The apis used to control focus should just be put behind a permission, as microphone/camera access etc. are. If a site wants to control window focus, I should have to explicitly allow it.

No focus APIs are necessary to implement pop-unders.

AFAIU, the way modern implementations work, is that they make some link (occasionally the entire body) a target=_blank link, which points to some other part of the website. This causes the link target to appear in a new tab. Now, the original tab has its contents changed to that of an ad; when the user finishes browsing the website and closes the newly-opened tab, they will see the "pop-under" tab (which is actually the original tab the user entered the website with).

Wouldn't this be noticeable in the form of a new tab opening? For example TripAdvisor does pop unders which are unnoticeable until you realize that there is a window (Not a tab even though my settings say to open links in New tabs, never windows) underneath your current window

Couldn't this be avoided by refusing to run onclick/similar events for target=_href links?

Unfortunately, preventing those events from running code could be easily programmed around, if, as I assume you mean, you let the rest of javascript run as normal. If you're trying to run code in response to someone clicking on link A but the browser had disabled onclick for link A, you could still register an onclick for the entire page and in that listener examine the coordinates of the mouse to see if it's over link A and then run code "in response" to the click. This is just one of countless ways you could get around the rule I'm sure.

Maybe the browser itself should have more efficient anti-clickjacking tech, such as blacklists and spam classifiers. Users should be able to block all popups from a specific site when protection doesn't work well automatically.

Hm, but if you open a new tab via a click, that does not get focus by default. So the it's not really a pop under.

For Google to do this, there is a competition aspect to it. Pop-unders compete with Google.

That said, something needs to give. Particularly disturbing is news sites. Otherwise reputable news sites are willing to put up the sleaziest "monetization" on their sites. Pop unders, pop overs and extremely dishonest advertising, especially under the "native ads" umbrella. Many of these are advertising fake news, fake products, fake customer stories.

There is such a thing as advertising standards, where advertising standards. It works differently in every country, but the mechanism is generally 2-fold. (1)Some sort of advertising authority regulates the media side: they can complain/accuse TV stations or print papers. (2)Regulated industries (drugs, financial services) have a regulator that holds them to advertising standards. This part still works, but no one seems to have the ability/jurisdiction to complain about online advertising.

At the very least, I'd like to see national advertising standards authorities ban the use of certain ad aggregotors on local news sites, if they violate advertising standards. Many of these ads are ilegal anyway, I think.

wouldn't it be better to just find a way to prevent pop-unders in the first place. Why is it so hard to thwart them? All these sites use the same script that evades the popup blocker built into chrome yet none of google's 1000's of engineers can do anything about it apparently.

>All these sites use the same script that evades the popup blocker built into chrome yet none of google's 1000's of engineers can do anything about it apparently.

Because it's really hard to differentiate between legit popups (that the user wants) and popups that are unwanted.

https://en.wikipedia.org/wiki/Pop-up_ad#Pop-under_ads

Why would anyone ever want a pop-under for any reason? I would be satisfied with a solution that turned any pop-under into a pop-up.

That's actually an interesting point. I wonder how many sites would be broken by disabling methods that shift window focus, like Window.focus() and Window.blur()? Probably not many...

Every bank website I've used so far does forced pop ups, as well as websites that want you to authenticate yourself using some other service (such as Google, or Facebook.)

Pop ups are reasonable. The pop unders are what google is saying are user unfriendly.

They might be, but the person I was replying to wanted to disable all methods that shift window focus. It won't work, at least as of right now.

When a window is created (with Window.open, or from a link with target="_blank"), it implicitly gets focus. That part wouldn't change.

> Every bank website I've used so far does forced pop ups

But why do they do this? I have yet to have someone give me a good explanation.

It's done to escape from iFrame jail attempts. Rogue site loads bank site in iFrame, end user types in their password...

Browsers are not supposed to let javascript access the DOM or events in a cross-domain iframe, is that not correct?

Correct, but it's still possible for the parent page to overlay invisible textboxes and buttons in order to capture input.

Wow, what a tire fire the web has turned out to be.

Can we just throw the whole thing out and start over? I miss the 90s...

