No more chromeless popup windows

Browser Makers Band Together Against Phishers: the makers of Firefox, Internet Explorer, Opera, and Konqueror have agreed to implement a common set of security features in their browsers. One feature is tinting the address bar green and displaying a padlock icon when you visit a site that has a “highly-assured” digital certificate. Visiting a suspicious site will instead turn the address bar red.

Similar features have already been implemented in several browsers, so that isn’t really anything new. However, a more interesting feature the browser makers have agreed on is preventing chromeless popup windows. Browsers will put an address bar in every browser window to prevent sites from mimicking system dialog boxes. Excellent.
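As an added illustration (not code from this post or from any browser): a small JavaScript model of how the features string passed to `window.open()` asks for a chromeless window, and how a user-side lock on the address bar overrides that request. The parsing rules are a simplified version of legacy browser behaviour, and the function names are hypothetical.

```javascript
// Added example, not browser source. Assumption: legacy parsing rules, where
// an empty features string means full chrome, and once any feature is
// listed, every unlisted chrome element defaults to off.
const CHROME_FEATURES = ["location", "toolbar", "menubar", "status", "scrollbars", "resizable"];

// Turn "toolbar=no,location=no" into { toolbar: false, location: false }.
function parseFeatures(features) {
  const requested = {};
  for (const token of String(features || "").split(",")) {
    const [rawName, rawValue] = token.split("=");
    const name = rawName.trim().toLowerCase();
    if (!name) continue;
    // A bare name ("location") counts as "yes".
    const value = (rawValue === undefined ? "yes" : rawValue).trim().toLowerCase();
    requested[name] = value === "yes" || value === "1" || value === "true";
  }
  return requested;
}

// lockedOn: chrome elements the user refuses to let pages hide, e.g. the
// effect of setting Firefox's dom.disable_window_open_feature.location to true.
function resolveChrome(features, lockedOn = []) {
  const requested = parseFeatures(features);
  const anyListed = Object.keys(requested).length > 0;
  const result = {};
  for (const name of CHROME_FEATURES) {
    const pageWants = anyListed ? requested[name] === true : true;
    result[name] = pageWants || lockedOn.includes(name);
  }
  return result;
}

// Flags the case the agreement targets: a popup with no address bar.
function hidesAddressBar(features, lockedOn = []) {
  return !resolveChrome(features, lockedOn).location;
}

// Constructed sample: a features string typical of dialog look-alike popups.
const sample = "width=400,height=200,toolbar=no,location=no,status=no";
console.log("page-controlled:", hidesAddressBar(sample));
console.log("address bar locked on:", hidesAddressBar(sample, ["location"]));
```

Running `hidesAddressBar` over the features strings in a site's own `window.open()` calls shows which popups would change appearance once browsers enforce the address bar.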

I would also like to see some kind of warning or message displayed in windows opened by links with a target attribute. Maybe that would make some site owners think twice before forcing links to open in new windows, and help users keep track of which browser window is the original one.

Posted on November 26, 2005 in Browsers, Quicklinks

Comments

  1. I thought it was just annoying - I never really considered the security implications of chromeless popups.

    nothing worse than a popup taking you to a site where the content spills out longer than the fixed size window with no scroll bars :sheesh:

  2. Chromeless popups should never have been allowed to begin with and I’m glad to see it finally being set right.

    Now I would really like to be able to disable target=”_new” entirely.

    Since I use Safari (true on any browser with tabs) I’ve gotten in the habit of just holding down command when clicking a link to avoid new windows, but that doesn’t solve the usability problem of a new window breaking the browse history. For that I’d need to drag every single link up to the address bar to open in the same tab and preserve my history. All that hassle for sites that want to be jerks and decide they want to break my back button!

    Oh and sites that resize my browser window! I’d love to stop that too.

  3. Nice to see browser makers working together for a change. :)

  4. November 26, 2005 by gerben

    Now I would really like to be able to disable target=”_new” entirely.

    …except when the page is in a frameset.

    Just a sidenote. It is sometimes nice to have a separate history. When for example you’ve just watched some slideshow with 30 images, you don’t want to click the back 30 times.

  5. Perhaps this is relevant, perhaps not, but I was trying to bring IMDB up today and the browser (Firefox WinXP) was spinning, stuck on a blank white page and the taskbar indicated the following:

    “loading servedby.advertising.com…”

    But the page stopped loading. When it did load, a chromeless ad appeared and then the browser crashed.

    I’d be thrilled if browser makers gave me absolute and complete control over things like browser resizing, new windows, browser history.

  6. This doesn’t solve the other problem, of course: that of floating adverts that look like dialog boxes which still trick some users into clicking them, no matter how much you train them to spot them.

    It’s a good start though.

  7. You can get out of a frameset with target=”top”, “new” is the only one that is used maliciously.

    As for the separate history, I agree it’s nice sometimes and open galleries in new tabs for just that reason, but I can opt into that whenever I want, and sites often open a gallery in a javascript popup anyway to control the size of the new window, but that small number of cases (which I can launch anytime I want anyway) doesn’t mean I shouldn’t have the choice not to have site owners muck with my history whenever they want.

  8. Firefox has had this ability for a very long time with the pref dom.disable_window_open_feature.location. Change it to true and all windows will have a location bar. There are also other similar prefs to control various popup window properties. Personally, however, I prefer to completely and unconditionally block all popup windows and have them open in the current tab instead.

  9. It is sometimes nice to have a separate history. When for example you’ve just watched some slideshow with 30 images, you don’t want to click the back 30 times.

    That’s why Opera has “Rewind” and “Forward” buttons.

    As for chromeless windows, Opera always (well, at least since v5.12, when I started using it) had the ability to display or hide address bar by pressing .

    And since v8 shows a little stripe under title of the pop-up showing the origin of the window and if it is secure.

    For me, it would be nice to be able to turn off this “address bar always visible in chromeless windows” feature. I really do not click on pop-ups. I mean, at all.

  10. I think the warning on links with target would only end up incriminating perfectly legitimate sites.

  11. This seems like a good step forward but I will reserve judgement until I see more on how it’s going to be implemented…

    As a side note, I noticed a few people mentioned having problems with ad sites. All you have to do to correct it is to identify those sites that are using less than honest methods and add:

    “127.0.0.1 [badadsite.com]”

    into your hosts file. I don’t have a problem with people making money via ads on their site but when their ads start hijacking my browser it’s time to take a stand.

  12. November 27, 2005 by Roger Johansson (Author comment)

    Wesley:

    I think the warning on links with target would only end up incriminating perfectly legitimate sites.

    Many legitimate sites open links in new windows, that is true. Doing so is still annoying, confusing, and generally bad usability and accessibility. I think it’s fair to warn users and at the very least give them a choice.

  13. Browsers will put an address bar in every browser window to prevent sites from mimicking system dialog boxes. Excellent.

    Chromeless windows should be killed and I agree that it’s good to have an address bar in every browser window on websites.

    But what about the increasing number of web applications? Pop up windows are used a lot and an address bar in these windows will actually be bad usability and take up unnecessary screen real estate.

    So my question is - will this only affect chromeless windows or will this affect windows in general? And could there be some “work-around” like users allowing this on certain sites (like you can allow pop-ups on certain sites)?

    Cheers, Niels…

  14. Though this agreement is surely a good move towards standardization, the colour choice for discriminating a trusted site (green) from a suspicious one (red) is at least questionable.
    Indeed, regarding colourblind people, and particularly for protanopians which are the majority of them, these colours are simply undistinguishable :-(
    A safer choice might have been, for instance, displaying the address in inverse video, or whatever.
    Hope this will change,
    JJS

  15. November 27, 2005 by Roger Johansson (Author comment)

    Hartvig: You definitely have a point, but I think it will be difficult to allow some applications to be chromeless without that feature being exploited. I think users allowing it by site could work, but I also think that developers of web applications need to accept that their applications are in the hands of the user and account for the possibility of window chrome.

    missito: I thought about that too. For the trusted sites browsers will also display a padlock icon, which should help. Not sure if there will be an icon or other means than just the colour for suspicious sites though. If not, that should definitely be taken into account since you should not rely on colour alone for important information.

  16. Would it be feasible for the mouse icon to give an idea of the type of link you’re about to open whilst you hover over the link?

    Perhaps this is already done in other browsers, and it’s probably a simple thing for someone to write a Firefox extension to do just that (have to admit I haven’t looked to see if one is already available).

    Or would this just add to the confusion to the average surfer?

  17. I have absolutely no trouble with window chrome, my only concern is the addressbar in all windows. But I guess that’s better than people being fraud :)

  18. November 27, 2005 by Masklinn

    Chromeless popups should never have been allowed to begin with and I’m glad to see it finally being set right.

    Now I would really like to be able to disable target=”_new” entirely.

    Well, in Firefox you can sort-of disable target=”_new” (have it merely open tabs instead of windows “out of the box”, and fully disable it with extensions such as TabMix Plus, ditto for window.open JS scripts)

    On top of that, Firefox Advanced Javascript Settings give you the ability to disable every Chrome modification of the browser window via Javascript (raise/hide windows, remove status, tool or address bars, …)

  19. Nice to hear this, although I find it mildly ironic that two of the Google adverts just above your post are for “Pop Up Windows” and “Unstoppable Popups” :0)

  20. Personally, I like having links open in new windows. I’d rather close a window than search in the back button menu for the page I started from. But generally I open links in new tabs now.

  21. As a developer of web applications, I am definitely against requiring an address bar in every window. It takes away extra screen space that could be used for custom controls. Requiring an address bar on every window would also give curious users more opportunity to change the url manually to get to places they’re only supposed to get to through clicking somewhere else.

    I think if it’s an option in the browser, that’s fine, but requiring it? No way. That takes away customizability. Especially for trusted sites.

  22. November 29, 2005 by Roger Johansson (Author comment)

    Rob: Changing the cursor is not a bad idea, but it would only provide feedback to those who use a mouse (or a trackpad or some other pointing device). The feedback should be device independent.

    Chris: Yup, the ads can be a bit ironic sometimes ;-).

    davyG: If you like new windows, you can choose to open links in new windows :-).

    Brandon: As long as there is no way for a site to remove the address bar without the user’s permission, I’m OK with it being an option.

  23. December 1, 2005 by Bob Joe

    What if you want to protect your page’s web address so people can’t download the page? Having an address bar would actually help people break site security!

  24. December 2, 2005 by Marc Luzietti

    I agree it’s a necessary security feature for the web, but with AJAX now enabling us to create web apps that mimic desktop apps, this will be a bit of a pain. I’d like to see chromelessness be available for intranets.

  25. June 1, 2006 by jn

    I think it is just nonsense…
    About the only place where u can find tricks, that require security precautions like described above are porn sites.
    It is generally known that to visit these sites is asking for browser hijacks and other trash on ur windows.
    When u just avoid these sites, that give all the same content anyway, you have about no problems with chromeless popups, or pages that are opened in new windows.
    As a professional webdesigner, I start to get really tired of people that ask for the technically best and fastest websites, but at the same time make life for a webbuilder impossible, because they are afraid for what they don’t even know.
    It makes not any difference whether a window is opened chromeless or not.
    If u see a dialog window that shouldn’t be there, just close it using Alt+F4, instead of clicking it.
