Closed
Bug 92178
Opened 23 years ago
Closed 23 years ago
Need user-selectable filters for the URL passed to window.open(...)
Categories
(Core :: Security: CAPS, enhancement)
VERIFIED
WONTFIX
People
(Reporter: rfg, Assigned: security-bugs)
References
(Depends on 1 open bug)
Details
So is it just me, or are there a couple of billion other people who, like me,
are also sick to death of these extraordinarily irritating pop-up and pop-under
ads, AND the spying on us that Doubleclick is doing, day in and day out?
OK, let's just deal with the issue of the pop-up/pop-under ads for the moment.
Why doesn't Mozilla... as part of preferences... allow me/everyone to configure
a personal domain-based filtering list that would apply to the URL given in the
first argument to any window.open() call?
If I had that, then you can bet your booty that I'd filter out all ads from
x10.com, toot sweet... and so would everyone else on the planet! (Those people
have gotten in my face once too often and now I'm hopping mad!)
So why don't we have this capability?? This is insane. It is almost analogous
to selling a mail client with no filters! Nobody in their Right Mind does that
anymore. All mail clients these days provide the end user with SOME way of
selectively filtering our ****. Why should browsers be totally devoid of all
`filtering' type features, even in this day and age?
Oh yea, and separately, there should be a user-selectable (preferences) list
of domains for which all http GET operations are suppressed, with the browser
just returning the equivalent of <HTML></HTML> internally instead (i.e. gray
space). WHY DON'T WE HAVE THIS FER CHRISSAKE?? People KNOW that doubleclick is
spying on them, and they DO NOT LIKE IT, but you give them no easy way to
prevent it. Does AOL have some vested interest or reason for making sure
that end users can't filter out **** they don't want to see? Hey! I'm only
asking. I gotta wonder what is going on, because people have been bitching
about these damn pop-up/under ads AND the surreptitious snooping/spying on us
that has been going on for a long long time now, and yet I haven't heard
ANYTHING about anything that would empower end users to filter this garbage out
themselves. Have I just not been paying attention? Are such features now
available in Mozilla?
Comment 1•23 years ago
1) You can already block image loads from specific domains. When that's done,
no request is sent for those images...
2) You can block image loads from sites different from the site that's serving
the page you're loading.
3) You can block calls to window.open(). See the 0.9.2 release notes. See the
0.8.1 release notes for that matter. Sounds like you'll want to set
window.open() to noAccess for all sites and then selectively enable access to
window.open() for the sites that need it.
> Why doesn't Mozilla... as part of preferences... allow me/everyone to configure
> a personal domain-based filtering list that would apply to the URL given in the
> first argument to any window.open() call?
That's an interesting idea... Mostly because there is no good way to screen
that argument. Consider:
window.open("javascript:window.location = 'http://wherever'");
And variants on that. Determining whether the code ends up redirecting to
somewhere evil is basically impossible.
Oh, you can permanently block cookies from a particular domain as well, iirc.
Over to security:CAPS to decide whether this RFE is feasible...
Assignee: rogerl → mstoltz
Component: Javascript Engine → Security: CAPS
QA Contact: pschwartau → ckritzer
Summary: Need user-selectable filters for javascript:window.open(...) → Need user-selectable filters for the URL passed to window.open(...)
Comment 2•23 years ago
rfg@monkeys.com: these are excellent points that you make.
You will be interested in bug 75371; also compare bug 29346 -
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 3•23 years ago (Reporter)
Point #1: Blocking "image" loads (from a given domain, or list of domains) is
obviously only a rather incomplete subset of what I want to do. I want to block
loading on ANY AND ALL material, images or otherwise, from selected domains
and/or subdomains thereof.
Point #2: I do not want to block access to window.open(). I simply want calls
to that function to FAIL, at run-time, if the URL given as an argument in the
call happens to be in a domain that I have selectively blocked. This is
perfectly do-able, and would allow me to block out JUST the annoying pop-ups
generated by, for example, x10.com, and also the ones generated by various porno
web sites that I visit from time to time while researching the e-mail spams they
seem to constantly send to me (and to everyone).
Point #3: It is nonsensical on the face of it to say that it would be either
impossible or even very difficult for code to be introduced into the browser, at
some sufficiently low level, that would succeed at getting BOTH window.open()
AND also assignments to window.location to simply fail, if and when the
specified URL is in a domain which is on the user's personal blocking list.
At some level, the browser has ahold of the strings in question, and they can
simply be filtered at that level. Assignments to window.location which do not
pass muster against the user's configured filters could be transparently and
automagically replaced with something else entirely, e.g. some special code like
"devnull:deadend", which would be interpreted internal to the browser to mean
nothing/grayspace. (I would prefer grayspace over ANYTHING that might be sent
down my line from doubleclick.)
If we can put a man on the moon, I suppose that we can do this. It ain't that
bloody difficult.
P.S. My JavaScript book is very out-of-date, and I may perhaps be wrong about
this, but it seems to indicate that the first argument in any call to
window.open() must be an actual URL. If so, that makes your example of:
window.open("javascript:window.location = 'http://wherever'");
completely bogus.
P.P.S. I should really look at whatever document contains the definitive
reference for JavaScript before I ask this question, but is window.open() EVER
defined to FAIL?
If not, that seems like a big mistake in the language definition to my way of
thinking. Every function should have some way of returning back a well-defined
failure code, just in case. (The book I have doesn't seem to indicate that
window.open() is ever defined to fail, OR that programs should even check for
such a possibility. Perhaps the book is just wrong?)
Comment 4•23 years ago (Reporter)
bug 75371 is clearly quite relevant, but I'll need to go and research all of the
relevant other material connected to that.
I'm a little bit worried that the discussion of bug 75371 heads off in the
direction of functionality that nobody really wants however. If I'm visiting
www.news.com or www.cnn.com, then I _do not_ want to disable the creating of new
windows while browsing those sites entirely. If CNN wants to put up a pop-up
window that explains in more detail, say, the technology of the new artificial
heart that was implanted in some volunteer a few weeks ago, then yes, I *do*
want to see that pop-up window. But if they try to get a window for some page
over at x10.com to pop up, then I want to have THAT ONE be suppressed. Likewise
if any new pop-up window has source coming from doubleclick.com, or any
subdomain thereof, then I want THAT pop-up suppressed, ideally, silently and
without ANY interaction from me.
In short, what I want, and what I believe most people want is NOT a way to
disable window.open() entirely when visiting certain *real* content sites, e.g.
cnn.com. Rather, we want a way to continue to view all of the real content on
those sites INCLUDING POP-UPS, while filtering out only the garbage that we
know, from past experience, we don't want... like for example anything from
x10.com.
Comment 5•23 years ago (Assignee)
Ronald,
Good points. We've considered point #1 above in the mail/news case as bug
28327. The general problem of gathering data on users through server hits (for
IMG tags, etc.) is known as the Web bug. We're working on a solution for that,
but it'll probably be a while. Know anyone who can code and is interested in
helping write a solution? We've got some basic framework (nsIContentPolicy) in
place.
We have, to this point, been considering ways of preventing 'blacklisted' sites
from calling window.open entirely. I hadn't thought of blocking based on what
URL the script is trying to open. I believe this wouldn't be very effective,
though. Doubleclick and other ad sites often use the technique of serving their
ads through the host site's domain name. For example, an ad embedded in a Yahoo
page but served by Doubleclick will often have a URL such as
ads.yahoo.com/annoyingad.gif. Doubleclick simply asks yahoo to configure their
DNS server to resolve ads.yahoo.com to the IP address of Doubleclick's server.
This is done in many cases to foil ad and cookie filters. It's actually kinda
hard to tell which URLs are ads and which are legit. Because of this, I don't
think filtering based on the argument to window.open would be all that effective.
This still leaves us with the dilemma of allowing legitimate window.open's, such
as helpful popups, while blocking popup ads. A possible solution is Jesse's
proposal of allowing window.open only in response to a user click, not an onLoad
or onUnload event, etc.
> P.S. My JavaScript book is very out-of-date, and I may perhaps be wrong about
> this, but it seems to indicate that the first argument in any call to
> window.open() must be an actual URL. If so, that makes your example of:
> window.open("javascript:window.location = 'http://wherever'");
> completely bogus.
Actually no, that's perfectly valid code in Mozilla. Did you try it?
> P.P.S. I should really look at whatever document contains the definitive
> reference for JavaScript before I ask this question, but is window.open() EVER
> defined to FAIL?
Sure, it can fail. If the security manager disallows it, it will throw an
exception, which can be caught by the script. If it's not caught, it stops the
execution of the script.
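The filter requested in this bug, sketched as an added example (not part of the original comments and not Mozilla code) to show which window.open() targets a hostname blocklist can and cannot decide. The function names, the "opaque" verdict and the sample URLs are constructed for illustration.

```javascript
// Added example: constructed blocklist and URLs; "opaque" is this sketch's own label.
const BLOCKED_DOMAINS = ["x10.com", "doubleclick.com"];

// True when host is the listed domain or a subdomain of it.
function hostMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Screen the first argument of window.open() against the blocklist.
// openerUrl is the page making the call, used to resolve relative URLs.
function screenOpenTarget(rawUrl, openerUrl, blocked = BLOCKED_DOMAINS) {
  let target;
  try {
    target = new URL(rawUrl, openerUrl);
  } catch (e) {
    return { verdict: "opaque", reason: "unparseable URL" };
  }
  if (target.protocol !== "http:" && target.protocol !== "https:") {
    // javascript:, data: and similar URLs have no host to compare; where
    // the window ends up is decided by code that runs after the check.
    return { verdict: "opaque", reason: "no host in " + target.protocol + " URL" };
  }
  const host = target.hostname.replace(/\.$/, ""); // drop a trailing root dot
  const hit = blocked.find((d) => hostMatches(host, d));
  return hit
    ? { verdict: "block", reason: "host is under " + hit }
    : { verdict: "allow", reason: "host not on the list" };
}

// Constructed calls, all made from a page on www.yahoo.com.
function demo() {
  const opener = "http://www.yahoo.com/index.html";
  return [
    "http://www.x10.com/popup.html",          // listed domain
    "http://ad.doubleclick.com/pop?id=1",     // subdomain of a listed domain
    "http://notx10.com/",                     // similar name, not a subdomain
    "/news/story.html",                       // relative, same site
    "http://ads.yahoo.com/annoyingad.gif",    // first-party alias from comment 5
    "javascript:window.location = 'http://wherever'", // example from comment 1
  ].map((u) => screenOpenTarget(u, opener).verdict);
}

console.log(demo());
```

The last two results are the cases raised in comments 1 and 5: the alias host is allowed because only the name is compared, and the javascript: URL gives the filter no host to compare at all.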
Comment 6•23 years ago (Assignee)
> Does AOL have some vested interest or reason for making sure
> that end users can't filter out crap they don't want to see?
If I had a nickel for every time someone superciliously suggested that the
absence of some key feature is due to some sort of AOL conspiracy, I wouldn't
have to work here anymore. This is not AOL, this is Mozilla.org you're posting
to, which has hundreds of non-AOL contributors. We already have the ability to
block window.open per-site, which as you pointed out is not a perfect solution,
but it's more than the competition has, and we're working on improvements, with
your help.
> If we can put a man on the moon, I suppose that we can do this. It ain't that
> bloody difficult.
Who is this 'we' you refer to? As I mentioned above, distinguishing ads from
other content can in fact be bloody difficult. But this is an open source
project, so since this issue is obviously of great concern to you, why not help
us figure out how to actually do it?
Comment 7•23 years ago (Assignee)
Nothing much new here that isn't covered in other bugs, and I think we agree
that filtering based on the target URL is not very effective, so I think this is
a WONTFIX. Please reopen if you disagree.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → WONTFIX
Comment 8•23 years ago
> P.P.S. I should really look at whatever document contains the definitive
> reference for JavaScript before I ask this question, but is window.open() EVER
> defined to FAIL?
Sure. window.open() returns a handle to the newly created window. If it
returns null, it failed to open a window. There is also the case of
window.open() throwing an exception, as Mitchell pointed out.
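The two failure modes named in comments 5 and 8 (a thrown exception and a null return), handled in one wrapper; this is an added example, not code from the bug or from Mozilla. `tryOpen`, `suppressesHandle` and the result fields are hypothetical names, `openFn` stands in for `window.open` so the logic runs outside a browser, and the `noopener`/`noreferrer` case reflects current browsers rather than the builds discussed here.

```javascript
// Added example: hypothetical helper names; openFn stands in for window.open.

// In current browsers a features string containing noopener or noreferrer
// makes window.open() return null even when the window was opened.
function suppressesHandle(features) {
  const tokens = features.toLowerCase().split(/[\s,]+/).filter(Boolean);
  return tokens.some((tok) => {
    const [key, value = ""] = tok.split("=");
    if (key !== "noopener" && key !== "noreferrer") return false;
    return value === "" || value === "yes" || value === "true" ||
      Boolean(parseInt(value, 10));
  });
}

// Returns { opened: true | false | null, how, ... }.
// opened === null means the call gives no way to tell.
function tryOpen(openFn, url, name = "_blank", features = "") {
  let handle;
  try {
    handle = openFn(url, name, features);
  } catch (err) {
    // Comment 5: a security-manager denial surfaces as an exception.
    const detail = String((err && err.message) || err);
    return { opened: false, how: "exception", detail };
  }
  if (handle === null || handle === undefined) {
    // Comment 8: null means no window handle came back.
    return suppressesHandle(features)
      ? { opened: null, how: "no-handle-by-design" }
      : { opened: false, how: "null-return" };
  }
  return { opened: true, how: "handle", handle };
}

// Constructed stand-ins for the three outcomes.
const denied = () => { throw new Error("access denied"); };
const blocked = () => null;
const allowed = () => ({ closed: false });

console.log(tryOpen(denied, "http://example.com/").how);   // exception
console.log(tryOpen(blocked, "http://example.com/").how);  // null-return
console.log(tryOpen(allowed, "http://example.com/").how);  // handle
```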
Comment 9•23 years ago (Reporter)
mstoltz@netscape.com wrote:
> I hadn't thought of blocking based on what
> URL the script is trying to open. I believe this wouldn't be very effective,
> though. Doubleclick and other ad sites often use the technique of serving their
> ads through the host site's domain name.
I have _never_ seen such a case. Can you point me to one? I personally have
difficulty believing that this ever happens, since I have never seen it. And in
any case, even if there are some such cases, I believe that will be the
exceptions that prove the rule.
Comment 11•23 years ago (Assignee)
Look at the ad URLs on the New York Times, Yahoo, and lots of other major sites.
Many do contain the word "ads" somewhere, but none say Doubleclick, and all are
served from the same domain as the rest of the page.
Anyway, you'd best believe that if people started blocking ads based on domain
alone, Doubleclick and the rest would all step up their use of the technique I
described above. They're not stupid.
This is a complicated problem, and I welcome your help in solving it. Just don't
accuse us of failing to solve a "simple" problem.