Why not implement a good 2FA then to avoid the problem entirely? The way I see it if someone can steal your bank login details using iframes as a weapon then the bank is doing something wrong. Banning pop-ups entirely would force the banks to shape up

Isn't it easier to set X-Frame-Options to deny or sameorigin?

Yes, absolutely. But that didn't work on some older browsers (like MSIE7 and earlier), so some sites settled on weird "solutions" like this one...

No idea. It just gets caught by the pop-up blocker for me. I end up just copy-pasting the URL over into a new tab, somehow.

A lot of times you see self-closing popunders, which are almost always just poor design, but you might break a lot of old websites if you block pop unders.

I wonder if a good middle ground (restricting this without breaking legacy sites) would be to add a permission for this. By default any target=_blank or similar opens in the same tab, but it shows a permission or the 'pop-up blocked' notification, which allows the user to open it in a new tab, and grant permission for the site to do that by default. As a user you can still ctrl/cmd-click to force links (which are proper href links) to open in a new tab.

> Because it's really hard to differentiate between legit popups (that the user wants) and popups that are unwanted.

It really isn't -- does it exist? Yes? Then it's unwanted.

For the few misguided sites that use a pop-up as a ui element, the yellow '<site> has attempted to pop up a window' is sufficient.

There are zero cases where I'd be happier with a site opening a pop up window on my behalf, than doing it's thing in the same page.

They don't have to do that, and as another commerce mentions, often achieve this with otherwise perfectly acceptable api's - they make the link open a new tab, and then change the original site's content to an Ad.

Disallow opening new tabs. There are zero cases where I want a site to do that.

Really? I use Firefox with UBlock Origin and never see pop-unders. The only time I see them is when I use Chrome.

You have it for Chrome as well - https://chrome.google.com/webstore/detail/ublock-origin/cjpa...

I never, ever want a pop-up. Let me block them all by default.

I have hard time imaginig a popup that the user wants.

Never clicked the "pop-out" button in Gmail or Hangouts?

I find with things like this that it's a million times easier to have the feature turned off by default, and then whitelist your own specific use cases.

Thats what Ive done with Javascript on the web. My browsing experience is so much better without downloading 20mb of ad network code on every page load, that I could never go back even with the minor annoyance of having to click "allow javascript on this site" every now and then.

No. What does it do?

Moves your chat or compose box into a new window. Useful for some people's workflows, less useful for others. I sometimes pop out a Hangouts chat so I can pin it somewhere I can see it while doing something else.

For that matter, the browser should not be in charge either but the desktop environment. Mine (gnome) happens to not allow focus stealing, so every popup is a pop under and should be blocked by the browser.

Pop-unders are extremely annoying, not only do they slow the browser but they are always filled with malware. Good move by google.

I didn't know these had become a thing, due to my use of ad blocking.

Thanks, ad blocking.

this is not because google is your friend, this is because they want you to have less reason to use adblock.

But in this case I align with their decision. I don't mind websites that have advertisements as long as they aren't intrusive, and my privacy is maintained. If those demands were met on all of the sites I frequent I would uninstall my ad-blocker

>I don't mind websites that have advertisements as long as they aren't intrusive, and my privacy is maintained

It would be a cold day in hell if google stopped tracking people.

Agreed, Google is unlikely to stop trying to track it's users; it's too profitable.

On the other hand, privacy is more about choosing what you share than not sharing things, and imo Google does an okay job at letting users control what they share; better than most companies operating at that scale. And while their privacy controls are not very fine grained, there seems to be an emphasis on making sure even non-technical users understand what is being shared and why.

FWIW, https://myaccount.google.com/activitycontrols to control what data they'd use and how it's used, and http://history.google.com lists the data they've collected. You can delete some or all from there.

I highly doubt it and derived data are actually deleted, it merely stops you from being able to view it.

That's a pretty serious claim. Do you have anything other than scepticism behind it?

[Disclaimer: I work at Google. Every team I've interacted with takes this very seriously]

Agreed, and I don't want them to quit using my data altogether. A lot of their best products are powered by my data (search, inbox, assistant)

In this instance it's a great step in the right direction. On the other hand Google uses the "do as I say not as I do" model when it's convenient for them to do so.

