<$BlogRSDURL$>
Proceeds from the ads below will be donated to the Bob Wuesthoff scholarship fund.

Monday, February 21, 2005

Tech Rant: The Undead Popup Ad

Chagrined

After spending column space Thursday raving about Firefox, I now have to be a little chagrined, because just after I wrote that, I started getting barraged by more popup ads. Wuzza? Turns out the sneaky popup advertisers have struck again, and have started taking advantage of certain loopholes. Slashdot caught hold of this yesterday; there appear to be two main issues that I'll discuss in the next section. Non-geeks can safely skip ahead without harm; I'll get to the actual fixing of things in a bit.

The Two Vulnerabilities

First, a little background on how popups and popunders work. Most of the time, these are simply requests run with a given page's onload event, attached to the body. Early popup blocking technology, therefore, focused primarily on that interaction, and it was generally successful. However, some requests to create new external windows are legitimate, and so blocking popups wasn't quite as straightforward. In general, the modern popup/under blocking strategy is to deny popups except in cases where the user has specifically clicked something.

This, too, has its problems. Consider this Javascript, kindly provided in the aforementioned Slashdot thread. (You can see this in action here.)

<html>
<head>
<title>Test Page</title>
<script type="text/javascript">
function goLink(t1, t2){
  window.open(t1, "pop1", "name=a1,width=400,height=400,left=10,top=10");
  window.open(t1, "pop2", "name=a2,width=400,height=400,left=40,top=40");
  window.open(t1, "pop3", "name=a3,width=400,height=400,left=70,top=70");
  window.open(t1, "pop4", "name=a4,width=400,height=400,left=100,top=100");
  window.open(t1, "pop5", "name=a5,width=400,height=400,left=130,top=130");
  window.location = t2;
}
</script>
</head>
<body>

<A HREF="javascript:goLink('http://www.google.com',
            'http://www.google.com')">Go To Google.com</A>
</body>
</html>
The other issue -- and a far more pernicious one -- seems to be Javascript DOM crawling. The DOM -- the Document Object Model -- describes how the guts of a webpage are supposed to be rendered. Internal to that are the events that can cause popups and popunders. Even if a link doesn't have an onclick event attached to it, a DOM crawler can create one and execute it when you link out -- thereby bypassing popup blocking. (Thanks to this link for the info.)

Of course, another cause of popups/unders is spyware; for that you need to use AdAware, but if you've already got malware on your machine, you may have to do what I ended up doing and reinstall Windows -- or better still, ditch your Microsoft desktop and go to Linux.

Needless to say, this sudden burst of success has gotten the advertisers going all Pavlovian again. Paypop, one of the earliest agencies to discover DOM crawling, has this to say on their FAQ page:

Q. I am also tracking the stats myself, why there is count discrepancy?
A. Generally, there are some factors that may affect the counting: 1. Internet surfer's connection speed. 2. How the publisher setup their codes. 3. Network issues 4. Pop killer/blocker for popunders. However, popunder's count discrepancy is usually about 15%-35% (due to pop blockers, we have already by passed windows SP2, google toolbar,MSN and norton internet security,Gecko/Firefox,Netscape,Opera), in-page banner is about 5%-10%, and popin banner/interstitial is about 7-15%. If you are seeing a count discrepancy greater than 25%, please contact our publisher support immediately because that is un-normal.

...

Q. Can your popunder code by pass pop blockers?
A. Yes, our system is capable of bypassing SP2 and most of the pop-up blocker out there. However there are still some new pop-up blockers that we may not recognize, please inform us those pop-up blockers so we can improve our system.

They're out there, they're selling it, and they're mean. (Thanks to this Mozillazine thread for that link.) They know they're being antisocial jerks, they don't care, and they want to make money by annoying you. How rotten is that?

What To Do?

So at this moment, the bottom line is that Firefox's anti-popup blocking tech is a little behind the times. I don't expect it to stay that way for long; if anything, Firefox is much more user-driven than IE. Until DOM crawling can be shut down, here's some things you can do: As they say on Slashdot, Hope That Helps.

Labels:


Comments:

Post a Comment

Note: Only a member of this blog may post a comment.



Newer›  ‹Older
This page is powered by Blogger. Isn't yours?
Google

WWW 6-4-2