Closed Bug 126224 Opened 23 years ago Closed 21 years ago

(NY Times) Web sites can create pop-up windows using img onload even if unrequested window is blocked (nytimes, image, popup)

Categories

(SeaMonkey :: UI Design, defect)

Product:
SeaMonkey
Component:
UI Design
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
VERIFIED WORKSFORME
Milestone:
Future

People

(Reporter: mozilla.org, Assigned: shliang)

References

(
URL
)

Details

(Keywords: relnote, testcase)

Attachments

(2 files, 2 obsolete files)

testcase
1.57 KB, text/html
Details
updated patch
4.51 KB, patch
security-bugs
: review+
jst
: superreview+
Details | Diff | Splinter Review
Under Preferences->Advanced->Scripts and Windows, I have the following three unchecked: "Open unrequested windows", "Move or resize existing windows", and "Raise or lower windows". This effectively eliminates pop-up windows (although it would be nice if I could control this feature on a per-site basis, but that's another story). Somehow, NYTIMES.COM has managed to get around this. It dosn't always happen, but when I visit the site, or click on a link to read a story, low-and-behold, a pop-up window appears with an ad!
Browser, not engine. Reassigning to Preferences and cc'ing Mitch, rginda. Compare similar-sounding bug 123647, "Popup window appears even when "open unrequested windows" is unchecked" although that is at a different site -
Assignee: rogerl → sgehani
Component: JavaScript Engine → Preferences
QA Contact: pschwartau → sairuh
I see this on linux too
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows 2000 → All
Hardware: PC → All
CC'ing Doron.
Keywords: helpwanted
Target Milestone: --- → Future
Did anyone capture the offending script? 123647 was caused by an onLoad in an image tag; we don't check for that. Is this the same thing? BTW, I'll take this bug, unless someone wants to fix it right away.
Assignee: sgehani → mstoltz
QA Contact: sairuh → bsharma
*** Bug 127555 has been marked as a duplicate of this bug. ***
I captured the script at: http://rc3.org/clips/orbitz_popunder_js.txt
Attached patch patch adds dom.disable_open_click_delay pref (obsolete) — — Splinter Review
this patch lets users set dom.disable_open_click_delay to the max acceptable delay between a mouse click and a window open. dom.disable_open_click_delay is a time in milliseconds.
Attached file testcase —
Attached patch patch without printf and commented out code (obsolete) — — Splinter Review
Attachment #71223 - Attachment is obsolete: true
Mitch, would you like to drive this one into the tree again?
Keywords: helpwantedmozilla1.0, patch
jst, got time for a sr?
*** Bug 127573 has been marked as a duplicate of this bug. ***
*** Bug 123647 has been marked as a duplicate of this bug. ***
*** Bug 128974 has been marked as a duplicate of this bug. ***
Comment on attachment 71225 [details] [diff] [review] patch without printf and commented out code - Replace all 4 space indentation with 2 space indentation. - s/PRInt64/PRTime/ on the whole diff sr=jst
Attachment #71225 - Flags: superreview+
Comment on attachment 71225 [details] [diff] [review] patch without printf and commented out code r=mstoltz. Good idea! I'll see about getting this into Moz 1.0.
Attachment #71225 - Flags: review+
Comment on attachment 71225 [details] [diff] [review] patch without printf and commented out code a=asa (on behalf of drivers) for checkin to the 1.0 trunk
Attachment #71225 - Flags: approval+
Actually, it occurs to me now that PR_IntervalNow has no units. We should probably use PR_Now instead, and divide |delta| by 1000 to get to milliseconds. Mitch, do you want to own the patch from here, or should I work up a new version?
Attached patch updated patch — — Splinter Review
spacing fixed, initialization fixed to use LL_ZERO instead of literal 0, PR_IntervalNow changed to PR_Now, PRInt64 changed to PRTime (the rest of the file uses PRInt64, btw.)
Attachment #71225 - Attachment is obsolete: true
jst, if you'll give the latest patch your blessing, I'll check it in when the tree opens.
Comment on attachment 73206 [details] [diff] [review] updated patch sr=jst
Attachment #73206 - Flags: superreview+
Comment on attachment 73206 [details] [diff] [review] updated patch Thanks for taking the initiative here, Rob. You know this stuff better than me. r=mstoltz. I'm assuming it's safe to use a PRTime as the seocnd parameter to LL_L2I on all platforms - is that safe? Is PRTime always a long long?
Attachment #73206 - Flags: review+
