Closed
Bug 282931
(fastclick-popup)
Opened 19 years ago
Closed 7 years ago
FASTCLICK.COM popup not blocked by Mozilla
Categories
(Core Graveyard :: Plug-ins, defect)
Tracking
(Not tracked)
RESOLVED
INCOMPLETE
People
(Reporter: mlueck, Unassigned)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20041217
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20041217

This site on the history page has a FASTCLICK.COM ad. Mozilla is unable to block the ad. One of our engineers came up with the following details on the situation causing the popup block failure.

Here is the code that takes care of this. Since you would not generally want anything at all from fastclick, you could bulk block, or send the link to the boys at Mozilla. Since this checks for a cookie, it will not come up a second time. The part that causes it to be gotten away with is the separation of the url, and parts of what is written. Nice group of folks over there at fastclick.

<!-- FASTCLICK.COM POP-UNDER CODE v1.8 for boardhost.com (12 hour) -->
<script language="javascript"><!--
var dc=document; var date_ob=new Date();
dc.cookie='h2=o; path=/;';var bust=date_ob.getSeconds();
if(dc.cookie.indexOf('e=llo') <= 0 && dc.cookie.indexOf('2=o') > 0){
dc.write('<scr'+'ipt language="javascript" src="http://media.fastclick.net');
dc.write('/w/pop.cgi?sid=2369&m=2&tp=2&v=1.8&c='+bust+'"></scr'+'ipt>');
date_ob.setTime(date_ob.getTime()+43200000);
dc.cookie='he=llo; path=/; expires='+ date_ob.toGMTString();}
// -->
</script>
<!-- FASTCLICK.COM POP-UNDER CODE v1.8 for boardhost.com -->

Reproducible: Always

Steps to Reproduce:
1. Go to the URL provided
2. In the top frame click on "Historical Questions and Answers"
3. A popup opens per the code provided
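Added example, not part of the original report: the external script URL in the loader above never appears intact in the delivered page, so a filter that looks for `<script src=...>` in the raw markup does not see the host. This JavaScript sketch joins the string literals passed to `write()` and extracts the host from the result; `scriptHosts`, `documentAliases` and `reassembleWrites` are names chosen here, and `SAMPLE` is the loader from the report used as input.

```javascript
// Added example: SAMPLE is the loader quoted in comment 0, used as test input.
const SAMPLE = `<script language="javascript"><!--
var dc=document; var date_ob=new Date();
dc.cookie='h2=o; path=/;';var bust=date_ob.getSeconds();
if(dc.cookie.indexOf('e=llo') <= 0 && dc.cookie.indexOf('2=o') > 0){
dc.write('<scr'+'ipt language="javascript" src="http://media.fastclick.net');
dc.write('/w/pop.cgi?sid=2369&m=2&tp=2&v=1.8&c='+bust+'"></scr'+'ipt>');
date_ob.setTime(date_ob.getTime()+43200000);
dc.cookie='he=llo; path=/; expires='+ date_ob.toGMTString();}
// -->
</script>`;

// Hosts of every <script src=...> found in a piece of markup.
function scriptHosts(markup) {
  const tag = /<script\b[^>]*\bsrc\s*=\s*["']([^"']*)["']/gi;
  const hosts = new Set();
  for (const m of markup.matchAll(tag)) {
    try { hosts.add(new URL(m[1]).hostname); } catch { /* relative or malformed URL */ }
  }
  return [...hosts];
}

// Names bound to `document`, e.g. `var dc=document`.
function documentAliases(js) {
  const names = ['document'];
  const decl = /\b(?:var|let|const)\s+(\w+)\s*=\s*document\b/g;
  for (const m of js.matchAll(decl)) names.push(m[1]);
  return names;
}

// Join the string literals of all write()/writeln() calls in source order.
// Non-literal operands (here the cache-busting `bust`) are dropped.
function reassembleWrites(js) {
  const names = documentAliases(js).join('|');
  const call = new RegExp(`\\b(?:${names})\\.write(?:ln)?\\(([^;]*)\\)\\s*;`, 'g');
  const literal = /'((?:[^'\\]|\\.)*)'|"((?:[^"\\]|\\.)*)"/g;
  let out = '';
  for (const c of js.matchAll(call)) {
    for (const s of c[1].matchAll(literal)) out += s[1] ?? s[2];
  }
  return out;
}

console.log('as delivered:    ', scriptHosts(SAMPLE));
console.log('after reassembly:', scriptHosts(reassembleWrites(SAMPLE)));
```

The regular expressions cover the literal-concatenation pattern in this loader only; a script that builds the URL from character codes or computed values needs a real parser or run-time interception.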
Comment 1•19 years ago
I don't get a popup using Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b) Gecko/20050208
Comment 2•19 years ago
For support issues please see the comments in threads such as http://forums.mozillazine.org/viewtopic.php?p=1240477 (At least four threads have been started on mozillazine). On pages with this exploit, the occurrence of the pop up is intermittent depending on time and cookies (as can be seen in the code), so reports of WFM are of little value.
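Added example, not part of the thread: a JavaScript model of the cookie gate in the loader from comment 0, showing which visits can reproduce the pop-under and which cannot. The `indexOf` tests, cookie names and the 43200000 ms lifetime are taken from that loader; `CookieJar`, `loaderFires` and `replay` are names invented here.

```javascript
// Added example: a model of the cookie gate in the loader from comment 0.
const TWELVE_HOURS_MS = 43200000;          // lifetime the loader gives 'he=llo'

// Minimal cookie jar: name -> { value, expires } (expires null = session cookie).
class CookieJar {
  constructor(enabled = true) { this.enabled = enabled; this.store = new Map(); }
  set(name, value, expires = null) {
    if (this.enabled) this.store.set(name, { value, expires });
  }
  // What document.cookie would return at time `now` (ms).
  header(now) {
    return [...this.store]
      .filter(([, c]) => c.expires === null || c.expires > now)
      .map(([name, c]) => `${name}=${c.value}`)
      .join('; ');
  }
}

// One page load at time `now`; returns true if the loader would write the
// external <script> tag. Same tests and cookie writes as the original code.
function loaderFires(jar, now) {
  jar.set('h2', 'o');                                     // probe: are cookies on?
  const cookie = jar.header(now);
  const fires = cookie.indexOf('e=llo') <= 0 && cookie.indexOf('2=o') > 0;
  if (fires) jar.set('he', 'llo', now + TWELVE_HOURS_MS); // suppress for 12 hours
  return fires;
}

// Replay visits (ms offsets from the first one) against a single profile.
function replay(offsets, cookiesEnabled = true) {
  const jar = new CookieJar(cookiesEnabled);
  return offsets.map((t) => loaderFires(jar, t));
}

const HOUR = 3600000;
console.log('fresh profile:   ', replay([0, 1 * HOUR, 11 * HOUR, 13 * HOUR]));
console.log('cookies disabled:', replay([0, 1 * HOUR], false));
```

A test run only says something about the blocker when the profile has cookies enabled and holds no unexpired `he` cookie for the site, which matches the "fresh profile or clear your cookies" advice later in the thread.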
Reporter
Comment 3•19 years ago
>so reports of WFM are of little value
I am not sure what WFM is, but I assume you mean my opening the bug is of little
value. Our point is that popup vendors are getting smarter and trickier, thus
the Mozilla popup blocker needs to somehow follow. The popup blocker technology
is reactive, not proactive, and thus must react to new tactics used by popup
vendors.
Comment 4•19 years ago
(In reply to comment #3)
> >so reports of WFM are of little value
>
> I am not sure what WFM is, but I assume you mean my opening the bug is of
> little value.

Not really (and I agree with the part of your comment that I snipped). WFM = Works for me, and applies to statements such as "I don't get the pop up". Your bug though admirably concise - brief and complete - probably belongs with Bug 253831 "sites with pop-ups that get past our pop-up blocker"
WFM with trunk builds and FF10. And it is not the trick with flash (see http://www.heise.de/newsticker/meldung/56646), that would be bug 176079.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME
Version: unspecified → 1.7 Branch
I'm making an executive decision to reopen this bug. The infamous fastclick popup script that has infested the web like a swarm of hives this past week or so has spawned so much noise in the user groups, and so many duplicate bug reports, that we need a magnet for future duplicate bugs. This very nicely written, concise bug report is my favourite. For starters, it's not WFM in my book. If you follow the steps to reproduce (load the website given and click the Historical Questions and Answers link), this site certainly does load the fastclick script and attempt to open one popup window (two if you have Flash). The first popup window is as described in comment 0. This is not a problem for Firefox 1.0 or later (unless you're having problems with extensions or something similar). The second window is as described in comment 5. This is a straightforward Flash popup. No mistake, this fastclick script is not a new exploit. It's just the first widely disseminated exploit that uses Flash to open a popup window. That makes this bug a duplicate of bug 176079. But it's best we leave it open for now because of the prevalence of the offending script. See especially bug 176079 comment 32 for a means to defeat this exploit.
Status: RESOLVED → UNCONFIRMED
Resolution: WORKSFORME → ---
*** Bug 282382 has been marked as a duplicate of this bug. ***
*** Bug 283061 has been marked as a duplicate of this bug. ***
*** Bug 283176 has been marked as a duplicate of this bug. ***
Comment 10•19 years ago
(In reply to comment #6) You are right, thanks for reopen. I forgot to deactivate the hidden pref. Sorry for the inconvenience caused. Adding dependency.
Depends on: BlockFlashPopup
Version: 1.7 Branch → Trunk
Comment 11•19 years ago
(In reply to comment #6)
> .... If you follow the steps to reproduce
> (load the website given and click the Historical Questions and Answers link),
> this site certainly does load the fastclick script and attempt to open
> one popup window (two if you have Flash).
>
> .... See especially bug 176079 comment 32 for a means to defeat this exploit.

Confirming. I added a new integer preference 'privacy.popups.disable_from_plugins' set to 2, and I can follow the recipe: Firefox claims to block 2 popups 'members4.boardhost.com/RRHXHistory/' and 'media113.fastclick.net/w/safepop.cgi? ...'

I went to http://www.kephyr.com/popupkillertest/ (Mozilla now has 18% of 10 000 votes) and test 13 'This test tries to open two pop-up windows using Flash. The pop-up killer failed if any of the pop-up windows got through.' seems to be passed by Firefox (though FWIW Firefox only claims to block 1 popup). Only 44% of browsers have claimed to block this test, and when I tried a few days ago, Firefox failed that test.

If this is now considered to be the qualified solution, it should be posted on mozillazine (I can't see an active appropriate thread there at present).
Comment 12•19 years ago
Of course it works. Feel free to mention it on Mozillazine (but please don't feel obligated to confirm it here in Bugzilla). I know of one instance where Flash blocking already has been mentioned in the explicit context of this issue ( http://forums.mozillazine.org/viewtopic.php?p=1251819#1251819 ), and dozens where it has been mentioned on its own merits. Mozillazine is such shifting sands that anything you say is lost within 12 hours; I stopped participating last year and I'm much happier for it.
Comment 13•19 years ago
Ugh. Breaking one of my own rules here,

> but please don't feel obligated to confirm it here in Bugzilla

I mean thanks for adding the useful confirmation note in comment 11 but from now on please keep Mozillazine out of this bug.
Comment 14•19 years ago
*** Bug 283307 has been marked as a duplicate of this bug. ***
Comment 15•19 years ago
*** Bug 283496 has been marked as a duplicate of this bug. ***
Comment 16•19 years ago
*** Bug 283784 has been marked as a duplicate of this bug. ***
Comment 17•19 years ago
*** Bug 283911 has been marked as a duplicate of this bug. ***
Comment 18•19 years ago
*** Bug 284393 has been marked as a duplicate of this bug. ***
Comment 19•19 years ago
*** Bug 283550 has been marked as a duplicate of this bug. ***
Updated•19 years ago
Assignee: general → nobody
Status: UNCONFIRMED → NEW
Component: General → Plug-ins
Ever confirmed: true
Product: Mozilla Application Suite → Core
QA Contact: general → plugins
Comment 20•19 years ago
*** Bug 285610 has been marked as a duplicate of this bug. ***
Comment 21•19 years ago
*** Bug 286453 has been marked as a duplicate of this bug. ***
Comment 22•19 years ago
*** Bug 287205 has been marked as a duplicate of this bug. ***
Comment 23•19 years ago
*** Bug 286615 has been marked as a duplicate of this bug. ***
Comment 24•19 years ago
*** Bug 288145 has been marked as a duplicate of this bug. ***
Comment 25•19 years ago
"The first popup window is as described in comment 0. This is not a problem for Firefox 1.0 or later (unless you're having problems with extensions or something similar)." Dan, I have to disagree. Make a webpage with just the script block shown in comment 0, start Firefox up in safe mode so all extensions are turned off, etc., use a fresh profile or clear your cookies. Sometimes it will actually open a popup, even though Firefox will say that it blocked it. No flash, just javascript. We do need to tweak the blocker to handle this.
Comment 26•19 years ago
(In reply to comment #25)
> "The first popup window is as described in comment 0. This is not a problem for
> Firefox 1.0 or later (unless you're having problems with extensions or something
> similar)."
>
> Dan, I have to disagree. Make a webpage with just the script block shown in
> comment 0, start Firefox up in safe mode so all extensions are turned off, etc.,
> use a fresh profile or clear your cookies. Sometimes it will actually open a
> popup, even though Firefox will say that it blocked it. No flash, just
> javascript. We do need to tweak the blocker to handle this.

Same here. I'm running 1.0.2 with NO extensions, no special tweaking, and still get pop-ups on some sites.
Reporter
Comment 27•19 years ago
You will see this bug was logged against the Mozilla Suite 1.7.5 and not Firefox. I have yet to take the time to figure out how to package Firefox in our Electronic Software Distribution system... I am not too pleased with the complexities presented in Firefox for centrally managed implementations.
Comment 28•19 years ago
*** Bug 285679 has been marked as a duplicate of this bug. ***
Comment 29•19 years ago
versions of the fastclick.com code also add click or other event handlers. The dom.popup_allowed_events pref talked about in bug 227338 is usually required in addition to the flash blocking.
Comment 30•19 years ago
*** Bug 288093 has been marked as a duplicate of this bug. ***
Comment 31•19 years ago
*** Bug 288758 has been marked as a duplicate of this bug. ***
Comment 32•19 years ago
*** Bug 289597 has been marked as a duplicate of this bug. ***
Updated•19 years ago
Alias: fastclick-popup
Comment 33•19 years ago
*** Bug 292468 has been marked as a duplicate of this bug. ***
Comment 34•19 years ago
*** Bug 293469 has been marked as a duplicate of this bug. ***
Comment 35•19 years ago
*** Bug 294179 has been marked as a duplicate of this bug. ***
Comment 36•19 years ago
*** Bug 294814 has been marked as a duplicate of this bug. ***
Comment 37•19 years ago
The popups must die extension and privacy.popups.disable_from_plugins are not preventing new ads from tribal fusion from generating popup ads. Visit http://pittsburghlive.com/x/tribune-review/trib/newssummary/s_336985.html for an example.
Comment 38•19 years ago
*** Bug 296646 has been marked as a duplicate of this bug. ***
Comment 39•19 years ago
*** Bug 298095 has been marked as a duplicate of this bug. ***
Comment 40•19 years ago
(In reply to comment #39)
> *** Bug 298095 has been marked as a duplicate of this bug. ***

The popup still comes up when I leave drudgereport and return.
Comment 41•19 years ago
*** Bug 298020 has been marked as a duplicate of this bug. ***
Comment 42•19 years ago
*** Bug 291182 has been marked as a duplicate of this bug. ***
Comment 43•19 years ago
*** Bug 296478 has been marked as a duplicate of this bug. ***
Comment 44•19 years ago
*** Bug 300557 has been marked as a duplicate of this bug. ***
Comment 45•19 years ago
re: comment #29

dveditz: you said:
>dom.popup_allowed_events pref talked about in bug 227338

i don't see anything relevant in bug 227338. did you cut and paste the wrong bug number? in any case, can you elaborate?

tia,
marc
Comment 46•19 years ago
(In reply to comment #45)
> dveditz: you said:
> >dom.popup_allowed_events pref talked about in bug 227338
>
> i don't see anything relevant in bug 227338.

No idea where that came from. try bug 233377 comment 2, leading to the implementation in bug 197919

Changing those values enough to foil sites like fastclick.com, however, breaks lots and lots of legitimate things (including our own "show blocked popup" UI).
Comment 47•19 years ago
*** Bug 308747 has been marked as a duplicate of this bug. ***
Comment 48•19 years ago
*** Bug 318266 has been marked as a duplicate of this bug. ***
Comment 49•19 years ago
*** Bug 321264 has been marked as a duplicate of this bug. ***
Comment 50•18 years ago
(In reply to comment #46)
> Changing those values enough to foil sites like fastclick.com, however, breaks
> lots and lots of legitimate things (including our own "show blocked popup" UI).

How about just disallow code loaded from external scripts from the sites fastclick.com and fastclick.net? Wouldn't that block the pop-ups? Would it break any legitimate things?
Comment 51•14 years ago
The URLs testcase in comment 0 and in comment 37 are no longer available. Is there any reproducible testcase for this bug, or do we have to mark it as INVALID?
Reporter
Comment 52•14 years ago
I joined this thread some time ago reporting ads popping up at this URL: http://members4.boardhost.com/RRHXHistory/

I see that AdBlock Plus still takes offense to an ad URL on this page. However, I see no ad thanks to AdBlock Plus. So not sure if it is a valid example any longer or not.
Comment 53•14 years ago
(In reply to comment #52)
> I joined this thread some time ago reporting ads popping up at this URL:
>
> http://members4.boardhost.com/RRHXHistory/
>
> I see that AdBlock Plus still takes offense to an ad URL on this page. However,
> I see no ad thanks to AdBlock Plus. So not sure if it is a valid example any
> longer or not.

WFM with Firefox 3.6
Comment 54•14 years ago
With AdBlock Plus disabled, I saw an ad at the <http://members4.boardhost.com/RRHXHistory/> URI. However, the ad was an inline graphic which was also a link. This was NOT a popup ad and was not provided by FastClick. The ad's domain -- both the displayed graphic and the link from it -- was googleads.g.doubleclick.net.
Comment 55•14 years ago
I see the popup on eenadu.net website. This doesn't show up on other browsers like chrome. I see it more prominently in FF3.5+ browsers and not before..
Comment 56•14 years ago
(In reply to comment #55)
> I see the popup on eenadu.net website. This doesn't show up on other browsers
> like chrome.
> I see it more prominently in FF3.5+ browsers and not before..

The Firefox Pop-Up Blocker blocks the pop-up on eenadu.net so it's WFM.
Comment 57•14 years ago
Strange.. I still see the issue. Just want to check, did you happen to click on that page anywhere, other than the ads. If I do that it brings up the ad page as pop-up

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
Comment 58•14 years ago
(In reply to comment #57)
> Strange.. I still see the issue. Just want to check, did you happen to click on that
> page anywhere, other than the ads. If I do that it brings up the ad page as
> pop-up
>
> Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115
> Firefox/3.6

Clicking anywhere on the page provides a pop-up from admagnet.ne but I don't think this is something manageable by Firefox pop-up blocker (Adblock Plus does the job instead).
Comment 59•14 years ago
Yes. The issue here is, this is seen only with firefox and not chrome or IE8.0(blocking level set to HIGH). I guess the point is, we need to beef up the core instead of depending on plugins. Sorry if this is related to current issue.
Comment 60•7 years ago
I'm going to resolve this bug because it's really old and doesn't have clear actions. We'll be moving Flash click-to-activate soon so it won't be a useful target for popup attackers.
Status: NEW → RESOLVED
Closed: 19 years ago → 7 years ago
Resolution: --- → INCOMPLETE
Updated•2 years ago
Product: Core → Core Graveyard