The Return Of The Pop-Up Ad

SYFer writes "Shortly after upgrading my Macs to OS X 10.3.8, I noticed that I was getting pop-up ads on Safari. It had been so long since I'd seen a pop-up, I completely forgotten how annoying they can be. I went over to Apple's Support site to see if there was a relationship, but learned that the timing is just a coincidence (even though there's a lot of the usual FUD and flailing of arms in the discussion forums). In fact, it turns out that the pop-up advertisers (what's the proper denigrating term here?) have finally defeated the pop-up blocking functionality found in many browsers. MacFixIt is running a front page article on the topic and says 'Contrary to initial reports, this problem isn't limited to Safari; subsequent reports have noted pop-under ads victimizing a number of browsers that provide pop-up-blocking features, including the latest versions of Safari, FireFox, Mozilla, OmniWeb, and Camino.'"

I don't see a problem here...

[IO+ERROR]

Hm, Firefox's built-in pop-up blocking hasn't yet failed to block a pop-up ad, and the Adblock extension has gotten all the rest, once the offending sites were added to its blacklist. I rarely see an ad anymore, of any type, unless I'm looking for it.

In any event, it's going to be something of an arms race between advertisers and pop-up blockers. Ideally, these jerkwad marketers should realize that people using pop-up blockers do not want to see their ads and display them to someone else who does want to see them. If they can find anyone like that.

How it mostly works

[BWS]

Fundamentally, most browsers allows popup if it is cuased by a click. (eg, you click on a link and a popup window occurs).. So what they have done is figured around that. They wrap all links around javascript calls, it changes your current page to the new destination and popups up a new window (that's an ad). Here's some code I did that popups up 5 windows in Firefox..

<html>
<head>
<title>Test Page</title>
<script type="text/javascript">
function goLink(t1, t2){
window.open(t1, "pop1", "name=a1,width=400,height=400,left=10,top=10");
window.open(t1, "pop2", "name=a2,width=400,height=400,left=40,top=40");
window.open(t1, "pop3", "name=a3,width=400,height=400,left=70,top=70");
window.open(t1, "pop4", "name=a4,width=400,height=400,left=100,top=100");
window.open(t1, "pop5", "name=a5,width=400,height=400,left=130,top=130");
window.location = t2;
}
</script>
</head>
<body>

<A HREF="javascript:goLink('http://www.google.com','h ttp://www.fark.com')">Go TO Fark.com</A>
</body>
</html>

Re:How it mostly works

[dgatwood]

That's not quite how they do it, though you're close. The websites that end up generating these pop-ups don't have any javascript in the links. They're being blown in by banner ads using an onload or other similar routine and then walking the DOM and adding an onclick property to (or possibly adding javascript to the href property of) various random anchors throughout the page.

Generally speaking, if javascript adds an onclick to a link that didn't have one in the original page contents, this should not be allowed to occur. Further, if javascript attempts to open a window as a result of clicking on a link whose HREF is a javascript link, the original page content prior to javascript DOM manipulation should be checked, and if the original contents were not a javascript HREF, the pop-up should be blocked.

Fix those two problems, and these pop-up ads should become a fading memory... at least until they come up with the next gross mechanism to do it....

Re:How it mostly works

[orthogonal]

Proxomitron regexes can be written to get around this.

While I don't have one that does exactly this, I do have one for the more common "send the real url as a GET parameter" -- Fark.com and yahoo.com like to do this. An example from fark:

http://go.fark.com/cgi/fark/go.pl?
IDLink=13658 27&location=http%3A%2F%2Fnypost.com%2F news%2Fregionalnews%2F40168.htm

So rather than go directly to the NYPost, you hit Fark first, and Fark get to tell its advertisers, look at all the clicks on our links. It also means most clicks take a good long time, to hit fark and be redirected.

The Proxomitron regex not only makes the url the real url, it adds an "[orig]" link in a small red font, just in case it really is necessary (as on Yahoo) to go via the redirecting link.

Here's the regex:
Match: <a (*href=)\0("|)\1(*(/|\?)*)\2(('|)http(%3A|:)(%2F|/ )+)\3([^&;=>"*]+)\4\5("|)>
Replace: <a \0\1\2\3\4\5\1><font size=1 color=red>[orig]</font></a>\r\n
<a $UESC(\0\1\3\4\1)>

The nice thing about Proxomitron is that I not only don't get pop-ups, I also don't even get many embedded adds.

For example: on Washingtonpost.com's front page, I see only text adds. Bypassing Proxomitron (it's done with a bookmark) shows me three additional ads in Firefox, but even bypassed I don't see many, as I have a second proxy behind Proxomitron to filter out the "always bad" sites like doubleclick.

From where I sit, the web is a calm place with no pop-ups, no annoying ads, no distractions.

Adblock and Firefox

[MightyPez]

Lately I've been hearing complaints by people using Firefox of some sites having pop-ups come up again. The biggest complaint coming from people that visit The Drudge Report. I too have seen them.

However, ever since I started using the Adblock extension, as well as keeping an updated list of definitons, I haven't had these problems lately.

