Open Bug 1325776 Opened 4 years ago Updated 2 years ago

Disable popups still allows some popups/popunders

Categories

(Core :: DOM: Core & HTML, defect, P3)

50 Branch
defect

People

(Reporter: martijn, Unassigned, NeedInfo)

References

(Blocks 1 open bug)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0
Build ID: 20161208153507

Steps to reproduce:

I'm on a shady site that opens popunders on random clicks. So I go to right click -> View Page Info -> Permissions -> Open Popup Windows. I then untick Use Default and set it to Disabled.

Please forgive me, as I'm not sure if it's allowed to mention the site here, because it's a (fairly well-known) torrents website that features, shall we say, "grey area" torrents.


Actual results:

The site still manages to open popups/popunders.
Since shady sites open shady popups/popunders, this problem might pose a security risk to the unexpecting user.


Expected results:

When popups are disabled, I would expect Firefox to block ALL popups. Popups enabled should (likely) mean that only intended popups are allowed (those followed by a click or similar).

This needs a testcase / URL, otherwise there is pretty much nothing we can do.
Group: firefox-core-security
You asked for it:

https://rarbg.to/

Remember, it happens randomly/occasionally!
Remember, I warned about it being a shady site!
Why is the security flag removed? I explained why this is a security risk. You may not agree, but other users will.
(In reply to Martijn from comment #3)
> Why is the security flag removed? I explained why this is a security risk.
> You may not agree, but other users will.

Pop-up windows are not security risks in and of themselves, and security bugs can only be seen by a very small set of people, which reduces the chance that they get triaged correctly and fixed.
Let's see if somebody can reduce this to a real testcase.
Keywords: testcase-wanted
Component: Untriaged → DOM: Core & HTML
Product: Firefox → Core
Priority: -- → P3
The following super ironic URL test case was loading some obfuscated code:
http://mozilla.6506.n7.nabble.com/Using-alwaysLowered-from-chrome-extension-does-not-seem-to-work-td219780.html

This essentially loads a window and blurs it:


        var f = 'https://example.com';
        var l = 'width=1,height=1,left=' + (screenX + outerWidth / 2) + ',top=' + (screenY + outerHeight / 2);

        function firefox_trigger() {
            document.removeEventListener('click', firefox_trigger, false);
            var a = window.open(f, 'pu_', l);
            if (a) {
                a.blur();
                try {
                    var b = a.window.open('about:blank');
                    b.close()
                } catch (i) {};
                window.focus()
            }
        }

        var c = document.querySelectorAll('a');
        for (var i = 0; i < c.length; i++) {
          var d = c[i].getAttribute('href');
          if (d && d.indexOf('javascript:') == -1) {
            c[i].addEventListener('click',firefox_trigger,false);
          }
        }

This simple test case reproduces for me.
Re-reading this: the popup blocker doesn't have UI to enable a mode where clicks no longer allow popups to open, either. Mostly because websites regularly use JS to intentionally open popups, and it'd be frustrating for users if those were blocked by default.

You can use an add-on or about:config (dom.popup_allowed_events) to alter what events are allowed to open popups while popups are blocked, and could use that to also block popups on sites like this.

Otherwise, I'm not convinced there's anything to do here. I expect we already have other bugs on file to add some kind of UI for that pref.
:Gijs are you suggesting we should allow popunders?

Chrome for the reproduction allows the popup but doesn't let the website ever hide the popup and make it into a popunder.
Flags: needinfo?(gijskruitbosch+bugs)
(In reply to Jonathan Kingston [:jkt] from comment #9)
> :Gijs are you suggesting we should allow popunders?

No, if we can usefully disallow blur() or other techniques here without breaking web compat then we should consider doing so. It's not clear to me in what circumstances chrome no-ops those calls though. Do you know? We should probably align with them to avoid webcompat woes.
Flags: needinfo?(gijskruitbosch+bugs) → needinfo?(jkt)
I don't know, no, but I think that Chrome is just denying the window.focus as the page has chosen to blur in the click handler.

- Opening two windows should really trigger the popup blocker
- Focusing after a blur probably could be ignored too perhaps

We might have to dig into Chrome code to discover exactly what the difference is though.

Chrome still permits the navigation from the <a> and creates the popup for example.com; however, it looks like this popup looks focused, like the blur was denied.
Flags: needinfo?(jkt)
What do you guys think of marking this as `New` instead of unconfirmed?
Flags: needinfo?(jkt)
I’ve recorded a video of a popunder window on The Pirate Bay in Firefox Nightly:

https://www.youtube.com/watch?v=4px4ELsViCk (warning: the video shows adult ads)

In this particular instance, the popunder window most likely includes a cryptominer, since my laptop fan runs at full speed whenever the window is opened. Because of this, the issue isn’t just the annoying window itself, but how it makes Firefox look like a browser that performs very poorly. Most users don’t understand the intricacies of cryptominers and similar shady techniques. Hence, I recommend that you provide a strict option for disabling all such popunder windows.
This is pretty irritating when it happens however I'm not 100% sure on the exact fix needed here.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(jkt)

The best fix would be to open only one popup for one event (which is Chromium behavior).

Flags: needinfo?(groowycz)

FWIW, I kill the dom.popup_allowed_events value (set it to an empty string) to deal with annoying popups. This method works surprisingly well. And only very few sites have compatibility issues with this. The one I can think of is drive.google.com, which seemingly relies on window.open to launch documents in new tabs.

So the idea would be to just turn an empty dom.popup_allowed_events into an option in Settings (with a warning that it may break sites).
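
As an added example (not from the bug thread and not Firefox's code), the toy model below compares the two mitigations discussed in the comments above: an empty dom.popup_allowed_events and a one-popup-per-event quota. The sample allowed-events string, the policy names and the function names are assumptions made for illustration; the two URLs are the ones the testcase opens during a single click.

```javascript
// Toy model of a popup-blocker decision, for comparing policies only.
// ALLOWED_EVENTS_SAMPLE is a constructed value, not the real default of the pref.
const ALLOWED_EVENTS_SAMPLE = "click dblclick mouseup submit";

// Parse a space-separated pref value such as dom.popup_allowed_events.
function parseAllowedEvents(prefValue) {
  return new Set(prefValue.split(/\s+/).filter(Boolean));
}

// Decide the fate of each window.open() call made while handling one event.
// policy.allowedEvents: pref string; policy.maxPopupsPerEvent: quota (Infinity = none).
function evaluateEvent(eventType, openCalls, policy) {
  const allowed = parseAllowedEvents(policy.allowedEvents);
  let opened = 0;
  return openCalls.map((url) => {
    if (!allowed.has(eventType)) {
      return { url, verdict: "blocked", reason: "event not in allowed list" };
    }
    if (opened >= policy.maxPopupsPerEvent) {
      return { url, verdict: "blocked", reason: "per-event quota exhausted" };
    }
    opened += 1;
    return { url, verdict: "allowed", reason: "user-initiated event" };
  });
}

// Constructed input: the two window.open() calls the testcase makes in one click.
// Simplification: the call made through the popup's own window is counted
// against the same click event.
const TESTCASE_CALLS = ["https://example.com", "about:blank"];

const POLICIES = {
  permissive: { allowedEvents: ALLOWED_EVENTS_SAMPLE, maxPopupsPerEvent: Infinity },
  onePerEvent: { allowedEvents: ALLOWED_EVENTS_SAMPLE, maxPopupsPerEvent: 1 },
  emptyPref: { allowedEvents: "", maxPopupsPerEvent: Infinity },
};

// Verdicts for the testcase's click under a named policy.
function summarize(policyName) {
  return evaluateEvent("click", TESTCASE_CALLS, POLICIES[policyName])
    .map((r) => r.verdict);
}

for (const name of Object.keys(POLICIES)) {
  console.log(name, summarize(name).join(", "));
}
```

Under the one-per-event quota the first popup still opens, so that quota alone does not address the blur()/focus() step that turns the popup into a popunder.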
