Pop-under windows are a popular alternative to their pop-up precursors in the advertising industry, officially because they are supposedly less intrusive, but more likely because pop-up blockers (such as Firefox's built-in one) are not particularly effective against them.

NoScript users should not be overwhelmed by these annoyances, especially when they're delivered through external scripts provided by 3rd party advertising agencies, whose hosts are blocked by default.

However, an increasing number of web sites, especially adult-oriented ones, use JavaScript code embedded in the page itself to produce pop-unders. Therefore, if the user is forced by other means to enable page JavaScript (e.g. because scripting is required to decode image URLs on the fly, as happens on imagefap.com), the pop-under will unavoidably succeed. Well, almost unavoidably.

For some time now NoScript has been providing a page-level script surrogate to kill imagefap.com's pop-unders. Actually, since the most recent NoScript versions also execute page-level script surrogates on script-disabled pages, you could even use a surrogate to decode images while keeping JavaScript disabled (such a feature will probably be included in the next NoScript release).

However, the just released NoScript enhances and generalizes the previously imagefap-specific surrogate, making it effective against a much wider range of web sites: certainly all those hosting AWEmpire's ads, but potentially many, many more.

The noscript.surrogate.popunder.sources about:config preference, listing the URL patterns where this surrogate applies, currently looks like this:

@*.imagefap.com *.moviefap.com imagefap.com moviefap.com *.grayvee.com grayvee.com *.empornium.us empornium.us

In theory, you should add to this list the sites that require JavaScript and spawn pop-unders (are you sure they're worth your whitelist, though?)
However, since running this surrogate does not add more than one millisecond to your page loading and should not have any notable side effect, if you feel adventurous you can change the preference above into


meaning that all unencrypted HTTP web sites will enjoy pop-under immunity. If you experience problems with this setting (especially links which don't react to your clicks even if JavaScript is enabled) and they're fixed by restoring the default, or if you just find a web site where pop-unders survive, please let me know.


After quite extensive testing, this Anti-Pop-under surrogate seems unlikely to break anything. Therefore, NoScript turns it on by default for every unencrypted HTTP web site. If you want, you can tweak it by editing either the noscript.popunder.source or the noscript.popunder.exceptions about:config preferences.
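
How a sources list and an exceptions list combine to decide whether the surrogate runs on a page, as an added example that is not NoScript's own matcher. It assumes a space-separated list in which a leading `@` on the value marks a page-level surrogate, `^...` entries are regular expressions tested against the full URL, `*.host` matches subdomains only and a bare host matches exactly; `surrogateApplies` and the example.* hosts are hypothetical.

```javascript
// Added illustration; pattern semantics below are assumptions, not NoScript code.

// Site list quoted from the post, and the later catch-all default.
const OLD_SOURCES = "@*.imagefap.com *.moviefap.com imagefap.com moviefap.com " +
  "*.grayvee.com grayvee.com *.empornium.us empornium.us";
const NEW_SOURCES = "@^http:";
// Constructed exception list: sites the user wants left untouched.
const SAMPLE_EXCEPTIONS = "example.org *.example.org";

function parsePatterns(pref) {
  // Assumption: a leading "@" flags the whole value as a page-level
  // surrogate and is not part of the first pattern.
  return pref.trim().replace(/^@/, "").split(/\s+/).filter(Boolean).map((p) => {
    if (p.startsWith("^")) return { kind: "regex", re: new RegExp(p) };
    if (p.startsWith("*.")) return { kind: "subdomain", suffix: p.slice(1).toLowerCase() };
    return { kind: "host", host: p.toLowerCase() };
  });
}

function matches(patterns, url) {
  let host;
  try {
    host = new URL(url).hostname.toLowerCase();
  } catch (e) {
    return false; // unparsable URL: never matches
  }
  return patterns.some((p) => {
    if (p.kind === "regex") return p.re.test(url);
    // ".example.org" suffix: matches "a.example.org", not "example.org"
    // and not look-alikes such as "notexample.org".
    if (p.kind === "subdomain") return host.endsWith(p.suffix);
    return host === p.host;
  });
}

// The surrogate runs when a source pattern matches and no exception does.
function surrogateApplies(sourcesPref, exceptionsPref, url) {
  return matches(parsePatterns(sourcesPref), url) &&
    !matches(parsePatterns(exceptionsPref), url);
}
```

With the site list, only the listed hosts are covered; with the catch-all value, every `http:` URL is covered except the exceptions, and `https:` pages are not matched at all.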

15 Responses to “NoScript against Pop-unders”

  1. #1 Jesse Ruderman says:

    Web browsers block pop-unders and pop-ups equally effectively. Pop-unders are just pop-ups followed by a call to re-focus the original window.

    Pop-unders are popular because users see them minutes or hours after triggering them, so they don't know which site to avoid clicking on.

  2. #2 Giorgio says:

    @Jesse Ruderman:

    Pop-unders are not blocked by browsers because they are usually spawned reacting to a click by the user (something you don't want to do with pop-ups because users would hate you even more). This is the discriminating criterion for browsers to recognize a "good" pop-up from a "bad" one, and pop-unders pass the acid test and therefore are not blocked.

  4. #4 Jesse Ruderman says:

    I'd use the terms "onload popup" and "onclick popup" where you use the terms "popup" and "popunder". "Popunder" usually means a popup that isn't given focus, and there isn't that strong a correlation between focus and triggering event.

    That said, thanks for fighting a very annoying form of advertising!

  5. #5 alanjstr says:

    1) How come I need to enable javascript for your domain and not just recaptcha?

    2) Fiddling about in about:config, especially for longer strings, can be a bit more challenging. Is it possible for NS to detect one of these onclick popunders and say "hey, I see that you clicked something and got a popunder. do you want me to block it from now on?" and add it to the list.

    3) Along those lines, I am trying to encourage less technically savvy people to use NoScript, but I want things to be easier for them to get pages to work without being frustrated and allowing globally.

  6. #6 Giorgio says:


    1. You need either to enable both or to disable both. Recaptcha does not like its parent page to have different permissions, not sure why. However I could probably write yet another script surrogate to work-around this :)
    2. Yes, that would be handy. Maybe when/if I package this as a first-class feature, rather than a script surrogate.
    3. I'm constantly trying to make their lives easier (e.g. JavaScript links and combos emulation), but allowing scripts globally, albeit not as safe as the default mode, still provides significant protection against stuff like XSS, cross-zone CSRF (via ABE) and clickjacking.

  8. #8 another.noscript.user says:

    I take it @^http: currently has no value since the protection is on by default? Or do I need to delete this string?

  9. #9 Giorgio says:


    You don't need to change anything: now noscript.surrogate.popunder.sources's default value is ^@http:, meaning that all URLs starting with http: match.

  10. #10 NassimJD says:

    in reply to #9
    so if one would have the line

    @^http:*.imagefap.com *.moviefap.com imagefap.com moviefap.com *.grayvee.com grayvee.com *.empornium.us empornium.us

    in the about:config, would this be limiting popunders to only the listed sites?
    Q2: how can I allow all sites but some sites, sorta like a whitelist?

  11. #11 Giorgio says:

    1. Yes
    2. Reset the noscript.surrogate.popunder.sources preference to its default value of ^http:, and put your "whitelisted" sites in noscript.surrogate.popunder.exceptions.

  12. #12 Handbasket says:

    I arrived at this page after my noscript updated, and it appears that I can ask a question here without registering, and it also appears that folks here know what they're talking about, so I'll ask:

    I can't use about.config in FF.

    I type it, and my browser is directed to here:

    Now, when I searched for days for a solution to the opendns thing, I found a hundred answers that said, "Simply type about.config, and change these particular settings."

    Now you can see why I am utterly stumped. The about.config that I am supposed to use to fix the problem IS the problem.

  13. #13 Psuedo Myht says:


    try about:config

    (note it is a colon and not a period) Good luck!

  14. #14 Handbasket says:

    Psuedo Myht

    I knew I asked at the right place. Thank you.

    Note: This is one of those times where it is shown that I am not really the sharpest tool in the shed, by a longshot.

    I've attempted to figure this out, on and off, for six months, and it never occurred to me that it was a colon, and not a dot.

  15. #15 The third Winston Smith says:

    Another problem to report Google "The Chinese don't have to know about Tiananmen Sq. if we can sell them Light Bulbs, see it isn't evil at all"/DoubleClick team have succeeded in getting past you and ABP - blocking the 1-12 names (flagged as advertisers, and even marked) at the top of every search req. should be simple due to tone of bknd and note that these guys are first 'cuz they advertise How about an option to drop those entries out, along w/everything right of the results list as an option. Second Offender Award goes to Yahoo, paying a lot of freeware to commercialware guys to put a search bar in your browser if you don't catch the left-field request while concentrating on an install. Block any insert into the 'fox. spinning the MAC numbers on home firewalls supplied by fFIOS et. al. at the push of a browser button would be a fine system, including an auto-reset for incoming OP3 mail and BOINC charity work or any other requested input - along with determining what info each watcher steals the moment you visit an innocuous web site unless you are making a legit purchase could prove interesting, esp. now that Google can probably choose and financ would be a lot of fun too. Time to add a few more teeth to the best info blocker in the world!
    Well, here comes a chopper, and I think I hear rats
