Last week, I offered up an extension for testing some improved pop-up blocking capabilities. I got a lot of wonderful feedback and appreciate everyone who got back to me here and in email so quickly.
Today, I've got a slightly less draconian version of that extension which may still let a few evil pop-ups through but hopefully block a lot less of the non-evil pop-ups. Pop-ups triggered from plug-ins will still need to be whitelisted if you need them but most of the other areas where the previous attempt was overly aggressive should work again here.
If you're interested in helping us test this one, you can download it from here. If you have the previous extension installed, please uninstall (or disable) that one before testing this one. Any and all feedback is greatly appreciated and should help us determine if we can offer this as a minor but effective update prior to the 1.1 release.
Thanks again for all the great feedback on the first attempt and I look forward to reading through all of the responses here. Oh, and definitely thanks to Dan Veditz who wrote both of these extensions :-)
Posted by asa at April 6, 2005 01:59 PMWow! XPI signing actually works -- this is the first time I've not gotten the "Unsigned" message when installing one!
It does seem that the "Show " functionality is working correctly again in the popup-blocker info bar.
Posted by: toby on April 6, 2005 02:23 PMthat extension just adds one variable:
privacy.popups.disable_from_plugins = 2
thank the guy who wrote the real code...
Posted by: bla on April 6, 2005 02:25 PMI installed popupsmustdie 1.1 and now I can't open RSS feeds from the sidebar from any of my feeds I have there
error I get is 'Tag is not a registered protocol'
weird huh?
Posted by: John Blanton on April 6, 2005 02:54 PMthe above mentioned error isn't cuz of the popup extension ..it's got to do with the RSS feed itself...but other then that it's all good so far
Posted by: John Blanton on April 6, 2005 03:10 PMwhat all does this extension do? does it only change a preference like "bla" said?
Posted by: ben on April 6, 2005 03:35 PMWhy is it that when I click on the XPI link from feedhouse.mozillazine.org the XPI is not allowed because feedhouse is not whitelisted and once I whitelist it, it is then allowed? Shouldn't the source URL of the file (mozilla.osuosl.org) be the domain in question? The same thing happens here at weblogs.mozillazine.org.
Doesn't that mean that anyone could link from a blog or a comment (within this domain) to a malicious XPI and it would not be blocked (assuming the user had already whitelisted this domain).
Perhaps I'm missing something. Someone feel free to clarify.
Also, is anyone else's install box showing that the XPI is signed? Mine said it was unsigned.
Posted by: Mark on April 6, 2005 08:04 PMWhat is the difference between
privacy.popups.disable_from_plugins = 2
and
privacy.popups.disable_from_plugins = 1 ?
I've used that last one for a few weeks, without a problem, and without pop ups either. But maybe there is something else at work, my ad-blocking userContent.css is pretty aggressive.
Posted by: Philippe on April 6, 2005 08:32 PMThis may be an obvious point, but if the pop-up blocker has known deficiencies ("may still let a few evil pop-ups through"), then advertisers will eventually begin exploiting these deficiencies on a large scale. I realize that there's a need to balance wanted vs. unwanted pop-ups, but if some type of pop-up is on the line then it seems that the only choices are to either block it now or wait for it to become heavily exploited, then block it.
Posted by: Kevin on April 6, 2005 09:41 PMKevin, we need to adapt but so do web developers. If we do everything at once and with draconian measures, we'll break too much of the web. Hopefully good web developers and plugin makers will work with us to build a system that puts the users in control. It's in the best interests of all of us to do that and that's what we're working toward. So rather than just breaking the web, we're going to move a little more cautiously as we get into trickier usage situations to try to provide powerful tools for web developers and give our users the ability to manage the results of those tools. We will win this battle, but it won't happen with one patch :)
- A
Posted by: Asa Dotzler on April 6, 2005 10:20 PM"Popups Must Die"
I surely hope this is not the final name. Please name the extension correctly.
