kveton on distribution || MAIN || upgrading from firefox 1.0 to firefox 1.0.1

March 04, 2005

blocking those flash pop-unders with firefox

There's been quite a lot of buzz around the blogs the last couple of weeks with people seeing the return of the pop-ups and pop-unders. It looks to me like the overwhelming majority of these are from plug-ins, mostly flash.

A number of pundits and bloggers have been wondering aloud whether or not we'll be able to keep up with the pop-up spammers now that more of them are focused on us. Well, we shipped 1.0 with the capability to block these pop-ups and pop-unders but we didn't enable it because we were concerned about breaking legitimate uses. If you'd like to turn it on, it's a fairly simple change -- and would be absolutely trivial for us to enable once we determine whether or not lots of websites are depending on the feature.

To block pop-ups from plugins, open your Firefox 1.0 or 1.0.1 browser, type about:config in the address field. Right-click in the resulting config page somewhere and select New -> Interger. Type privacy.popups.disable_from_plugins in the resulting dialog, hit OK, type 2 in the next dialog and you're all set.

This pref can actually take three values:

If you turn this on, please let me know how it works for you so we can make the decision about offering it to users who aren't likely to be hacking in about:config. Posted by asa at March 4, 2005 03:38 PM

Comments

I've been using privacy.popups.disable_from_plugins=2 for a week or two. I've already encountered two sites that failed because of it. One was http://birthday.yahoo.com/netrospective/. In the Flash version of Netrospective, click a picture and then try to click a red link in its description. You'll get a "pop-up blocked" icon instead of a window with the link.

Internet Explorer seems to have a better solution -- one that blocks unrequested Flash popups but allows requested Flash popups. Firefox needs a better solution too.

Posted by: Jesse Ruderman on March 4, 2005 04:02 PM

I was wondering why I wasn't seeing these pop-ups everyone was grousing about, and now I know. I've been using FlashBlock.

Posted by: Axord on March 4, 2005 04:37 PM

I just installed the flashblocker extension (I was really glad to see that it works with Mozilla as well as Firefox), because I got sick of all the noise that flash ads were making.

So if these new pop-up and pop-under ads are initiated from flash, I'm safe unless I deliberately start a particular flash that implements them.

As far as the previous comment goes, I wonder how IE is able to distinguish between a requested plugin popup and an unrequested one. I assume that the plugin uses the same API in both cases to create the popup.

Posted by: Mike Lippert on March 4, 2005 04:37 PM

I just use AdBlock. Hasn't failed me yet.

Posted by: Scott on March 4, 2005 05:33 PM

That pref will also take a value of 3. The 2 value allows popups from whitelisted sites. But 3 will block those as well. I added information about this pref to the about:config page.
http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries

The descriptions for the entries originally came from the bug itself.
https://bugzilla.mozilla.org/show_bug.cgi?id=258487

Oh and big Way to Go to unarmed for adding a ton of entries to the about:config page.

I've been using this pref for a few weeks and I haven't seen any popups. This is the only way I know of or seen that causes popups. I've seen at least 3 threads about popups in Mozillazine where this was the culprit. An alternate way to stop these popups that I used before hearing about this pref was to block certain cookies set by the offending site.

Posted by: Brian P on March 4, 2005 06:08 PM

I use Adblock too, but I do get pop unders. Wanna experience? Visit www.expressindia.com. Try clicking on any news item. You will see the annoying pop under from www.smashhits.com

Posted by: Hem Ramachandran on March 4, 2005 06:08 PM

Rebuttal to post #1 by Jesse:

Using 0 (zero) extensions on a 1.0.1 installation with the string "privacy.popups.disable_from_plugins=2", as mentioned by Asa, clicking on the yahoo netrospective site I recieved the same result as I did prior to the restart + about:config changes. All the flash boxes appeared correctly, exactly as they did prior to the changes.

Jesse: Are you using any extension which may be blocking said boxes?

Is anyone else able to verify the case above?

Posted by: Justin Mason on March 4, 2005 06:18 PM

I recently posted another effective solution that makes use of other preferences, though those changes also add a lot more restrictions to popups than some users may want.
http://lachy.id.au/log/2005/02/stopping-new-popup

Posted by: Lachlan Hunt on March 4, 2005 06:36 PM

I have just tried mentioned testcase on birthday.yahoo.com.

No problems for me.