PRTime is typedef'ed to PRInt64, so on most platforms that would be a long long, and yes, it should always be safe to use with the LL* macros.
Checked in to trunk.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
On pages with a lot of images (news.bbc has over 40, for example), for a modem user, a solution based on time could be troublesome. It would need delicate fine-tuning, and still could be off. There's no easy way to do the clean solution and disable onload=window.open in any element? Also, the patch doesn't seem to add the new pref automatically when you disable "open unrequested windows" in scripts & windows... should it?
Asa gave me a verbal a= to check in to the 0.9.9 branch, so I just checked in there too. Jeremy: I don't think this will be a problem for slow loading pages. The time we measure is between the mouse click and the window.open request. Even on slow pages that time should be very small. As far as the UI goes, someone else will have to knock one together, please file a seperate bug.
Under "What's New In This Release", we should add something like... <li> It is now possible to disable the JavaScript <tt>window.open()</tt> method when it is not called as a result of a mouse click. When the <tt>dom.disable_open_click_delay</tt> pref is set to a nonzero number, window.open will fail when called more than that number of milliseconds after a mouse click. Setting this pref (instructions <a href="http://www.mozilla.org/releases/mozilla0.9.9/#setprefs">here</a>) should turn off pop-up and pop-under ads that use the <tt>onload</tt> handler of <tt>&lt;img&gt;</tt> tags to work around our <a href="http://bugzilla.mozilla.org/show_bug.cgi?id=92955">previous</a> <tt>window.open()</tt> filter. (<a href="http://bugzilla.mozilla.org/show_bug.cgi?id=126224">Bug 92955</a>)<br> <br> <tt>user_pref("dom.disable_open_click_delay", 1000);</tt>
Keywords: relnote
Why is this implemented as a seperate preference from the "Allow scripts to open unrequested windows" pref already implemented? In my mind, that checkbox should turn this feature on and off as well. From a user perspective, they do exactly the same thing -- stop popups. So, while it may be implemented as such, this bug doesn't introduce new functionality for the user. It corrects a bug with the existing functionality. And I strongly believe that there should not need to be a seperate UI pref for this as suggested in Comment #26. That's going to be very confusing for users.
This is new functionality, it does *not* correct a bug in the previous implementation. The previous implementation which "prevents window.open from working during onload, onunload, and timeouts" still exists and has *no* bugs. The fact that our prefs UI mis-represents, or glosses over the details is of no concern to me. File a new bug to bring the UI in line with this new functionality. I don't own that UI and have no personal interest in doing that work myself. UI discussion does not belong on this bug. I'm sure if y'all stop whining here and just file a new bug for the UI, someone will step up and do the work.
*** Bug 120413 has been marked as a duplicate of this bug. ***
I agree with Robert. If the wording of the Pref is "Allow scripts to open unrequested windows," and having this checked does not prevent some sites from opening an unrequested window - as here - then it's a bug. You can look at this two ways. It's a bug with the UI or it's a bug with the Mozilla code not implicitly linking this current bug into the existing UI. Which is less confusing? I would think it would be less confusing to keep the existing UI and link this bug into it so that there's no need for a separate Pref...
Your average web surfer is dumb to the ways of the web developer. They don't know the difference between a window.open() in a body onload, an image onload, one that's just sitting out there to be executed sans event. To them there is no difference. The behavior of these, however, is the same and its this bahavior that they want to disable. If you support the opposite view then every time a sneaky developer finds a way of opening an unrequested popup then you'd have to add a new option in the UI. Can you imagine: - Disable Unrequested Popups from body.onload - Disable Unrequested Popups from image.onload - Disable Unrequested Popups from iframes - Disable Unrequested Popups from js/DOM inserted script elements - Disable Unrequested Popups from onmouseover - Disable Unrequested Popups from onmouseout I suggest that any developer action that causes the behavior of an "unrequested popup" be grouped under this singular preference. Call this whining if you'd like, but I think this bug needs to be reopened and dealt with.
