Sites can use the click or mouseup event to launch an advertising window. This is a known issue and bug 212163 covers onclick. Limi talked about revisiting this issue in the papercuts talk. If onclick is removed we should look at the rest of the values of dom.popup_allowed_events so that ad networks not just switch to a different event. Currently dom.popup_allowed_events allows popups for change, click, dblclick, mouseup, reset, and submit.
For <a target=_blank>, see also bug 565621.
There's an old wontfix bug on this topic, bug 212163. But the web has changed since then.
A blacklist would also help a lot, see bug 202394.
About pop-unders: I wonder if there is any way to make them open in a new background tab next to the tab that opened it, and associated with the opening tab in Tab Candy.
I think bug 596359 is a reasonable approach to mitigating a lot of the unwanted popups by heuristically checking where the open call came from.
One suggestion mentioned on IRC was to only allow App Tabs to do this by default.
Created attachment 8476809 [details] The code that opens a popunder on The Pirate Bay Bug 212163 has been wontfixed 11 years ago, but I believe the situation has changed a lot since then: 1. with AJAX and stuff, legitimate use of popups is probably quite rare nowadays. 2. on the other hand, websites, which use popups for advertising, have over the years adjusted to the way browsers block this functionality, and are using shady tactics of e.g. globally catching onclick basically anywhere in the page to open their popups or even popunders (that's what this and many other bugs are about). 3. not based on studies, but I would guess that most users usually interact with just a few websites at most, which use popups for legitimate reasons nowadays (e.g. corporate intranet, some government website, MAYBE webmail and let's say a few others). 4. whitelisting popups on any website is an easy one-time task. We have a nice UI (infobar and an icon in the address bar) for that. 5. with our current default setting, even blacklisted websites can still open pop-ups when using the right handler. This is ridiculous and exactly the contrary of the user being in control. With all these points in mind, I would suggest that the decision in bug 212163 should be revisited. Can I reopen it? BTW, I wonder if it's by design that with an empty dom.popup_allowed_events, even file chooser windows triggered by clicking <input type="file"> are blocked. That doesn't sound logical. Oh, apparently, it's bug 918780.