Something like
"Plugin Popup Handler"
Philippe i was going to disagree with you but after picking it apart i think you're right:
"
// Turn off plugin and event initiated popups
pref("privacy.popups.disable_from_plugins",2);
"
I've been using the privacy.popups.disable_from_plugins setting of 2 for a few weeks now, and it's working great. There are lots of Slashdot readers using it, too, so you might want to check recent Firefox articles there and see if they have any comments.
Posted by: Steve Chapel on April 7, 2005 05:18 AMthis seems like a good balance. blocks most popups that were getting through, but doesn't block any wanted popups (at least so far).
Posted by: scratch on April 7, 2005 07:55 AMHow do I uninstall the original version (Mac OS10.3.8, Moz 1.7.6)?
Posted by: Bill Greenwood on April 7, 2005 08:08 AMTry this site:
http://www.blackmesasource.com/
Nothing works :/
Posted by: Nanaki on April 7, 2005 10:04 AMEnter this site : http://www.freenews.fr/nat.html
Then click on some internal link, like this link : http://www.freenews.fr/aqu.php
PMD 1.0 blocks but PMD 1.1 doesn't block anymore :-(
In www.zophar.net occurs something similar to what Tester described.
PMD1.0 blocks but 1.1 not.
Luiz
Posted by: Luiz on April 7, 2005 10:32 AMBill Greenwood: don't worry about uninstalling, you can install over the old one in Mozilla.
Henrik Gemal: of course we won't call it "Popups Must Die!", just having a little fun. We're just pushing this out to get real-world testing of the setting so we can feel comfortable changing the product defaults, and to figure out what code changes might need to happen. For example, the dom event blocking prefs tried in the first version caused problems, but we still want to block evil onclick popups. That will require code changes that can't really be rolled out as an extension.
To all: yes, all this does is set a pref, the same pref Asa blogged about some time back. A fair number of people set the pref, and a fair number of people found messing with about:config was over their heads. We also wanted something that was easily disabled or uninstalled by non-technical people in case they felt the blocking went too far -- especially with the agressive first version.
Posted by: Dan Veditz on April 7, 2005 04:56 PMI know this is probably a symptom of the plugin working exactly as it should... but http://www.starwars.com/ is completely locked out - and you cant access *anything* from the site.
It's one thing to have a solution that prevents you from possibly taking advantage of one or two components to a page -- to but to lock out the functionality of an entire site seems kinda problematic... (and I'll wager StarWars.com isn't the only major website that uses this style of navigation).
Posted by: John on April 7, 2005 06:00 PMhttp://users.pandora.be/merelbeke/sa/nl.html
I get a Java applet popup window here with Popups must die! 1.1.
Posted by: element on April 8, 2005 05:39 AMClassic FM's website (www.classicfm.com) have one of the most annoying popups I've been faced with. And it still appeared after applying the about:config privacy change. Adblock, and Murder's filters as found in the Advanced filters sticky thread at the adblock forums, did the trick by stopping it so I'm not exactly sure what killed it. The popup is indicative of how determined the advertisers are to bypass measures placed to stop them. I'll say one thing, it certainly discouraged me from going to the Financial Times website.
Posted by: Keith on April 8, 2005 01:59 PMhow to know when a flash pop pup is blocked by "pop up must die"
try this site http://www.series-onair.com./
for testing http://www.popupcheck.com/
Posted by: Pimousse on April 11, 2005 01:57 PMIn your update to last week's post you wrote: "No need for further debate here about whether or not it's OK to break requested pop-ups. It's not. We need to do a better job at identifying requested popups."
I think we should not have this as the default setting - it would break all Flash applications that legitimately use popups for things like a help window. Please understand that Flash is used for a lot of useful things!
A better solution would be to leave the default setting as it is, but make it easy for those users that want plugin-popups disabled to check a box in Tools / Options / Web Features. Or we should find a way to determine if the popup was the result of a click in the plugin. Is it impossible for the browser to find out if there has been a recent click in the plugin area?