I've filed bug 132031 to deal with the UI. Maybe one of you wants to submit a patch, or something.
*** Bug 133871 has been marked as a duplicate of this bug. ***
*** Bug 139318 has been marked as a duplicate of this bug. ***
I can't get this workaround to work on RC1 and nytimes.com I've tried setting the value to 1000,250,100,10, and 1. I would assume faster machines would use shorter times.
Bug 126224 fixes just one method of opening unrequested popups. It's easy to implement others. For example, I can open popup from document.body.onmousemove handler. Event triggers when user just moves the mouse in the window. It means in 99.99% - popup will come up. I think it should be reopened with more general summary.
*** Bug 144481 has been marked as a duplicate of this bug. ***
*** Bug 145628 has been marked as a duplicate of this bug. ***
*** Bug 146480 has been marked as a duplicate of this bug. ***
*** Bug 147184 has been marked as a duplicate of this bug. ***
*** Bug 153362 has been marked as a duplicate of this bug. ***
*** Bug 153778 has been marked as a duplicate of this bug. ***
Summary: NY Times web sites creates pop-up windows even if that feature is disabled → NY Times web sites creates pop-up windows even if that feature is disabled (using img onload)
*** Bug 154270 has been marked as a duplicate of this bug. ***
*** Bug 154476 has been marked as a duplicate of this bug. ***
*** Bug 155134 has been marked as a duplicate of this bug. ***
*** Bug 155545 has been marked as a duplicate of this bug. ***
*** Bug 155901 has been marked as a duplicate of this bug. ***
*** Bug 146570 has been marked as a duplicate of this bug. ***
*** Bug 154988 has been marked as a duplicate of this bug. ***
*** Bug 156673 has been marked as a duplicate of this bug. ***
*** Bug 157980 has been marked as a duplicate of this bug. ***
Why was this implemented as a timeout? It seems to me that, no matter *how* much time has passed, if the window-creation action is not occurring as a direct result of a mouse click, then no windows should be created. In other words, windows should be creatable by *inclusion*: when and only when: - I've selected "File / New / Navigator" - I've clicked the middle button on a HREF - I've selected "Open in New Window" from the context menu - we're inside the scope of an onClick handler of an HREF that was loaded as the direct result of a mouse click. Relying on timeouts suggests that you've lost track of how you got where you are, and that's the actual bug that should be fixed. Right?
Alias: nytimes
*** Bug 153798 has been marked as a duplicate of this bug. ***
*** Bug 158462 has been marked as a duplicate of this bug. ***
*** Bug 158536 has been marked as a duplicate of this bug. ***
*** Bug 127757 has been marked as a duplicate of this bug. ***
*** Bug 126905 has been marked as a duplicate of this bug. ***
We keep getting bugs describing the case every day. I don't see how come we have this RESOLVED FIXED. Maybe WONTFIX, but not FIXED! I'll keep an eye on the user input for the next week, and will reopen next Sunday. If anybody objects, please reply.
I don't see any point in waiting another week (with all due respect). I count 27 dups.....with most of them happening after this was "fixed". So, I'm reopening this now as the existing UI pref should take care of this problem.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
I think JWZ is right in comment #53 we should not keep developing workarounds for the ways web developers bombard us with pop-ups. Stopping them alltogehter unless called from the interface or from a direct onclick handler (or the call to a function as the target of a href) is the only way to ensure that we don't have to come back to the drawing board every time. If we have a pref that disables unrequested windows, lets go all the way and disable unrequested windows... It should be much easier to create an inclusive list of "requested" windows than create a list of all the possible ways something could be unrequested.
Keywords: mozilla1.0mozilla1.1
At risk of being one of those dorks who writes "me too" posts, I also concur with JWZ's comment 53.
I concur with Mike Young's comments above. I opened one of the "dupe" bug reports regarding this issue and I think Mike Young's comments really "hit the nail on the head". Peace.... Tom
