Getting rid of popup windows for good

Rimas Kudelis rq at akl.lt
Tue Aug 26 19:38:23 UTC 2014


2014.08.26 10:44, Gijs Kruitbosch wrote:
> On 26/08/2014 00:48, Shane Caraveo wrote:
>> On 2014-08-25 3:48 PM, Gavin Sharp wrote:
>>> How do most "pop-behinds" work? I've certainly seen those, and I have
>>> a hard time thinking of valid use cases for that behavior (they have
>>> been 100% annoyance in my experience).
>>> Someone figuring out how to block those would be great - probably
>>> relatively tricky.
>> Never looked into it, apparently the correct term is popunder.  A
>> quick look at popunder scripts, seems they do this within a click event:
>>
>> w = window.open()
>> w.blur()
>> window.focus()
>>
>> I wonder why "open new windows in a tab instead" pref doesn't work on
>> this...hmm, that is only link targets, not window.open.
>
> I think if you use a non-"_blank" target, we don't stick it in a tab.
> But sticking it in a tab here would probably not make the user any
> happier...
>
> Perhaps we could just make window.blur() trigger window.close() if the
> user has never interacted with the window?

Good idea. I think it's better than David's suggestion to close all
pop-ups ignored by the user when they exit the site that opened them,
here's why:
1. I personally tend to just scowl and just close unwanted
pop-ups/pop-unders manually as soon as I see them.
2. While in the background, the pop-up window is a potential bandwidth
waster. It might repeatedly download and "display" banners that nobody
will see. Heck, you can even stretch this to be a security issue: an
unwanted and unexpected background window might be trying to exploit or
DoS my browser while I'm surfing the Web unaware. ;)

> The only vaguely legit example I can think of are "Tell us what you
> think about our website" surveys that then re-focus() when you close
> the website, but I think those usually don't do the hiding themselves
> but just tell the user "continue with your original window as normal"
> in the page loaded in the popup. Even if they did, I think they're
> probably outnumbered by the "bad" sites? Hard to be sure without data,
> but I would suspect so.

Not being able to participate in a "Tell us what you think" survey is
not really the user's concern, but that of a website author. They will
figure out how to overcome this obstacle (e.g. by opening the new window
before the website is being left and not after it's been opened, or
simply not hiding it automatically). I don't see a problem here.

> The other thing that came up was window/document/body-wide click
> handlers. We could probably do something against those as well if
> they're very widespread, but it wouldn't fix the example Shane gave,
> of using the click on the "default" button on the page (and there are
> vaguely legit uses for that example, too, e.g. some travel search
> sites offer you to open their competitors in a new window when
> searching for something ("Compare against...") - you can manipulate
> checkboxes on the page to avoid that happening if you're not interested)

Regarding handlers on body, there is a similar proposal in bug 596359
called "Shrink clickable area size for popup allowance". But you know,
it's always possible that somebody will want to trigger a legitimate
popup from a bigger area. On the other hand, nobody can prevent a
website administrator from adding unwanted onclick handlers on all DOM
elements (or just a few DOM elements that the user is most likely to
click). That's why I think that pop-ups should be strictly opt-in by the
user.


Hm... how about this:
* we make pop-up opening a trinary setting (Always ask (default), Allow,
Deny)
* for allowed websites, we always allow pop-ups, regardless of the event
that opens them
* for denied websites, we always deny pop-ups, regardless of the event
that opens them
* whenever an "Always ask" website tries to open a pop-up, we grey that
page out and pause all script processing in it (like we currently do in
the case of alert() and confirm() calls) and ask the user whether or not
they want to open the pop-up. The user can then choose between Allow or
Deny the pop-up and has an option to save that choice permanently.

The downside: this would be much more intrusive than now (although not
that much more intrusive than e.g. the notification about entering
fullscreen).
The upside: this would make it more obvious where the pop-ups originate
from and put the user in charge. In the longer run, it might also make
real pop-ups much less attractive to website administrators, especially
if other browser vendors followed suit. Hopefully, they would find
better means to monetize their websites than cheating on both their
visitors and advertisers.

By the way, maybe Telemetry could give us some insight into how pop-ups
are created and used at the moment?

Also, I'm not sure, but perhaps we should move this discussion to
Yammer, what do you guys think?

Rimas
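
A model of the two ideas discussed above, the Always ask / Allow / Deny setting and closing a never-used window when blur() is called on it. This is an added example, not part of the original message and not Firefox code; every class and function name in it is hypothetical.

```javascript
// Added illustration of the proposal in this thread; not browser code.
// PopupPolicy, TrackedWindow and simulatePopunder are hypothetical names.
const ASK = "ask", ALLOW = "allow", DENY = "deny";

class PopupPolicy {
  constructor() {
    this.perOrigin = new Map(); // origin -> ALLOW | DENY; absent means ASK
  }

  settingFor(origin) {
    return this.perOrigin.get(origin) || ASK;
  }

  // The triggering event (click, timer, load) is deliberately not an input:
  // under the proposal only the opener's origin and the user's answer count.
  // `prompt` stands in for the modal that greys out the page and pauses its
  // scripts; it returns { choice: ALLOW | DENY, remember: boolean }.
  requestPopup(origin, prompt) {
    const setting = this.settingFor(origin);
    if (setting !== ASK) return { opened: setting === ALLOW, prompted: false };
    const answer = prompt(origin);
    if (answer.remember) this.perOrigin.set(origin, answer.choice);
    return { opened: answer.choice === ALLOW, prompted: true };
  }
}

// The blur() heuristic: a window the user never touched is closed, not hidden.
class TrackedWindow {
  constructor() { this.userInteracted = false; this.closed = false; this.focused = true; }
  recordUserInput() { this.userInteracted = true; }
  blur() {
    if (!this.userInteracted) this.closed = true;
    else this.focused = false;
    return this.closed;
  }
}

// Constructed scenario: the open-then-blur pattern quoted earlier in the thread.
function simulatePopunder(policy, origin, prompt) {
  const result = policy.requestPopup(origin, prompt);
  if (!result.opened) return { ...result, survivedInBackground: false };
  const w = new TrackedWindow();   // w = window.open()
  const closed = w.blur();         // w.blur(), before any user input
  return { ...result, survivedInBackground: !closed };
}
```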