Re:Science Blog

[servoled]

Pop-up free for me, but adblock did block two javascript items which is probably why. With a combination of adblock and userContent.css in firefox I'm still pop-up ad free.

You might want to try something similar. If things get really desparate, using an blocking HOSTS file can help as well.

Re:Science Blog

[HangingChad]

I just tried that URL but don't see any pop ups. I'm also running Firefox 1.0 on Xandros.

In the arms race between pop ups and browser, I'll put my money on the Firefox team. There's no way to win the pop up battle against open source. Against MSFT, certainly. They develop at the speed of glacier.

I'm guessing the first couple pop ups the Firefox developers see they'll be writing a fix.

Re:Drudge

[dspeyer]

The drudge-report page self-modifies to include the javascript at:
http://z1.adserver.com/w/cp.x;rid=52;tid=4;ev=1;dt =1;ac=26;c=209;
That javascript changes each time you load it (I think there are only a handful and the server picks one pseudorandomly). This means that sometimes it will hit you with popups, and sometimes it won't.

The code is obfuscated and I haven't sorted through it. The easy way to block it is to redirect z1.adserver.com in you /etc/hosts or block it at your firewall.

You may need to click on a link in order to experience the popup, though the links themselves are legitemate http hrefs.

Solution

[brsmith4]

A solution to this is to install the AdBlock extension for Mozilla/Firefox. Once you've done this, grab this list of search strings. Once you've done this, import the text file and you should be home free. Try to keep that file updated as it should be a good starting-off point, but will become outdated as time goes by.

How to not get pop-ups and keep your javascript on

[Penguin+Follower]

Just turn off javascript in the browser you use. If a site requires javascript then don't go there.

That is not a viable option. 95% of the sites I (and almost every other web user) visit use javascript in some way, shape, or form. I don't want to take the mindset of "Flash is evil, images are a waste of bandwidth, java is pathetic (even though it is, but that's beside the point). The Internet is full of crap so I should just use Lynx." I like to see things other than plain text and images. I can deal with a couple of pop-up ads here and there until the next version of Firefox comes out.

Well, here is what I do in Firefox. I haven't received any pop-ups (yet). In the options dialog, under "Web Features" you'll find that on the far right across from the "Enable Javascript" checkbox is a button that says, "Advanced."

"Allow scripts to: " (remove check marks next to the following)

• "Move or resize existing windows"
• "Raise or lower windows"
• "Disable or replace context menus"

I also uncheck "Hide the status bar" but that's a personal preference.

After unchecking those along with having the pop-up blocker enabled I no longer get any pop-ups. And I really don't see unchecking those having any profound viewability problems on the web. If a site needs to resize your window, it's usually because they want to open a pop-up along side it. :P Same goes for raising/lowering too.

Re:been seeing this a while

[Curtman]

I don't doubt that an update or plugin will be made soon to stop even these, if one's not already out and I just haven't noticed.

Setting 'browser.block.target_new_window' to true in about:config seems to work, I haven't noticed any.

Re:Example of a site that has it

[bleeware]

The 'popup' at the Hidustan Times link does not create a new browser window. The popup content is displayed on top of the html content using a CSS layer. --Bruce

Re:Science Blog

[CastrTroy]

Wow. Kind of weird. Firefox says the add was blocked. After a little while though, it pops under. I've never seen this before, so I decided to investigate. Seems it pulls some javascript file from some other domain. Fastclick.net in this case. Is there a tool that blocks the site from bringing scripts in from other domains? Like blocking images from other domains? This would probably stop a lot of the problems.

Re:been seeing this a while

[ticktockticktock]

I found the following adblock filter on slashdot somewhere, but don't have the reference handy, so I just copied/pasted my copy. There should be no spaces in any of the lines, and all lines start with / and end with /. There are some false positives with these rules on some sites. But for most other sites, you just don't see ads on pages anymore. (I am not sure how well these rules would work against popup ads though.)

[Adblock]
/\/(ad|commercial|marketing|promo(tion) ?|shop|sponsor)s?\//
/((double|fast|ad)click|clic k(xchange|sor))/
/(page|side|text)_?ads?/
/rcm.* \.amazon/
/(adsdk|a1\.yimg|akamai|amznxslt|atdmt| atwola|bilbo\.counted|bizrate|bonnint|brides\.ru|e dge\.ru|hitbox|falkag|maxserving|promote\.pair|rea lmedia|santa\.imho|servedby|spinbox|tribalfusion|q ksrv|zedo)/
/\/ads?(\.[\w]*){2,3}\//
/(ima?ge?|a d)serv/
/(ad|banner|sponsor)s?_?(id|ima?ge?|[0-9] *x[0-9]*)/

Re:Science Blog

[CastrTroy]

oh, one more thing. Fill in a url querystring parameter to that url, and you get a popup with that address. For example: http://cdn.fastclick.net/fastclick.net/ffp.swf?url =http://www.google.ca

Re:been seeing this a while

[koreaman]

Site with popups
Note that it doesn't always pop-up.

Dude, you are so out of touch:-)

[khrtt]

Haven't you heard of gmail?

Are you really going to complain loudly to the webmaster of every little javascript-based site you want to use and wait for them to redo the site?

Do you realize that many sites are actually faster with javascript on, because there is a non-trivial application running on the client site, and it needs to download no (or very little) data for many of the requests, as opposed to loading the whole damn page every time you want to change the width of a column in a table?

Mod parent up

[Headius]

This is very useful. It's worth noting, also, that removing all "allowed" popup events doesn't completely kill your ability to use sites that need popups...it just causes Firefox to warn you that it has blocked something, allowing you to adjust settings for that site.

Seems to have fixed all those new popups for me.

Re:been seeing this a while

[ArcCoyote]

Zophar and other sites that pop in Firefox seem to be using javascript that traps the click and mouseup methods on all links. If they don't get you when you click, they get you when you let up on the button. Technically, these are user-initiated pops, so FF doesn't block them.

You don't have to kill all allowed events, just hash out click and mouseup.

dom.popup_allowed_events = "change #click dblclick #mouseup reset submit" works well and still alows legitmate popups when you click form buttons and other user-requested behavior.

As always, you can always allow a site you need popups on.

Re:been seeing this a while

[elfurbe]

It's worth noting, though, that target="_blank" is deprecated in XHTML strict. If you're trying to write strictly compliant web pages (that is, XHTML 1.0 Strict/1.1), there's no answer except javascript for firing off a new window.

That said, I like the idea of NO popups of ANY sort without authorization. As long as Firefox clues me in that it stopped a popup so I can approve the site, I'm in. Though, I'd like to see a "one time" authorization. As in, I'm on some website I don't intend to be at again, I need to see one popup to complete some task, and that's it. I don't want it on my whitelist, I just want to see the one popup. Sort of like a firewall. Do I want to allow this: once, always, not this time, never.

Re:been seeing this a while

[bahamat]

I actually spent several hours researching this because I was getting them in Firefox on OS X, but not Safari or Firefox on Linux. When my roommate started getting them on Linux I was quite surprised.

In every case I eventually tracked it down to either Flash or Java objects loaded into a page that requested a window be opened. Also in every case it seemed to be a well known advertising site that the object originated from.

The reason I never got any in Safari but did in Firefox is because I use Safari as my main browser so I've got PithHelmet installed, which comes with a healthy list of things to block, whereas I use Firefox only for testing so I've got little to nothing listed in my AdBlock rules. At work where I use a Linux desktop I have a healthy list of AdBlock rules.

If you're concerned about your privacy, avoiding ads, or popups you need to have at minimum AdBlock, CookieCuller and X installed for Firefox. If you're using Safari, PithHelmet is absolutely the best.

Code example

[theolein]

I too noticed this, but contrary to most, realised that they must simply be doing what has been possible for a long time but which no one had really bothered with, with the exception of porn sites and other spyware "value adders", until now.

Basically, it just uses the age old technique of using the document.write method, but obfuscated, to write other, obfuscated tags which are not recognized by the blocker as being new script tags, which themselves call a new obfuscated pop.js code that actually, in yet another round of obfuscation, produces the actual pop-under code: In essence, if one can block any request for the server of the obfuscated pop.js, or pop.cgi or whatever code, one will be in peace for a while. This can be done via adding the following lines to the hosts file on Windows (C:Windows(or WinNT)\System32\drivers\etc\HOSTS) or on Linux or MacOSX (/etc/hosts) or simply via your firewall software, which I'm sure we all use, don't we?

127.0.0.1 www.fastclick.net
127.0.0.1 media.fastclick.net

I have the code from the above server, as used by scienceblog.com, but I won't post it, as it's copyrighted, because the last thing I want is some internet low life trying to sue me for their own low life purposes.

Bugzilla bug #253831 for Firefox

[Val314]

if you see PopUps in Firefox, please file them here : https://bugzilla.mozilla.org/show_bug.cgi?id=25383 1 (no link, Bugzilla doesnt like /. links)

Re:This isn't that serious

[Mant]

Go look at Google maps and Gmail. You can do some really good stuff now with Javascript, particularly as you can make a request back to the server with it and update part of the page without a reload.

Like any web tech it can be abused, but if you are a half decent developer the reason you are putting in JavaScript is to make the app a better experience for the user.

Maybe you want a world of basic pages and lots orf reloads, but most user seem not to.

FIX FOR FLASH POPUPS

[Barbarian]

https://bugzilla.mozilla.org/show_bug.cgi?id=17607 9

- go to about:config
- right-click and select New/Integer preference
- make a pref called "privacy.popups.disable_from_plugins"
- set the value 2

Now plugins are treated just like javascripts trying to open popups--they get blocked by the popup blocker. You have the option then to show the popup or to allow them for that site if you want.

Re:Overcome this.

[pizza_milkshake]

flashblock replaces all flash with an (F) icon, which can be clicked, enabling the flash to play. 99% of the time i don't want flash, but in the case of strongbad, of course, i click :)