This bug was marked fixed because it seemed like all we needed was the UI for the new timeout-based pref. Looking back on it, I don't think we should hook this up to the UI at all. I don't like the false-positive debugger users will run into when stepping over a window.open call. Bug 132031 should probably be closed WONTFIX. A timeout-based solution was chosen because it was easy to implement. The first patch took me all of about 30 minutes to hack together. It's not my job to stop pop-ups. I just saw what I thought would be an easy work-around, and did it. I encourage any of you to Just Do It. I'll be happy to review your work. The main pref (the one that is actually hooked up to the UI) was introduced in bug 92955. The first patch there actually looked at the xpconnect stack to deny anything that came from "onload" or "onunload". One could use something similar to *allow* only "onclick"s. I'm not sure how you'd find out if you were in a javascript: url, but it's probably possible. If you were to try something like that, you'd probably do it in CheckForAbusePoint, which is here: <http://lxr.mozilla.org/mozilla/source/dom/src/base/nsGlobalWindow.cpp#2816>.
*** Bug 158705 has been marked as a duplicate of this bug. ***
Robert Ginda: re your comment 64, are you saying that a patch to prevent window openings shouldn't be attached to the "Open Unrequested Windows" checkbox?
There are two prefs here. The first was introduced in bug 92955, and is "dom.disable_open_during_load". This pref blocks window.open() calls that are made from script that runs outside of any function, from an onload or onunload event, or from a setTimeout/setInterval. This pref is what is currently hooked up to "Open unrequested windows". I think it's just dandy, and it does the job fine for me. Then the ny times came along and put a window.open in an <IMG> onload handler. Maybe they did it to get around "dom.disable_open_during_load", or maybe it was dumb luck. As a quick hack, I came up with a SECOND pref, "dom.disable_open_click_delay", which blocks window.open calls based on how soon they happen after a mouse click. This pref was never added to the UI, instead bug 132031 was filed with the hopes that someone else would do it. In comment 64, I suggested we SHOULDN'T add this pref to the UI, because "dom.disable_open_click_delay" probably isn't the right idea, and it is prone to false positives. Instead, I say "dom.disable_open_click_delay" should probably be backed out. Looking back at nsGlobalWindow.cpp now, I think we can once again scrap the idea of looking at the xpconnect stack, and instead set a mInClickEvent flag in GlobalWindowImpl::HandleDOMEvent. This flag would only be true for the life of the HandleDOMEvent call, when aEvent->messsage was NS_MOUSE_RIGHT_CLICK (and whatever else makes sense.) We would still need to work out javascript: urls, unless they are dispatched from the NS_MOUSE_RIGHT_CLICK event (which would things very easy.)
rginda, would you want to back out the patch here and create a new bug to "Strengthen Disable Open Unrequested Windows"? marking this bug as dup? I think your proposed idea seems about right, but I think we should be able to determine the source of the call to the function without resorting to flags for onClick. (although I might be wrong...) From what I see, there are only the following _valid_ requested windows (I am open to additions...): 1. Opened from the interface (in new window, middle click, File > New, Accel-N, etc.) -- I believe that these are already immune and don't need to be worried about. 2. Opened via an onClick, onDblClick, onMouseDown, onMouseUp, onKeyPress, onKeyDown, onKeyUp, onSubmit?(debatable). 3. Opened via a javascript: URL of a clicked link. The onSubmit is not necessarily a user-activated event, but is often used as such. (I would say onFocus too, but the idea of someone *requesting* a popup window via tabbing into a field seems far-fetched.) The problem is that a malicious web developer could call a submit() routine on a form with no visible elements and no href and effectively get around the popup blocking.
I agree that a new bug is needed at this point so as to avoid confusion. (Neither this bug nor bug 132031 really cover what we want, which is "Strengthen Disable Open Unrequested Windows" as just suggested.)