Posted by: Ivan Icin on March 4, 2005 06:37 PM

I've found the "Flash Click to View" extension to be a very effective (if not the most elegant) solution for the problem.

Posted by: LinkTiger on March 4, 2005 07:56 PM

@ Hem Ramachandran

Wow, www.expressindia.com news links did indeed give me a pop-up. However, thanks to a combination of browser settings and an advertiser-hostile hosts file, it only popped up a blank page in a new tab!

Posted by: Axord on March 4, 2005 08:42 PM

Here is my test site for any tweaks: http://www.dailyindependent.com/
Sad to say, nothing has been successful but I have yet to try drastic measures or to determine what method they are using. The latter will be my next step. No sense in penalizing myself with a loss of functionality.

-Cf

Posted by: Rascal on March 4, 2005 09:55 PM

Going by Bug 258487 https://bugzilla.mozilla.org/show_bug.cgi?id=258487#c4 I have had this enabled and set to 3 since some time in December.

I don't use adblock, flashblock, or flash click to view (although I do use LOTS of other extensions). I don't use HOSTS blocking as I find it too much maintainence, and preconfigured lists tend to interfere with browsing- too many "connection refused" messages.

I haven't had a popup or pop-under in ages. I have tried the links here: http://www.dailyindependent.com/, www.expressindia.com, (not even a blank page) and many more in the mozillazine forums- no popups. Sometimes I get the blocked popup notification, sometimes not.

I tried this site: http://birthday.yahoo.com/netrospective/, I had to add it to the allowed list after first clicking a picture, the red links worked fine.

I have not noticed any problems with sites as far as needed functions- but to be fair, I dont use a lot of Flash sites. A few flashgame sites, the flash news module on the SBCyahoo homepage, and those I go to when linked from the support forums.

My other plugins seem unaffected.

Posted by: GUEST :) on March 4, 2005 10:39 PM

In terms of getting those annoying "connection refused" alert boxes, I highly reccommend setting browser.xul.error_pages.enabled to true.

But then again, there are some bugs with it still.

Posted by: Axord on March 4, 2005 11:21 PM

This might not be the place for this post, but I just felt that I wanted to share... http://surl.se/fzi - it's firefox related and scary...

Posted by: Johan on March 5, 2005 12:54 AM

The Microsoft AntiSpyware warning about Firefox is a gag that's been doing the rounds of the net for a week or so.

Posted by: aldiboronti on March 5, 2005 01:03 AM

Even without this pref, I have never seen a popup or popunder in Firefox for months.

I use adblock with these filters:

[Adblock]
*/ad/*
*/ads/*
*/banner/*
*adtech*
*annonce*
*banners*
*doubleclick*
uk.adserver.yahoo.com
adimg.virgilio.it
*/adv/*
us.a1.yimg.com
spe.atdmt.com
cserver.mii.instacontent.net
casalemedia.com
*/adimage.php.gif
view.atdmt.com
adserver.com
*250x250.swf*
tribalfusion.com
budsinc.com
hitslink.com
*/advertising/*
popupad.net
bravenetmedianetwork.com
ads.mixtraffic.com
*phpAdsNew/adjs.php*
2004cms.com
advlab.it
fastclick.net
dist.belnk.com
*javainstaller.InstallerApplet*
ysbweb.com

Posted by: Lino Mastrodomenico on March 5, 2005 01:09 AM

Johan: That looks like a spoof. I have never had MS Antispyware flag any copy of Firefox as suspicious.

Posted by: Neil T. on March 5, 2005 01:23 AM

It's amazing how long a silly hoax like that hangs around the internet, constantly fooling more people. I mean, Slashdot made out it was a hoax the very first time they posted it.

Posted by: David Naylor on March 5, 2005 01:41 AM

Justin: I'm not talking about the Flash boxes, which work fine, but the red links inside the Flash boxes.

I tested Netrospective with IE and it had the same problem. I could be wrong about IE having a better solution. Are there any Flash sites that break with privacy.popups.disable_from_plugins=2 in Firefox but work correctly in IE+SP2?

Posted by: Jesse Ruderman on March 5, 2005 03:54 AM

@Jesse Ruderman: I'm pretty sure there is no way to distinguish requested and unrequested popups when dealing with Flash. That's why we could only implement a general block like this. Still, there is the whitelist...

@GUEST :): Any value for privacy.popups.disable_from_plugins that is bigger than 2 is treated just like 2. Johnny Stenback corrected me with respect to this in comment 8.

