Closed Bug 92178 Opened 23 years ago Closed 23 years ago

Need user-selectable filters for the URL passed to window.open(...)

Categories

(Core :: Security: CAPS, enhancement)

VERIFIED WONTFIX

People

(Reporter: rfg, Assigned: security-bugs)

References

(Depends on 1 open bug)

So is it just me, or are there a couple of billion other people who, like me, are also sick to death of these extraordinarily irritating pop-up and pop-under ads, AND the spying on us that Doubleclick is doing, day in and day out? OK, let's just deal with the issue of the pop-up/pop-under ads for the moment. Why doesn't Mozilla... as part of preferences... allow me/everyone to configure a personal domain-based filtering list that would apply to the URL given in the first argument to any window.open() call? If I had that, then you can bet your booty that I'd filter out all ads from x10.com, toot sweet... and so would everyone else on the planet! (Those people have gotten in my face once too often and now I'm hopping mad!)
So why don't we have this capability?? This is insane. It is almost analogous to selling a mail client with no filters! Nobody in their Right Mind does that anymore. All mail clients these days provide the end user with SOME way of selectively filtering our ****. Why should browsers be totally devoid of all `filtering' type features, even in this day and age?
Oh yea, and separately, there should be a user-selectable (preferences) list of domains for which all http GET operations are suppressed, with the browser just returning the equivalent of <HTML></HTML> internally instead (i.e. gray space). WHY DON'T WE HAVE THIS FER CHRISSAKE?? People KNOW that doubleclick is spying on them, and they DO NOT LIKE IT, but you give them no easy way to prevent it.
Does AOL have some vested interest or reason for making sure that end users can't filter out **** they don't want to see? Hey! I'm only asking. I gotta wonder what is going on, because people have been bitching about these damn pop-up/under ads AND the surreptitious snooping/spying on us that has been going on for a long long time now, and yet I haven't heard ANYTHING about anything that would empower end users to filter this garbage out themselves. Have I just not been paying attention? Are such features now available in Mozilla?
1) You can already block image loads from specific domains. When that's done, no request is sent for those images...
2) You can block image loads from sites different from the site that's serving the page you're loading.
3) You can block calls to window.open(). See the 0.9.2 release notes. See the 0.8.1 release notes for that matter.
Sounds like you'll want to set window.open() to noAccess for all sites and then selectively enable access to window.open() for the sites that need it.
> Why doesn't Mozilla... as part of preferences... allow me/everyone to configure
> a personal domain-based filtering list that would apply to the URL given in the
> first argument to any window.open() call?
That's an interesting idea... Mostly because there is no good way to screen that argument. Consider: window.open("javascript:window.location = 'http://wherever'"); And variants on that. Determining whether the code ends up redirecting to somewhere evil is basically impossible.
Oh, you can permanently block cookies from a particular domain as well, iirc.
Over to security:CAPS to decide whether this RFE is feasible...
Assignee: rogerl → mstoltz
Component: Javascript Engine → Security: CAPS
QA Contact: pschwartau → ckritzer
Summary: Need user-selectable filters for javascript:window.open(...) → Need user-selectable filters for the URL passed to window.open(...)
rfg@monkeys.com: these are excellent points that you make. You will be interested in bug 75371; also compare bug 29346 -
Status: UNCONFIRMED → NEW
Ever confirmed: true
Point #1: Blocking "image" loads (from a given domain, or list of domains) is obviously only a rather incomplete subset of what I want to do. I want to block loading on ANY AND ALL material, images or otherwise, from selected domains and/or subdomains thereof.
Point #2: I do not want to block access to window.open(). I simply want calls to that function to FAIL, at run-time, if the URL given as an argument in the call happens to be in a domain that I have selectively blocked. This is perfectly do-able, and would allow me to block out JUST the annoying pop-ups generated by, for example, x10.com, and also the ones generated by various porno web sites that I visit from time to time while researching the e-mail spams they seem to constantly send to me (and to everyone).
Point #3: It is nonsensical on the face of it to say that it would be either impossible or even very difficult for code to be introduced into the browser, at some sufficiently low level, that would succeed at getting BOTH window.open() AND also assignments to window.location to simply fail, if and when the specified URL is in a domain which is on the user's personal blocking list. At some level, the browser has ahold of the strings in question, and they can simply be filtered at that level. Assignments to window.location which do not pass muster against the user's configured filters could be transparently and automagically replaced with something else entirely, e.g. some special code like "devnull:deadend", which would be interpreted internal to the browser to mean nothing/grayspace. (I would prefer grayspace over ANYTHING that might be sent down my line from doubleclick.) If we can put a man on the moon, I suppose that we can do this. It ain't that bloody difficult.
P.S. My JavaScript book is very out-of-date, and I may perhaps be wrong about this, but it seems to indicate that the first argument in any call to window.open() must be an actual URL. If so, that makes your example of: window.open("javascript:window.location = 'http://wherever'"); completely bogus.
P.P.S. I should really look at whatever document contains the definitive reference for JavaScript before I ask this question, but is window.open() EVER defined to FAIL? If not, that seems like a big mistake in the language definition to my way of thinking. Every function should have some way of returning back a well-defined failure code, just in case. (The book I have doesn't seem to indicate that window.open() is ever defined to fail, OR that programs should even check for such a possibility. Perhaps the book is just wrong?)
bug 75371 is clearly quite relevant, but I'll need to go and research all of the relevant other material connected to that. I'm a little bit worried that the discussion of bug 75371 heads off in the direction of functionality that nobody really wants however. If I'm visiting www.news.com or www.cnn.com, then I _do not_ want to disable the creating of new windows while browsing those sites entirely. If CNN wants to put up a pop-up window that explains in more detail, say, the technology of the new artificial heart that was implanted in some volunteer a few weeks ago, then yes, I *do* want to see that pop-up window. But if they try to get a window for some page over at x10.com to pop up, then I want to have THAT ONE be suppressed. Likewise if any new pop-up window has source coming from doubleclick.com, or any subdomain thereof, then I want THAT pop-up suppressed, ideally, silently and without ANY interaction from me. In short, what I want, and what I believe most people want is NOT a way to disable window.open() entirely when visiting certain *real* content sites, e.g. cnn.com. Rather, we want a way to continue to view all of the real content on those sites INCLUDING POP-UPS, while filtering out only the garbage that we know, from past experience, we don't want... like for example anything from x10.com.
Ronald, Good points. We've considered point #1 above in the mail/news case as bug 28327. The general problem of gathering data on users through server hits (for IMG tags, etc.) is known as the Web bug. We're working on a solution for that, but it'll probably be a while. Know anyone who can code and is interested in helping write a solution? We've got some basic framework (nsIContentPolicy) in place.
We have, to this point, been considering ways of preventing 'blacklisted' sites from calling window.open entirely. I hadn't thought of blocking based on what URL the script is trying to open. I believe this wouldn't be very effective, though. Doubleclick and other ad sites often use the technique of serving their ads through the host site's domain name. For example, an ad embedded in a Yahoo page but served by Doubleclick will often have a URL such as ads.yahoo.com/annoyingad.gif. Doubleclick simply asks yahoo to configure their DNS server to resolve ads.yahoo.com to the IP address of Doubleclick's server. This is done in many cases to foil ad and cookie filters. It's actually kinda hard to tell which URLs are ads and which are legit. Because of this, I don't think filtering based on the argument to window.open would be all that effective.
This still leaves us with the dilemma of allowing legitimate window.open's, such as helpful popups, while blocking popup ads. A possible solution is Jesse's proposal of allowing window.open only in response to a user click, not an onLoad or onUnload event, etc.
> P.S. My JavaScript book is very out-of-date, and I may perhaps be wrong about
> this, but it seems to indicate that the first argument in any call to
> window.open() must be an actual URL. If so, that makes your example of:
> window.open("javascript:window.location = 'http://wherever'");
> completely bogus.
Actually no, that's perfectly valid code in Mozilla. Did you try it?
> P.P.S. I should really look at whatever document contains the definitive
> reference for JavaScript before I ask this question, but is window.open() EVER
> defined to FAIL?
Sure, it can fail. If the security manager disallows it, it will throw an exception, which can be caught by the script. If it's not caught, it stops the execution of the script.
> Does AOL have some vested interest or reason for making sure
> that end users can't filter out crap they don't want to see?
If I had a nickel for every time someone superciliously suggested that the absence of some key feature is due to some sort of AOL conspiracy, I wouldn't have to work here anymore. This is not AOL, this is Mozilla.org you're posting to, which has hundreds of non-AOL contributors. We already have the ability to block window.open per-site, which as you pointed out is not a perfect solution, but it's more than the competition has, and we're working on improvements, with your help.
> If we can put a man on the moon, I suppose that we can do this. It ain't that
> bloody difficult.
Who is this 'we' you refer to? As I mentioned above, distinguishing ads from other content can in fact be bloody difficult. But this is an open source project, so since this issue is obviously of great concern to you, why not help us figure out how to actually do it?
Nothing much new here that isn't covered in other bugs, and I think we agree that filtering based on the target URL is not very effective, so I think this is a WONTFIX. Please reopen if you disagree.
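Added example, not part of the bug thread and not Mozilla code: a sketch of the proposed filter on the URL argument to window.open(), run over the two cases raised in the comments above that it cannot catch (a javascript: URL, and an ad served under the host site's own name). The function names, the blocklist and all sample URLs except the two quoted from the thread are constructed for illustration.

```javascript
// Added illustration; names, blocklist and sample URLs are constructed.
const BLOCKED_DOMAINS = ["x10.com", "doubleclick.com"];

// True when host is a blocked domain or any subdomain of one.
function hostIsBlocked(host, blocked) {
  const h = host.toLowerCase().replace(/\.$/, ""); // ignore a trailing root dot
  return blocked.some((d) => h === d || h.endsWith("." + d));
}

// Screen the first argument of window.open() against the user's list.
// Returns "block", "allow", or "unscreenable" when the string names no host.
function screenOpenTarget(rawUrl, openerUrl, blocked = BLOCKED_DOMAINS) {
  let target;
  try {
    target = new URL(rawUrl, openerUrl); // resolve relative URLs against the opener
  } catch (e) {
    return "unscreenable";
  }
  if (target.protocol !== "http:" && target.protocol !== "https:") {
    // javascript:, data: and similar carry script or content, not a host;
    // where the window ends up is only known after the code runs.
    return "unscreenable";
  }
  return hostIsBlocked(target.hostname, blocked) ? "block" : "allow";
}

// Constructed sample calls, all made from the same opener page.
function demo() {
  const opener = "http://www.example.com/news/story.html";
  const samples = [
    "http://www.x10.com/camera.html",          // listed domain
    "http://ad.doubleclick.com./pop.html",     // subdomain, trailing dot
    "http://notx10.com/",                      // look-alike, not a subdomain
    "/science/heart-popup.html",               // host site's own pop-up
    "javascript:window.location = 'http://wherever'", // example from the thread
    "http://ads.yahoo.com/annoyingad.gif",     // ad under the host site's name
  ];
  return samples.map((u) => [u, screenOpenTarget(u, opener, BLOCKED_DOMAINS)]);
}

console.log(demo());
```

The last sample is allowed because the string names only ads.yahoo.com; which server answers for that name is decided in DNS, which a check on the URL argument never sees.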
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → WONTFIX
> P.P.S. I should really look at whatever document contains the definitive
> reference for JavaScript before I ask this question, but is window.open() EVER
> defined to FAIL?
Sure. window.open() returns a handle to the newly created window. If it returns null, it failed to open a window. There is also the case of window.open() throwing an exception, as Mitchell pointed out.
mstoltz@netscape.com wrote:
> I hadn't thought of blocking based on what URL the script is trying to open. I believe this wouldn't be very effective, though. Doubleclick and other ad sites often use the technique of serving their ads through the host site's domain name.
I have _never_ seen such a case. Can you point me to one? I personally have difficulty believing that this ever happens, since I have never seen it. And in any case, even if there are some such cases, I believe that will be the exceptions that prove the rule.
Marking VERIFIED WONTFIX.
Status: RESOLVED → VERIFIED
Look at the ad URLs on the New York Times, Yahoo, and lots of other major sites. Many do contain the word "ads" somewhere, but none say Doubleclick, and all are served from the same domain as the rest of the page. Anyway, you'd best believe that if people started blocking ads based on domain alone, Doubleclick and the rest would all step up their use of the technique I described above. They're not stupid. This is a complicated problem, and I welcome your help in solving it. Just don't accuse us of failing to solve a "simple" problem.
Depends on: 33469