> rginda, would you want to back out the patch here and create a new bug to > "Strengthen Disable Open Unrequested Windows"? marking this bug as dup? Maybe. Maybe this bug should stay open so folks can find it, and "Strengthen Disable Open Unrequested Windows" should be marked as blocking this bug. > I think your proposed idea seems about right, but I think we should be able to > determine the source of the call to the function without resorting to flags for > onClick. (although I might be wrong...) I'm not sure how you're going to know that window.open was called from an onclick event without maintaining some sort of state to that effect. Unless you resort to the xpconnect stack checking code. > 1. Opened from the interface (in new window, middle click, File > New, > Accel-N, > etc.) -- I believe that these are already immune and don't need to be worried > about. Correct, windows opened from chrome code are always allowed, that's what the |if (item)| condition in GlobalWindowImpl::CheckForAbusePoint is doing. > 2. Opened via an onClick, onDblClick, onMouseDown, onMouseUp, onKeyPress, > onKeyDown, onKeyUp, onSubmit?(debatable). > 3. Opened via a javascript: URL of a clicked link. what about |document.location = "javascript:void window.open('foo.html');";|? I think this whitelist idea has more nooks and crannies than people suspect. If you open "Strengthen Disable Open Unrequested Windows", don't assign it to me (cc: is ok.) I'll help out where I can, but I don't have the kind of free time I think it will take to get this right.
I have filed bug 159036 to deal with the issue of Strengthening Disable Open unrequested windows. I have added only rginda to the CC list (because i usually hate it when people CC me without permisssion, so if you are on this list you have to add yourself) I have answered rgindas comment about document.location = javascript: there And if that bug is fixed, it will in turn fix this bug... The issue still exists about backing out the patch in this bug.
Depends on: 159036
*** Bug 159385 has been marked as a duplicate of this bug. ***
*** Bug 160527 has been marked as a duplicate of this bug. ***
*** Bug 153825 has been marked as a duplicate of this bug. ***
*** Bug 160652 has been marked as a duplicate of this bug. ***
Filed bug 160670, "back out dom.disable_open_click_delay".
*** Bug 161366 has been marked as a duplicate of this bug. ***
*** Bug 157629 has been marked as a duplicate of this bug. ***
Should we mark this dupe of bug 159036 (strengthen via whitelist)?
I would advocate leaving it open for discoverability (searching on NY times). Just look at the names or the URLs in the Dupes.
Hopefully bug 159036 will be the chosen solution to fix this bug, but it is still a different bug. There is always the possibility that the developers would like to fix this bug by simply blocking IFRAMES. Leave this bug open, but if you have some free time to write code, try your hand at 159036 before you work here... :-)
Another workaround (besides disabling iframes) is to completely turn off window.open for nytimes.com. Something like this... user_pref("capability.policy.popupsites.sites", "www.nytimes.com"); user_pref("capability.policy.popupsites.Window.open", "noAccess");
>>Another workaround (besides disabling iframes) is to completely turn off >>window.open for nytimes.com. Something like this... >>user_pref("capability.policy.popupsites.sites", "www.nytimes.com"); >>user_pref("capability.policy.popupsites.Window.open", "noAccess"); Would the user then have to configure EACH and every address to block? I reported this same problem but on a DIFFERENT website and that bug was marked as a dupe of this one. Peace.....
You can add more sites to the "popupsites" zone by listing them in the .sites pref, like... user_pref("capability.policy.popupsites.sites", "www.nytimes.com www.someothersite.com www.yasite.com");
*** Bug 163037 has been marked as a duplicate of this bug. ***
>>You can add more sites to the "popupsites" zone by listing them in the .sites >>pref, like... >>user_pref("capability.policy.popupsites.sites", "www.nytimes.com >>www.someothersite.com www.yasite.com"); Ok, will there be an interface element to this ".sites" pref file through the browser or is this something the end user will have to modify manually? I think a browser interface element would minimize bug reports as people "discover" (after filing the bug report) that they must edit the ".sites" file. Peace.....
Blocks: majorbugs
Add Yahoo to the mix. I just visited http://news.yahoo.com/ with 2002082109 trunk and up came the plague of the Internet (an X2 spycam popup).
