ups and pop-unders. It looks to me like the overwhelming majority of these are from plug-ins, mostly flash.
A number of pundits and bloggers have been wondering aloud whether or not we'll be able to keep up with the pop-up spammers now that more of them are focused on us. Well, we shipped 1.0 with the capability to block these pop-ups and pop-unders but we didn't enable it because we were concerned about breaking legitimate uses. If you'd like to turn it on, it's a fairly simple change -- and would be absolutely trivial for us to enable once we determine whether or not lots of websites are depending on the feature.
To block pop-ups from plugins, open your Firefox 1.0 or 1.0.1 browser, type about:config in the address field. Right-click in the resulting config page somewhere and select New -> Integer. Type privacy.popups.disable_from_plugins in the resulting dialog, hit OK, type 2 in the next dialog and you're all set.
This pref can actually take three values:
- 0: open allowed
- 1: the opened windows are treated as popups, but they're allowed to open (we limit the number of these types of popups)
- 2: the window is a popup, block it
If you turn this on, please let me know how it works for you so we can make the decision about offering it to users who aren't likely to be hacking in about:config.
Posted by asa at March 4, 2005 03:38 PM
I've been using privacy.popups.disable_from_plugins=2 for a week or two. I've already encountered two sites that failed because of it. One was http://birthday.yahoo.com/netrospective/. In the Flash version of Netrospective, click a picture and then try to click a red link in its description. You'll get a "pop-up blocked" icon instead of a window with the link.
Internet Explorer seems to have a better solution -- one that blocks unrequested Flash popups but allows requested Flash popups. Firefox needs a better solution too.
I was wondering why I wasn't seeing these pop-ups everyone was grousing about, and now I know. I've been using FlashBlock.
I just installed the flashblocker extension (I was really glad to see that it works with Mozilla as well as Firefox), because I got sick of all the noise that flash ads were making.
So if these new pop-up and pop-under ads are initiated from flash, I'm safe unless I deliberately start a particular flash that implements them.
As far as the previous comment goes, I wonder how IE is able to distinguish between a requested plugin popup and an unrequested one. I assume that the plugin uses the same API in both cases to create the popup.
I just use AdBlock. Hasn't failed me yet.
That pref will also take a value of 3. The 2 value allows popups from whitelisted sites. But 3 will block those as well. I added information about this pref to the about:config page.
The descriptions for the entries originally came from the bug itself.
Oh and big Way to Go to unarmed for adding a ton of entries to the about:config page.
I've been using this pref for a few weeks and I haven't seen any popups. This is the only way I know of or seen that causes popups. I've seen at least 3 threads about popups in Mozillazine where this was the culprit. An alternate way to stop these popups that I used before hearing about this pref was to block certain cookies set by the offending site.
I use Adblock too, but I do get pop unders. Wanna experience? Visit www.expressindia.com. Try clicking on any news item. You will see the annoying pop under from www.smashhits.com
Rebuttal to post #1 by Jesse:
Using 0 (zero) extensions on a 1.0.1 installation with the string "privacy.popups.disable_from_plugins=2", as mentioned by Asa, clicking on the yahoo netrospective site I received the same result as I did prior to the restart + about:config changes. All the flash boxes appeared correctly, exactly as they did prior to the changes.
Jesse: Are you using any extension which may be blocking said boxes?
Is anyone else able to verify the case above?
I have just tried mentioned testcase on birthday.yahoo.com.
No problems for me.
I've found the "Flash Click to View" extension to be a very effective (if not the most elegant) solution for the problem.
@ Hem Ramachandran
Wow, www.expressindia.com news links did indeed give me a pop-up. However, thanks to a combination of browser settings and an advertiser-hostile hosts file, it only popped up a blank page in a new tab!
Here is my test site for any tweaks: http://www.dailyindependent.com/
Sad to say, nothing has been successful but I have yet to try drastic measures or to determine what method they are using. The latter will be my next step. No sense in penalizing myself with a loss of functionality.
Going by Bug 258487 https://bugzilla.mozilla.org/show_bug.cgi?id=258487#c4 I have had this enabled and set to 3 since some time in December.
I don't use adblock, flashblock, or flash click to view (although I do use LOTS of other extensions). I don't use HOSTS blocking as I find it too much maintenance, and preconfigured lists tend to interfere with browsing- too many "connection refused" messages.
I haven't had a popup or pop-under in ages. I have tried the links here: http://www.dailyindependent.com/, www.expressindia.com, (not even a blank page) and many more in the mozillazine forums- no popups. Sometimes I get the blocked popup notification, sometimes not.
I tried this site: http://birthday.yahoo.com/netrospective/, I had to add it to the allowed list after first clicking a picture, the red links worked fine.
I have not noticed any problems with sites as far as needed functions- but to be fair, I don't use a lot of Flash sites. A few flashgame sites, the flash news module on the SBCyahoo homepage, and those I go to when linked from the support forums.
My other plugins seem unaffected.
In terms of getting those annoying "connection refused" alert boxes, I highly recommend setting browser.xul.error_pages.enabled to true.
But then again, there are some bugs with it still.
This might not be the place for this post, but I just felt that I wanted to share... http://surl.se/fzi - it's firefox related and scary...
The Microsoft AntiSpyware warning about Firefox is a gag that's been doing the rounds of the net for a week or so.
Even without this pref, I have never seen a popup or popunder in Firefox for months.
I use adblock with these filters:
Johan: That looks like a spoof. I have never had MS Antispyware flag any copy of Firefox as suspicious.
It's amazing how long a silly hoax like that hangs around the internet, constantly fooling more people. I mean, Slashdot made out it was a hoax the very first time they posted it.
Justin: I'm not talking about the Flash boxes, which work fine, but the red links inside the Flash boxes.
I tested Netrospective with IE and it had the same problem. I could be wrong about IE having a better solution. Are there any Flash sites that break with privacy.popups.disable_from_plugins=2 in Firefox but work correctly in IE+SP2?
@Jesse Ruderman: I'm pretty sure there is no way to distinguish requested and unrequested popups when dealing with Flash. That's why we could only implement a general block like this. Still, there is the whitelist...
@GUEST :): Any value for privacy.popups.disable_from_plugins that is bigger than 2 is treated just like 2. Johnny Stenback corrected me with respect to this in comment 8.
No popups whatsoever.
AdBlock (with a very large filter I made)
Sorry, the comment about value 3 for privacy.popups.disable_from_plugins should go to Brian P.
I've been using FlashBlock and so haven't seen these pop-unders, but I still haven't figured out how the Wall Street Journal's front page http://online.wsj.com/ manages to sneak a pop-up window through (unless you're a registered subscriber and already logged in; the pop-up touts the subscription plans).
Thanks for the correction Wladimir. I read comment 8 a few times now that you pointed it out and I still wouldn't have known that.
Ok, here's a real example. On http://www.savetoby.com/, the "donate" and "store" links do not work in Firefox when privacy.popups.disable_from_plugins=2, but do work in Internet Explorer with SP2.
www.warp2search.net uses two different popups - the old style ones that the ff popupblocker can stop, and the new type of flash popup.
With privacy.popups.disable_from_plugins set to 2 I have this problem: when I go to www.warp2search.net the first normal popup is blocked (and the popup-blocked icon in firefox's status bar is shown) but when the 2nd new flash popup is blocked, the popup-blocked icon disappears (which I'm guessing it shouldn't).
Never experienced a popup with Adblock and Filterset G
Glad to say I tried every link posted on here as an example of a page that manages to sneak pop-ups through, and none of them worked. I'm using Firefox 1.0.1 but haven't touched privacy.popups.disable_from_plugins. I'm not using Flashblock either, although I am using Adblock. Still, Adblock was not responsible for blocking anything on the pages as far as I could tell (the Adblock button didn't turn red) so I think it's just Firefox being generally good at popup blocking.
Hmm... actually, one more thing it could have been - I have quite a few 127.0.0.1 entries in my hosts file to block some of the most intrusive ad domains, so perhaps that had something to do with it.
127.0.0.1 hosts file entries aren't a bad idea anyway though, for a few of the real nasties like Gator (or whatever they're called this week) and some of the other tracking cookie scumware. Even on a Win+IE machine, a good hosts file can make a big difference to limit the amount of crap you'll pick up while surfing.
Still, what's definitely true is that Firefox + Adblock + some 127.0.0.1 entries in your hosts file and you can be blissfully ad-free, and there doesn't seem to be anything that can get around it other than those Floater ads... which is why there's the "Nuke Anything" extension.
Yum... you can't touch me, advertisers!
Just FYI, my settings on rv:1.8b suite:
1: Open in current window (default)
2: Open in new window
3: Open in new tab
1: Open in current window
2: Open in new window (default)
3: Open in new tab
0: Divert everything (default)
1: Divert target="_blank" etc. but not window.open
2: Divert everything except window.open with three parameters
0: open allowed
1: limits their number to dom.popup_maximum (even with popup blocker disabled)
2: the window is a popup, block it
3: blocks them even on whitelisted sites
True (default): Block popup windows created while the page is loading
False: Allow popup windows
browser.block.target_new_window true (deprecated?)
True: Links with target set to _blank will open in the current tab instead of a new window.
False: Links with target set to _blank will open in a new window.
Tried privacy.popus.disable_from_plugins = 2 on Firefox 1.0.1 under Linux. The pref was ineffective.
First, clear your cookies.
Then, go to http://jigzone.com/
Click on the puzzle-of-the-day.
Flash popup ensues.
A surefire way to block it: ditch the Flash plugin.
I just tried privacy.popups.disable_from_plugins : 2 and, while it seemed to effectively block the pop ups, it also seemed to disable my mouse scroll wheel. Deleted the pref now and got my wheel functionality back.
It should be possible to detect whether Flash popups are requested or unrequested. It's not *nice*, but it's possible. The only requirement for a basic solution is to check whether the user clicked the mouse immediately (say within 50ms) before the popup tried to appear. Yes, this isn't a perfect solution but it ought to work most of the time.
On Windows at least there are a number of ways to detect mouse actions, some of which even work when entirely different programs are current (see MouseProc in win32 api docs), so I'm sure it's possible for a Flash plugin within mozilla window. (If the plugin shares a message queue then the task is much easier/less intrusive, but hook procs aren't all that much overhead these days anyhow, although they should be written carefully.)
I would expect similar functionality is available on all platforms.
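The click-window check proposed in the comment above, as an added example that is not part of the original thread and is not Firefox or Flash plugin code. `PluginPopupGate`, `replay` and the plugin ids are hypothetical, and the event timeline is constructed; the last event shows the false positive the 50 ms window produces when a requested popup arrives late.

```javascript
// Added illustration (not Firefox or Flash plugin code): a click-window gate
// for plugin-initiated popups. All names here are hypothetical.
const GESTURE_WINDOW_MS = 50; // the window suggested in the comment above
class PluginPopupGate {
  constructor(windowMs = GESTURE_WINDOW_MS) {
    this.windowMs = windowMs;
    this.lastClick = null; // { time, pluginId } of the latest unconsumed click
  }

  // Called by the host when a mouse click lands on a plugin instance.
  recordClick(time, pluginId) {
    this.lastClick = { time, pluginId };
  }

  // Called when a plugin asks for a new window; returns "allow" or "block".
  requestPopup(time, pluginId) {
    const click = this.lastClick;
    const requested =
      click !== null &&
      click.pluginId === pluginId &&       // click must be on the same plugin
      time >= click.time &&
      time - click.time <= this.windowMs;  // and recent enough
    if (!requested) return "block";
    this.lastClick = null;                 // one click buys one popup
    return "allow";
  }
}

// Replays a timeline of click/popup events and collects the popup verdicts.
function replay(events, gate = new PluginPopupGate()) {
  const verdicts = [];
  for (const ev of events) {
    if (ev.type === "click") gate.recordClick(ev.t, ev.plugin);
    else verdicts.push(gate.requestPopup(ev.t, ev.plugin));
  }
  return verdicts;
}

// Constructed event timeline (times in milliseconds), not captured from a real page.
const SAMPLE_EVENTS = [
  { type: "popup", t: 10, plugin: "ad" },     // fires on load, no click at all
  { type: "click", t: 500, plugin: "menu" },
  { type: "popup", t: 520, plugin: "menu" },  // 20 ms after a click on itself
  { type: "popup", t: 530, plugin: "menu" },  // second popup from the same click
  { type: "click", t: 900, plugin: "menu" },
  { type: "popup", t: 910, plugin: "ad" },    // other plugin piggybacking on the click
  { type: "click", t: 1500, plugin: "menu" },
  { type: "popup", t: 1700, plugin: "menu" }, // requested, but 200 ms late
];
console.log(replay(SAMPLE_EVENTS));
```

Tying the click to the plugin instance and consuming it after one popup is what keeps an unrelated ad from riding on the user's click; the timing window alone would let it through.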
Has anybody else had a problem using Robo-Form with Firefox? That little program is just too valuable to stop using it because of a new browser. It works fine with IE 6. Also, how does one go about un-installing Firefox? I plan on keeping it but it's good to have the uninstall option, which most software provides as a standard menu option.
Ya know what? ....Macromedia should make the API of creating a popup window be determined by a variable in the settings of the browser.
Example code of Flash PopUp:
What should happen here, is that a call to this function from a Flash object (or its parent) that was not clicked or does not have focus, should not work if the Browser denied such popups/redirects. This should be done by Macromedia in their Flash PlugIn, so there's no way ad-makers can get around this security. Then the FireFox-Developers could look at the request for a new Window and determine to display it or not.
document.write("You are using: " + navigator.appName); document.write("and it's version " + navigator.appVersion);
So, the values of these variables are controlled by the Browser; normally the user cannot change this. So, in the Macromedia plugin, every reference to getURL() will first get the value of "DENYFLASHPOPUP". If it's "1", the function returns immediately without displaying the page. =^)
Just a thought!!!
ERRORLINE:*so there's no way ad-makers can get around this security.
CORRECTION: Hackers out there know that nothing is impossible. ;-)
ERRORLINE:*Then the FireFox-Developers can look at the request for a new Window and determine to display it or not.
CORRECTION: I meant to say Macromedia-Developers.
privacy.popups.policy = 2 handles popups just fine for me already. For sites I want to allow popups I just add them to the "Allowed Sites" list on Firefox's Web Features.