Re: Pop ups

> 
> 1) I can't think about an instance (I'm sure someone else will correct 
> me) where pure HTML will cause a new window to open without user 

Even with user intervention, it is still an unexpected change in context,
as it leaves the old window around and the back button will not restore
the original situation.

> intervention.  The HTML "target" attribute of the anchor tag can be used 
 
> If, however, we call a target of, say, _new, then we get a new window - 
> or tab if we're using Firefox and have configured it accordingly...

Any target name that is not currently in scope will generate a popup.
_new guarantees one; non-frame target names that are in scope typically
cause pop-unders, which is probably use than a popup.

> * window.open may be called indirectly from a subroutine in an external 

If I remember correctly, window is just a property of the document
object, so could be copied to a local variable...

> JavaScript file - in the HTML source we may only see a call to 
> subroutine baz() which is external and not visible in the source of this 
> document.
> 
> If one was really sneaky, one could build a window.open command out of 

And there is probably a sufficient demand for popups in certain quarters
that, if static analysis were used against them such techniques are would
be used (obfuscation techniques are heavily used by spammers and people
have used tricks to defeat automated checks for over-quoting on USENET).

I assume current popup blockers detect the dynamic use of the constructs,
not the potential use.

> unrecognisable fragments of code, then run it using eval().  (If I 
> remember my JS correctly.)

You can compose and run ECMAScript without using eval.  It's underused
but has legitimate uses, but I won't help obfuscators here.

> 
> 3) Flash can open new windows too; I can't comment on it further as I've 
> never tried to examine Flash source and run a Flash blocking tool on my 
> browser.
> 
> 4) Anyone know if a Java applet can open windows from the parent document?
> 
> So - trying to find if a popup is going to occur is possible, just very, 
> very, tricky.  To do so would involve working ones way not only through 

I don't think it is, in general, possible. Typical HTML scripting is,
I think Turing complete, so the problem is equivalent the halting 
problem, for which no finite algorithm exists.

Received on Thursday, 31 March 2005 19:34:16 UTC