Will all due respects to Jerry Baker's comment 87, the X cam is not the *plague* of the internet, but the plaque of the internet, i.e., what you get for not brushing and flossing your web browser's source code. Vote for bug 126224 today!
sorry if I am wrong, I can't find any code in nsGlobalWindow.cpp CheckForAbusePoint() that blocks onunload pop-ups.
Summary: NY Times web sites creates pop-up windows even if that feature is disabled (using img onload) → (NY Times) Web sites can create pop-up windows using img onload even if unrequested window is blocked
sorry if I am wrong, I can't find any code in nsGlobalWindow.cpp CheckForAbusePoint() that blocks onunload pop-ups.
*** Bug 161975 has been marked as a duplicate of this bug. ***
Daniel, you are wrong. Look at the code that sets mIsDocumentLoaded.
Robert, yes, thank you. seamonkey/source/dom/src/base/nsGlobalWindow.h line 294 PRPackedBool mIsDocumentLoaded; // true between onload and onunload events
Blocks: popups
The workaround described in comment 82 with setting capability.policy.popupsites does not work for me (build Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020529). I added the two lines to prefs.js, but the NYTimes popup still appears. Has this been added in a later build than what I have installed?
In response to comment 94: since 0.9.9 you also need to add this line: user_pref("capability.policy.policynames", "popupsites"); see: http://www.mozilla.org/projects/security/components/ConfigPolicy.html An easier fix against all popups like these is of course setting this preference: user_pref("dom.disable_open_click_delay", 1000); *winces as he spams another load of people*
*** Bug 178082 has been marked as a duplicate of this bug. ***
*** Bug 178644 has been marked as a duplicate of this bug. ***
Summary: (NY Times) Web sites can create pop-up windows using img onload even if unrequested window is blocked → (NY Times) Web sites can create pop-up windows using img onload even if unrequested window is blocked (nytimes, image, popup)
*** Bug 179088 has been marked as a duplicate of this bug. ***
*** Bug 181109 has been marked as a duplicate of this bug. ***
Don't know if this helps, but at least in w/ 1.2.1 the uninvited pop-ups happen only going BACKWARD in the browser, from an article back to, say, the home page, at least for me. OTOH, the slick Tabs function (thankyouthankyouthankyou) has sort of relegated the Back button to, er, the dustbin of history. Quiz: who said that?? BTW, I'm not a programmer, just a simple WAN analyst....one who really appreciates Mozilla, I introduce all my (L)users to it.... NYTimes opening pop-ups is simply annoying, an in-your-face by heartless adverti$ing wonks....and the ads! So cheesy... Cheers!
I swear this didn't happen in 1.3a, but it is certainly present in 1.3b. Any luck with a fix? What's up with the new "popup windows" preferences anyhow?
*** Bug 195653 has been marked as a duplicate of this bug. ***
*** Bug 195466 has been marked as a duplicate of this bug. ***
*** Bug 186850 has been marked as a duplicate of this bug. ***
Keywords: mozilla1.1
*** Bug 200107 has been marked as a duplicate of this bug. ***
FYI, I am using 1.3 stable Mozilla, and every now and again NYT squeaks one by the pop-up filter. Since I do tabbed browsing, and almost never hit the 'back' button, this happens only when accessing www.nytimes.com front page. From there I think I have had like 1 pop-up *ever* accessing a page further in, and I read nytimes several times daily. I wonder-do they have some guy out there that does nothing but try and defeat Mozilla's pop-up filter? Weird. Eric
Mozilla's popup blocking also fails to block a popup on Consumer Reports' webpage (http://www.consumerreports.org/main/home.jsp). This popup window appears to be initiated by mouse-over events on the navigation bar at the top of the page. These appear to be the relevant sections of code: <script language="JavaScript"> <!-- function showWindow(e) { var x=y=0; if (e != '') { x = e.screenX; y = e.screenY; } myWindow=window.open('http://cdn.consumerreports.org/static/popup/didyouknow.html','windowName', 'width=200,height=300,screenX=' + x + ',screenY=' + y + ',left=' + x + ',top=' + y); } //--> </script> <tr><td><div align="center" class="blackbold_16-px"><a href="#" onClick="if (window.event || document.layers) showWindow(window.event); else showWindow('');" onMouseOver="if (window.event || document.layers) showWindow(window.event); else showWindow('');"><img SRC="http://cdn.consumerreports.org/static/popup/didyouknow.gif" alt="Did you know?" width="109" height="39" border="0"></a></div></td></tr>