Full page ad interstitials on mobile will get you banned from AdSense, but Google also offer their own full page ad interstitials on mobile within AdSense. So long as it's them disrupting the UX its fine.

Not advocating for ads just notice the discrepancies in policy.

The enemy of my enemy is my friend. I appreciate the fact that because of Google's action other sites will stop using this dark pattern. Won't stop me from blocking ads though - Google is still Google after all.

It will still be nice even if you don't block ads though - I'm tired of all this garbage with I go onto someone's machine without an ad blocker, so anything they can do to make ads bearable is a huge plus even if they keep the tracking.

Wow, do you mean that for profit companies base their decisions on profit and not on niceness ?

I'd love to have less reason to use adblock.

Ok?

I'm surprised they didn't ban them already. I mean, Google Adsense already had rules about not being able to use too many ads on one page, or about displaying them next to ads from other providers.

Honestly though, I'm quite happy they're doing this. Yeah some people may say its anti competitive or what not, but the type of ads many sites run are ridiculous. Sometimes even your basic news site or forum is literally packed with ads from top to bottom, with everything from overlays to transitions and pop ups/pop unders and auto playing video going on at once.

If this sort of thing discourages that, it'll make the internet a hundred times more tolerable for everyone (especially those unfortunate souls who can't use Adblock for whatever reason).

That's a great step. I can think of a few more steps they could take, such as removing ads from fake news sites.

Of course that gets into difficult judgement calls, whereas this pop-under case is pretty clear cut.

It makes sense if they want to move slowly and deliberately, but I hope they won't stop here.

Any particular fake news sites you had in mind?

Stuff like outbrain.com, scribol.com, travelwhip.com, and their ilk. Obviously these are not strictly "news" but you get the idea. I think of them as sites that will do almost anything to increase clicks, ad impressions, and affiliate revenues, including presenting severely compromised content.

My father encountered a clickbait site a few weeks ago that would spawn pop-unders playing continuous video ads, muted, which closed as soon as they were focused.

It was bizarre. My only guess was that the site was trying to scam advertisers by "showing" lots of ads to users, without the users actually seeing/hearing them and getting annoyed.

Are these honestly more annoying than YouTube ads?

Or fix Chrome that allows this kind of abuse? Google doesn't give a shit about protecting users.

> Google doesn't give a shit about protecting users.

> Article about Google protecting users.

I developed malware that injects spammy ads into people's browsers.

Google banned my site from their index! Antitrust regulators need to look into this because it costed me my business and my employees! </sarcasm>

This is why US antitrust law focuses on harm to consumers, not companies. I don't see much harm to consumers if Google refuses to do business with websites that annoy consumers. Google already has a lot of rules that websites have to follow in order to be eligible for AdSense.

Okay, I'll bite. Why? Why do you think this merits such an investigation?

I don't know if that's true that it's an abuse of their position. Here's the paragraph from their policies:

> Sites showing Google ads should be easy for users to navigate. Sites may not change user preferences, redirect users to unwanted websites, initiate downloads, include malware or contain pop-ups or pop-unders that interfere with site navigation.

That all seems reasonable to me. They don't want to be associated with garbage websites.

> or contain pop-ups or pop-unders that interfere with site navigation.

Then..

Google on "AdSense Page-level ads"

> We don't count them as "advertisements" when evaluating your site for compliance with our valuable inventory policy. https://support.google.com/adsense/answer/6245304?hl=en

Yes, these ads are not ads compared to other ads: we profit from these.

And my personal opinion is that this kind of thing is exactly what G should be doing with their market position.

No consumer, anywhere, in the history of ever, has wanted things to pop under their browser window stealthily. As such, G abusing their position to hurt companies that do it is a good thing. Those companies should be hurt, and preferably die a terrible, terrible death.

If and when G uses their market dominant position to do something which hurts consumers, then things should be investigated. But an action like this, which has no negative consequences for users, should be applauded.

Google AdSense already has a bunch of requirements in place for sites that want to run their ads -- content restrictions, restrictions on traffic sources, limits on the number of ad units on the page (including ads from other networks), etc. Many of these restrictions are in place because Google's advertisers won't want to run their ads on pages that don't meet those requirements, and Google's new limitations on popunder ads probably fall into that category as well.