Closed Bug 282931 (fastclick-popup) Opened 19 years ago Closed 7 years ago

FASTCLICK.COM popup not blocked by Mozilla

Categories

(Core Graveyard :: Plug-ins, defect)

x86
Windows 2000
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: mlueck, Unassigned)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20041217
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20041217

This site on the history page has a FASTCLICK.COM ad. Mozilla is unable to block
the ad. One of our engineers came up with the following details on the situation
causing the popup block failure.

Here is the code that takes care of this. Since you would not generally
want anything at all from fastclick, you could bulk block, or send to
the link to the boys at Mozilla. Since this checks for a cookie, it
will not come up a second time. The part that causes it to be gotten
away with is the separation of the url, and parts of what is written.
Nice group of folks over there at fastclick.

<!-- FASTCLICK.COM POP-UNDER CODE v1.8 for boardhost.com (12 hour) -->
<script language="javascript"><!--
var dc=document; var date_ob=new Date();
dc.cookie='h2=o; path=/;';var bust=date_ob.getSeconds();
if(dc.cookie.indexOf('e=llo') <= 0 && dc.cookie.indexOf('2=o') > 0){
dc.write('<scr'+'ipt language="javascript" src="http://media.fastclick.net');
dc.write('/w/pop.cgi?sid=2369&m=2&tp=2&v=1.8&c='+bust+'"></scr'+'ipt>');
date_ob.setTime(date_ob.getTime()+43200000);
dc.cookie='he=llo; path=/; expires='+ date_ob.toGMTString();} // -->
</script>
<!-- FASTCLICK.COM POP-UNDER CODE v1.8 for boardhost.com -->

Reproducible: Always

Steps to Reproduce:
1. Go to the URL provided
2. In the top frame click on "Historical Questions and Answers"
3. A popup opens per the code provided
I don't get a popup using
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b) Gecko/20050208
For support issues please see the comments in threads such as
http://forums.mozillazine.org/viewtopic.php?p=1240477 

(At least four threads have been started on mozillazine).

On pages with this exploit, the occurrence of the pop up 
is intermittent depending on time and cookies (as can
be seen in the code), so reports of WFM are of little value.
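
The snippet quoted in comment 0 splits both the script tag and the URL across string literals and two write() calls, and gates itself on cookies. As an added example (not code from this report or from Mozilla; the function names and the blocklist are assumptions), this JavaScript folds the literals back together to recover the injected script host and models the cookie gate that makes reproduction intermittent:

```javascript
// Added example, not code from the bug report or from Mozilla.
// SAMPLE reproduces the two write() calls quoted in comment 0.
const SAMPLE = `var dc=document;
dc.write('<scr'+'ipt language="javascript" src="http://media.fastclick.net');
dc.write('/w/pop.cgi?sid=2369&m=2&tp=2&v=1.8&c='+bust+'"></scr'+'ipt>');`;

// Suffixes named in the thread as candidates for blocking (assumed list).
const BLOCKED = ["fastclick.com", "fastclick.net"];

// Fold 'a'+'b'+ident into one string; non-literal operands become "VAR".
function foldConcat(expr) {
  const tok = /'((?:[^'\\]|\\.)*)'|"((?:[^"\\]|\\.)*)"|([A-Za-z_$][\w$.]*)/g;
  let out = "", m;
  while ((m = tok.exec(expr)) !== null) out += m[1] ?? m[2] ?? "VAR";
  return out;
}

// Rebuild the markup that successive document.write() calls emit,
// following simple `var x=document` aliases.
function writtenMarkup(src) {
  const names = ["document"];
  for (const m of src.matchAll(/\bvar\s+([A-Za-z_]\w*)\s*=\s*document\b/g)) names.push(m[1]);
  const call = new RegExp(`\\b(?:${names.join("|")})\\.write\\((.*?)\\);`, "gs");
  return [...src.matchAll(call)].map(m => foldConcat(m[1])).join("");
}

// Hosts of injected <script src=...> tags that match the blocklist.
function blockedScriptHosts(src) {
  const hits = [];
  for (const m of writtenMarkup(src).matchAll(/<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi)) {
    let host;
    try { host = new URL(m[1]).hostname; } catch { continue; }
    if (BLOCKED.some(s => host === s || host.endsWith("." + s))) hits.push(host);
  }
  return hits;
}

// Model of the cookie gate: the snippet sets h2=o, then requires that
// cookie to be readable and the 12-hour he=llo cookie to be absent.
function gateFires(jar, cookiesEnabled = true) {
  if (!cookiesEnabled) return false; // h2=o never becomes readable
  const after = jar.filter(c => !c.startsWith("h2=")).concat("h2=o").join("; ");
  return after.indexOf("e=llo") <= 0 && after.indexOf("2=o") > 0;
}
```

A profile that already holds the he=llo cookie, or one with cookies disabled, never reaches the write() calls, which is why a single "no popup" observation says little about whether the page carries the script.
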
>so reports of WFM are of little value

I am not sure what WFM is, but I assume you mean my opening the bug is of little
value. Our point is that popup vendors are getting smarter and trickier, thus
the Mozilla popup blocker needs to somehow follow. The popup blocker technology
is reactive, not proactive, and thus must react to new tactics used by popup
vendors.
(In reply to comment #3)
> >so reports of WFM are of little value
> 
> I am not sure what WFM is, but I assume you mean my opening the bug is of 
> little value. 

Not really (and I agree with the part of your comment that I snipped).

WFM = Works for me, and applies to statements such as "I don't get
the pop up".

Your bug though admirably concise - brief and complete - probably
belongs with Bug 253831 "sites with pop-ups that get past our pop-up 
blocker"
WFM with trunk builds and FF10. And it is not the trick with flash (see
http://www.heise.de/newsticker/meldung/56646), that would be bug 176079.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME
Version: unspecified → 1.7 Branch
I'm making an executive decision to reopen this bug. The infamous fastclick
popup script that has infested the web like a swarm of hives this past week or
so has spawned so much noise in the user groups, and so many duplicate bug
reports, that we need a magnet for future duplicate bugs. This very nicely
written, concise bug report is my favourite.

For starters, it's not WFM in my book. If you follow the steps to reproduce
(load the website given and click the Historical Questions and Answers link),
this site certainly does load the fastclick script and attempt to open one popup
window (two if you have Flash).

The first popup window is as described in comment 0. This is not a problem for
Firefox 1.0 or later (unless you're having problems with extensions or something
similar). The second window is as described in comment 5. This is a
straightforward Flash popup.

No mistake, this fastclick script is not a new exploit. It's just the first
widely disseminated exploit that uses Flash to open a popup window. That makes
this bug a duplicate of bug 176079. But it's best we leave it open for now
because of the prevalence of the offending script. See especially bug 176079
comment 32 for a means to defeat this exploit.
Status: RESOLVED → UNCONFIRMED
Resolution: WORKSFORME → ---
*** Bug 282382 has been marked as a duplicate of this bug. ***
*** Bug 283061 has been marked as a duplicate of this bug. ***
*** Bug 283176 has been marked as a duplicate of this bug. ***
(In reply to comment #6)
You are right, thanks for reopening. I forgot to deactivate the hidden pref. Sorry
for the inconvenience caused. Adding dependency.
Depends on: BlockFlashPopup
Version: 1.7 Branch → Trunk
(In reply to comment #6)
> .... If you follow the steps to reproduce
> (load the website given and click the Historical Questions and Answers link),
> this site certainly does load the fastclick script and attempt to open 
> one popup window (two if you have Flash).
> 
> .... See especially bug 176079 comment 32 for a means to defeat this exploit.

Confirming. I added a new integer preference 
'privacy.popups.disable_from_plugins' set to 2, and I can follow
the recipe: Firefox claims to block 2 popups 
'members4.boardhost.com/RRHXHistory/' and
'media113.fastclick.net/w/safepop.cgi? ...'

I went to http://www.kephyr.com/popupkillertest/ (Mozilla now has
18% of 10 000 votes) and test 13 ' This test tries to open two pop-up windows 
using Flash. The pop-up killer failed if any of the pop-up windows got 
through.' seems to be passed by Firefox (though FWIW Firefox only claims
to block 1 popup). Only 44% of browsers have claimed to block this test,
and when I tried a few days ago, Firefox failed that test.

If this is now considered to be the qualified solution, it should be
posted on mozillazine (I can't see an active appropriate thread there at 
present).
Of course it works. Feel free to mention it on Mozillazine (but please don't
feel obligated to confirm it here in Bugzilla). I know of one instance where
Flash blocking already has been mentioned in the explicit context of this issue
( http://forums.mozillazine.org/viewtopic.php?p=1251819#1251819 ), and dozens
where it has been mentioned on its own merits. Mozillazine is such shifting
sands that anything you say is lost within 12 hours; I stopped participating
last year and I'm much happier for it.
Ugh. Breaking one of my own rules here,
> but please don't feel obligated to confirm it here in Bugzilla
I mean thanks for adding the useful confirmation note in comment 11 but from now
on please keep Mozillazine out of this bug.
*** Bug 283307 has been marked as a duplicate of this bug. ***
*** Bug 283496 has been marked as a duplicate of this bug. ***
*** Bug 283784 has been marked as a duplicate of this bug. ***
*** Bug 283911 has been marked as a duplicate of this bug. ***
*** Bug 284393 has been marked as a duplicate of this bug. ***
*** Bug 283550 has been marked as a duplicate of this bug. ***
Assignee: general → nobody
Status: UNCONFIRMED → NEW
Component: General → Plug-ins
Ever confirmed: true
Product: Mozilla Application Suite → Core
QA Contact: general → plugins
*** Bug 285610 has been marked as a duplicate of this bug. ***
*** Bug 286453 has been marked as a duplicate of this bug. ***
*** Bug 287205 has been marked as a duplicate of this bug. ***
*** Bug 286615 has been marked as a duplicate of this bug. ***
*** Bug 288145 has been marked as a duplicate of this bug. ***
"The first popup window is as described in comment 0. This is not a problem for
Firefox 1.0 or later (unless you're having problems with extensions or something
similar)."

Dan, I have to disagree.  Make a webpage with just the script block shown in
comment 0, start Firefox up in safe mode so all extensions are turned off, etc.,
use a fresh profile or clear your cookies.  Sometimes it will actually open a
popup, even though Firefox will say that it blocked it.  No flash, just
javascript.  We do need to tweak the blocker to handle this.
(In reply to comment #25)
> "The first popup window is as described in comment 0. This is not a problem for
> Firefox 1.0 or later (unless you're having problems with extensions or something
> similar)."
> 
> Dan, I have to disagree.  Make a webpage with just the script block shown in
> comment 0, start Firefox up in safe mode so all extensions are turned off, etc.,
> use a fresh profile or clear your cookies.  Sometimes it will actually open a
> popup, even though Firefox will say that it blocked it.  No flash, just
> javascript.  We do need to tweak the blocker to handle this.

Same here. I'm running 1.0.2 with NO extensions, no special tweaking, and still
get pop-ups on some sites.
You will see this bug was logged against the Mozilla Suite 1.7.5 and not
Firefox. I have yet to take the time to figure out how to package Firefox in our
Electronic Software Distribution system... I am not too pleased with the
complexities presented in Firefox for centrally managed implementations.
*** Bug 285679 has been marked as a duplicate of this bug. ***
Depends on: 227338
versions of the fastclick.com code also add click or other event handlers. The
dom.popup_allowed_events pref talked about in bug 227338 is usually required in
addition to the flash blocking.
*** Bug 288093 has been marked as a duplicate of this bug. ***
*** Bug 288758 has been marked as a duplicate of this bug. ***
*** Bug 289597 has been marked as a duplicate of this bug. ***
Alias: fastclick-popup
*** Bug 292468 has been marked as a duplicate of this bug. ***
*** Bug 293469 has been marked as a duplicate of this bug. ***
*** Bug 294179 has been marked as a duplicate of this bug. ***
*** Bug 294814 has been marked as a duplicate of this bug. ***
The popups must die extension and privacy.popups.disable_from_plugins are not
preventing new ads from tribal fusion from generating popup ads. Visit
http://pittsburghlive.com/x/tribune-review/trib/newssummary/s_336985.html for an
example.
*** Bug 296646 has been marked as a duplicate of this bug. ***
*** Bug 298095 has been marked as a duplicate of this bug. ***
(In reply to comment #39)
> *** Bug 298095 has been marked as a duplicate of this bug. ***
The popup still comes up when I leave drudgereport and return.
*** Bug 298020 has been marked as a duplicate of this bug. ***
*** Bug 291182 has been marked as a duplicate of this bug. ***
*** Bug 296478 has been marked as a duplicate of this bug. ***
*** Bug 300557 has been marked as a duplicate of this bug. ***
re: comment #29

dveditz: you said:
>dom.popup_allowed_events pref talked about in bug 227338

i don't see anything relevant in bug 227338.  did you cut and paste the wrong
bug number?  in any case, can you elaborate?

tia,
marc
(In reply to comment #45)
> dveditz: you said:
> >dom.popup_allowed_events pref talked about in bug 227338
> 
> i don't see anything relevant in bug 227338.

No idea where that came from. try bug 233377 comment 2, leading to the
implementation in bug 197919

Changing those values enough to foil sites like fastclick.com, however, breaks
lots and lots of legitimate things (including our own "show blocked popup" UI). 
*** Bug 308747 has been marked as a duplicate of this bug. ***
Depends on: 313337
*** Bug 318266 has been marked as a duplicate of this bug. ***
*** Bug 321264 has been marked as a duplicate of this bug. ***
(In reply to comment #46)

> Changing those values enough to foil sites like fastclick.com, however, breaks
> lots and lots of legitimate things (including our own "show blocked popup" UI). 

How about just disallow code loaded from external scripts from the sites fastclick.com and fastclick.net? Wouldn't that block the pop-ups? Would it break any legitimate things?
The testcase URLs in comment 0 and in comment 37 are no longer available.
Is there any reproducible testcase for this bug, or do we have to mark it as INVALID?
I joined this thread some time ago reporting ads popping up at this URL:

http://members4.boardhost.com/RRHXHistory/

I see that AdBlock Plus still takes offense to an ad URL on this page. However, I see no ad thanks to AdBlock Plus. So not sure if it is a valid example any longer or not.
(In reply to comment #52)
> I joined this thread some time ago reporting ads popping up at this URL:
> 
> http://members4.boardhost.com/RRHXHistory/
> 
> I see that AdBlock Plus still takes offense to an ad URL on this page. However,
> I see no ad thanks to AdBlock Plus. So not sure if it is a valid example any
> longer or not.

WFM with Firefox 3.6
With AdBlock Plus disabled, I saw an ad at the <http://members4.boardhost.com/RRHXHistory/> URI.  However, the ad was an inline graphic which was also a link.  This was NOT a popup ad and was not provided by FastClick.  The ad's domain -- both the displayed graphic and the link from it -- was googleads.g.doubleclick.net.
I see the popup on eenadu.net website. This doesn't show up on other browsers like chrome.
I see it more prominently in FF3.5+ browsers and not before..
(In reply to comment #55)
> I see the popup on eenadu.net website. This doesn't show up on other browsers
> like chrome.
> I see it more prominently in FF3.5+ browsers and not before..

The Firefox Pop-Up Blocker blocks the pop-up on eenadu.net so it's WFM.
Strange.. I still see the issue. Just want to check, did you happen to click on that page anywhere, other than the ads. If I do that it brings up the ad page as pop-up

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
(In reply to comment #57)
> Strange.. I still see the issue. Just want to check, did you happen to click on that
> page anywhere, other than the ads. If I do that it brings up the ad page as
> pop-up
> 
> Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115
> Firefox/3.6

Clicking anywhere on the page provides a pop-up from admagnet.ne but I don't think this is something manageable by the Firefox pop-up blocker (Adblock Plus does the job instead).
Yes. The issue here is, this is seen only with Firefox and not Chrome or IE8.0 (blocking level set to HIGH). I guess the point is, we need to beef up the core instead of depending on plugins.
Sorry if this is related to current issue.
I'm going to resolve this bug because it's really old and doesn't have clear actions. We'll be moving Flash to click-to-activate soon so it won't be a useful target for popup attackers.
Status: NEW → RESOLVED
Closed: 19 years ago → 7 years ago
Resolution: --- → INCOMPLETE
Product: Core → Core Graveyard