*** Bug 202494 has been marked as a duplicate of this bug. ***
*** Bug 202745 has been marked as a duplicate of this bug. ***
*** Bug 204768 has been marked as a duplicate of this bug. ***
Another site can evade Firebird's popup blocker. From http://www.geocities.com/rosannaarquette2/ select http://www.geocities.com/rosannaarquette2/pictures.html. You will be presented with a series of popup windows from http://www.popupad.net. Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4b) Gecko/20030516 Mozilla Firebird/0.6, popup blocking and javascript both enabled. When javascript is disabled, the popup windows are not launched.
It happens in mozilla as well. It's a form submission, so it almost doesn't fit in this bug. Here's the code that does it: <script language=JavaScript> <!--// function loadpopup() { document.flauncher.submit(); focus(); setTimeout('focus()',2000); } // --> </script> </head> <body BGCOLOR="#E4ECF6" onLoad='loadpopup()'> <form name='flauncher' action='http://www.popupad.net/ats/switch.php' target='adv' method='post' onSubmit='focus();'>
Samuel (and possible Ed Hume): yours are different from this bug report since this one is about opened popups created by img onload event - yours are created using onload form.submit. This is currently discussed in bug #144726 so you may also want to add yourself to the CC-list there.
Comment #112 confuses me a bit (so what's new). Is it the "onLoad" in the "body" tag, or the "action" in the "form" tag that is causing this particular popup? In any case, the original report in Bug #144726 has the same source as Comment #112. In other words, don't post an answer to my question to this bug, just send private eMail or post to Bug #144726.
Moving Popup Blocking bugs to XPApps, assigning to shliang
Assignee: mstoltz → shliang
Status: REOPENED → NEW
Component: Preferences → XP Apps
*** Bug 209386 has been marked as a duplicate of this bug. ***
I have yet to get an unrequested popup from NYTimes and I visit it daily Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5b) Gecko/20030911 Firebird/0.6.1+
The NYTimes may have stopped annoying its customers but the technique described in this bug still needs to be addressed.
I agree with the comments that when user says "block unrequested popups" that's what they mean, no matter how they're created. I just ran across an annoying popup ad (though interesting in that it's borderless) on the Channel 4 (british tv) website: http://www.channel4.com/entertainment/tv/microsites/G/graham/weblogs/index.html This appears to be the offending section, but I've never heard of an iframe tag before: <script language="JavaScript"><!-- if (!document.c4Category) document.c4Category = ""; if (!document.c4Module) document.c4Module = ""; banStr = "category="+document.c4Category+"&module="+document.c4Module+"&content="+document.c4Content+"&size=468_60&"; var now = new Date(); RND = now.getSeconds(); document.write ('<iframe width="468" height="60" marginwidth="0" marginheight="0" hspace="0" vspace="0" frameborder="0" scrolling="no" bordercolor="000000" src="http://ads.channel4.com/html.ng/site=C4&'+ banStr +'Rnd='+ RND + '">'); document.write ('<scr'+'ipt language="JavaScr'+'ipt" src="http://ads.channel4.com/js.ng/params.richmedia=yes&site=C4&'+banStr+'Rnd='+ RND + '"></scr'+'ipt>'); document.write ('</iframe>');//--></script>
iframe was, I think, created by Microsoft but is now supported by most browsers. What I've never heard of is scrolling=no, which is what would appear to make it "popup-like" in that it's positioned during redering, and then never moved as a result of scrolling. Personal opinion here: "scrolling=no" should not be obeyed if popups are disabled. There's just no good reason for it....
The testcase WFM (I don't get any pop-ups) in Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7a) Gecko/20040131 Firebird/0.8.0+ (aebrahim) (That build is before danm's checkin for bug 197919.)
All testcases WFM Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7a) Gecko/20040209. Michaell confirmed WFM on IRC.
Status: NEW → RESOLVED
Closed: 23 years ago21 years ago
Resolution: --- → WORKSFORME
Blocks: pop-up-arms-race
No longer blocks: popups
Product: Core → Mozilla Application Suite
No longer blocks: majorbugs
Status: RESOLVED → VERIFIED
Keywords: testcase
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: