Getting rid of popup windows for good

Rimas Kudelis rq at akl.lt
Sun Aug 24 17:30:47 UTC 2014


Hi!

11 years ago, Bug 212163 (Pop-ups are not blocked on code run from
onclick) was wontfixed.

Even today Firefox defaults to allowing any websites (even those
blacklisted by the user) to open any pop-up windows in response to any
of these events: change click dblclick mouseup reset submit touchend.
Now, I would like Mozilla to review that decision again, because the
situation has changed a lot in these years:

1. the web has evolved, and legitimate use of real pop-ups seems quite
rare nowadays,
2. on the other hand, websites, which use pop-ups for advertising, have
over the years adjusted to the way browsers limit this functionality,
and are using shady tactics of e.g. globally catching click events
basically anywhere in the page to open their pop-ups or even pop-unders,
3. not based on studies, but I would guess that most users usually
interact with just a few websites at most, which use pop-ups for
legitimate reasons nowadays (e.g. corporate intranet, some government
website, MAYBE webmail and let's say a few others),
4. whitelisting pop-ups on any website is an easy one-time task. We have
a nice UI (infobar and an icon in the address bar) for that,
5. with our current default setting, even blacklisted websites can still
open pop-ups when using the right handler. This is ridiculous and
exactly the contrary to our goal of the user being in control.

This issue has been brought up in at least a few bugs, but not acted
upon. Is there a chance that Mozilla would reconsider?

As a user, I think that ideally, Firefox would:

1. always allow chrome to create pop-ups (this sounds obvious, but
currently, clearing dom.popup_allowed_events will cripple file upload
functionality, see bug 918780),
2. disallow websites to open pop-ups in response to any javascript event
by default (bugs 565104 and, more broadly, 565621),
3. allow websites whitelisted by the user to open pop-ups in response to
any JavaScript events (I think this is what we do already),
4. probably ignore target="_blank" on links (see bug 565621).

Regards,
Rimas



More information about the firefox-dev mailing list