Archive for January 6th, 2010

Pop-under windows are a popular alternative to their pop-up precursors in the advertising industry, officially because the former pretend to be less intrusive than the latter, but more likely because pop-up blockers (such as Firefox's built-in one) are not exceedingly effective against them.

NoScript users should not be overwhelmed by these annoyances, especially when they're delivered through external scripts provided by 3rd party advertising agencies, whose hosts are blocked by default.

However, an increasing number of web sites, especially adult-oriented ones, use Javascript code embedded in the page itself to produce pop-unders: therefore, if the user is forced by other means to enable page Javascript (e.g. by requiring scripting to decode image URLs on the fly, like happens on), the pop-under will unavoidably succeed. Well, almost unavoidably.

For some time now NoScript has been providing a page-level script surrogate to kill's pop-unders. Actually, since the most recent NoScript versions also execute page-level script surrogates on script-disabled pages, you could even use a surrogate to decode images while keeping Javascript disabled (such a feature will probably be included in the next NoScript release).

However, the just released NoScript enhances and generalizes the previously imagefap-specific surrogate, making it effective against a much wider range of web sites: certainly all those hosting AWEmpire's ads, but potentially many, many more.

The noscript.surrogate.popunder.sources about:config preference, listing the URL patterns where this surrogate applies, currently looks like this:

@* * * *

Theoretically, you should add to it the sites requiring Javascript and spawning pop-unders (are you sure they're worth your whitelist, though?).
However, since running this surrogate does not add more than one millisecond to your page loading and should not have any notable side effect, if you feel adventurous you can change the preference above into


meaning that all the HTTP unencrypted web sites will enjoy pop-under immunity. If you experience problems with this setting (especially links which don't react to your clicks even if Javascript is enabled) and they're fixed by restoring the default, or just find a web site where pop-unders survive, please let me know.


After quite extensive testing, this Anti-Pop-under surrogate seems unlikely to break anything. Therefore, NoScript turns it on by default for every HTTP unencrypted web site. If you want you can tweak it by editing either the noscript.popunder.source or the noscript.popunder.exceptions about:config preferences.