Posted by: Wladimir Palant on March 5, 2005 10:35 AM

Tried www.expressindia.com
No popups whatsoever.

Using:
------
AdBlock (with a very large filter I made)
Disabled all JavaScript stuff except change images

Posted by: Daniel Fischbach on March 5, 2005 11:32 AM

Sorry, the comment about value 3 for privacy.popups.disable_from_plugins should go to Brian P.

Posted by: Wladimir Palant on March 5, 2005 11:40 AM

I've been using FlashBlock and so haven't seen these pop-unders, but I still haven't figured out how the Wall Street Journal's front page http://online.wsj.com/ manages to sneak a pop-up window through (unless you're a registered subscriber and already logged in; the pop-up touts the subscription plans).

Posted by: CB on March 5, 2005 03:40 PM

Thanks for the correction Wladimir. I read comment 8 a few times now that you pointed it out and I still wouldn't have known that.

Posted by: Brian P on March 5, 2005 04:36 PM

Ok, here's a real example. On http://www.savetoby.com/, the "donate" and "store" links do not work in Firefox when privacy.popups.disable_from_plugins=2, but do work in Internet Explorer with SP2.

Posted by: Jesse Ruderman on March 6, 2005 03:45 AM

www.warp2search.net uses two different popups - the old style ones that the ff popupblocker can stop, and the new type of flash popup.

With privacy.popups.disable_from_plugins set to 2 I have this problem; when I go to www.warp2search.net the first normal popup is blocked (and the popup-blocked icon in firefox's status bar is shown) but when the 2nd new flash popup is blocked, the popup-blocked icon disappears, which I'm guessing it shouldn't).

Posted by: chob on March 6, 2005 04:55 AM

Never experienced a popup with Adblock and Filterset G

Posted by: JoŽl Kuiper on March 6, 2005 10:48 AM

Glad to say I tried every link posted on here as an example of a page that manages to sneak pop-ups through, and none of them worked. I'm using Firefox 1.0.1 but haven't touched privacy.popups.disable_from_plugins. I'm not using Flashblock either, although I am using Adblock. Still, Adblock was not responsible for blocking anything on the pages as far as I could tell (the Adblock button didn't turn red) so I think it's just Firefox being generally good at popup blocking.

Hmm... actually, one more thing it could have been - I have quite a few 127.0.0.1 entries in my hosts file to block some of the most intrusive ad domains, so perhaps that had something to do with it.

127.0.0.1 hosts file entries aren't a bad idea anyway though, for a few of the real nasties like Gator (or whatever they're called this week) and some of the other tracking cookie scumware. Even on a Win+IE machine, a good hosts file can make a big difference to limit the amount of crap you'll pick up while surfing.

Still, what's definitely true is that Firefox + Adblock + some 127.0.0.1 entries in your hosts file and you can be blissfully ad-free, and there doesn't seem to be anything that can get around it other than those Floater ads... which is why there's the "Nuke Anything" extension.

Yum... you can't touch me, advertisers!

Posted by: Dave Silvester on March 7, 2005 05:12 AM

Dave,

please try this url http://www.hindijoy.com/source/main/ui/newrelease.asp. Click on anywhere on the page and there shall be annnoying popunder window appearing.

Thanks,
Abhi

Posted by: Abhi on March 7, 2005 02:42 PM

Just FYI, my settings on rv:1.8b suite:

browser.link.open_external 3
1: Open in current window (default)
2: Open in new window
3: Open in new tab

browser.link.open_newwindow 1
1: Open in current window
2: Open in new window (default)
3: Open in new tab

browser.link.open_newwindow.restriction 2
0: Divert everything (default)
1: Divert target="_blank" etc. but not window.open
2: Divert everything expect window.open with three parameters

privacy.popups.disable_from_plugins 2
0: open allowed
1: limits their number to dom.popup_maximum (even with popup blocker disabled)
2: the window is a popup, block it
3: blocks them even on whitelisted sites

dom.disable_open_during_load true
True (default): Block popup windows created while the page is loading
False: Allow popup windows

browser.block.target_new_window true (deprecated?)
True: Links with target set to _blank will open in the current tab instead of a new window.
False: Links with target set to _blank will open in a new window.

Posted by: Tar on March 8, 2005 05:48 AM

Tried privacy.popus.disable_from_plugins = 2 on Firefox 1.0.1 under Linux. The pref was ineffective.

First, clear your cookies.
Then, go to http://jigzone.com/
Click on the puzzle-of-the-day.
Flash popup ensues.

A surefire way to block it: ditch the Flash plugin.

Posted by: Fubegra on March 10, 2005 11:24 AM

I just tried privacy.popups.disable_from_plugins : 2 and, while it seemed to effectively block the pop ups, it also seemed to disable my mouse scroll wheel. Deleted the pref now and got my wheel functionality back.

Posted by: Petersjm on March 11, 2005 12:35 AM

It should be possible to detect whether Flash popups are requested or unrequested. It's not *nice*, but it's possible. The only requirement for a basic solution is to check whether the user clicked mouse immediately (say within 50ms) before the popup tried to appear. Yes, this isn't a perfect solution but it ought to work most of the time.

On Windows at least there are a number of ways to detect mouse actions, some of which even work when entirely different programs are current (see MouseProc in win32 api docs), so I'm sure it's possible for a Flash plugin within mozilla window. (If the plugin shares a message queue then the task is much easier/less intrusive, but hook procs aren't all that much overhead these days anyhow, although they should be written carefully.)

I would expect similar functionality is available on all platforms.

--sam

Posted by: sam on March 11, 2005 02:58 AM

Has anybody else had a problem using Robo-Form with Firefox? That little program is just too valuable to stop using it because of a new browser. It works fine with IE 6. Also, how does one go about un-installing Firefox? I plan on keeping it but it's good to have the uninstall option, which most software provide as a standard menu option.

Posted by: Wes Nathan on March 11, 2005 03:21 AM

Hi Abhi,

I got those pop-ups at www.hindijoy.com/source/main/ui/newrelease.asp
too. I looked at the source and spotted this:

http://www.PayPopup.com/popup.php?id=hindijoy&pop=enter&t=5&subid=22814&blk=1

I went to tools->Adblock->Preferences and added this URL to the list and it blocked those pop-ups. Hope this helps.

Posted by: Tonya on March 12, 2005 05:45 PM

Ya know what? ....Macromedia should make the API of creating a popup window be determined by a variable in the settings of the browser.
Example code of Flash PopUp:

getURL("http://www.mylamepopup.com/ad.html",_blank);

What should happen here, is that a call to this function from a Flash object(or its parent) that was not clicked or does not have focus, should not work if the Browser denied such popups/redirects. This should be done my Macromedia in their Flash PlugIn, so there's no way ad-makers can get around this security. Then the FireFox-Developers could look at the request for a new Window and determine to display it or not.
The way I would imagine this working... is that the FlashPlugIn can query some kind of JavaScript variable, say "DENYFLASHPOPUP", that would be defined by the FireFox-Developers; similar to when JavaScript asks a browser about its Name & Version.

Example Javascript:

document.write("You are using: " + navigator.appName); document.write("and it's version " + navigator.appVersion);

So, the values of these variables are controlled by the Browser; normally the user cannot change this. So, in the Macromedia plugin, every reference to getURL() will first get the value of "DENYFLASHPOPUP". If it's "1", the function returns immediately without displaying the page. =^)
Just a thought!!!

Posted by: Shadow-Me-Twice on March 13, 2005 08:37 PM

Some corrections:
ERRORLINE:*so there's no way ad-makers can get around this security.
CORRECTION: Hackers out there know that nothing is impossible. ;-)

ERRORLINE:*Then the FireFox-Developers can look at the request for a new Window and determine to display it or not.
CORRECTION: I meant to say Macromedia-Developers.

Posted by: Shadow-Me-Twice on March 13, 2005 08:43 PM

http://www.roflcopter.com/ROFLflash.html is another Flash page with a link that works in IE SP2 but not in Firefox with that pref set.

Posted by: Jesse Ruderman on March 14, 2005 12:48 AM

I works great!

Posted by: Dan on March 15, 2005 12:57 PM

privacy.popups.policy = 2 handles popups just fine for me already. For sites I want to allow popups I just add them to the "Allowed Sites" list on Firefox's Web Features.

Posted by: jack on March 16, 2005 02:27 PM

Lachlan Hunt also has a method that doesn't use this pref:

http://lachy.id.au/log/2005/02/stopping-new-popup

Posted by: Tom on March 19, 2005 11:00 PM

Post a comment