Skip Navigation

Popup blockers… foiled

Watching a little of the ol’ Strong Bad Email today I noticed something a little wacky… a popup. Nothing particularly insidious, mind, just a popup. Hey, aren’t we supposed to have popup blockers these days?

Homestar’s cheerful visage taunts me from his popup window

Well yeah, we do; in most browsers, too. Even the mostly–prehistoric Internet Explorer 6 for Windows has gained popup blocking as of XP Service Pack 2, but this was different; this popup wasn’t spawned by any of the conventional methods we’ve learned to detect and block, this was born of Flash. The ActionScript embedded in the Flash movie, innocent as it was, had absolutely no trouble bypassing the blockers because —guess what— unlike all those handy dandy JavaScript popups infesting the web, the browser can’t read the ActionScript. It’s all neatly packaged in an almost entirely opaque file format!

And while it’s true that it’s not impossible to reverse engineer a swf file, muck about for a potentially offensive piece of ActionScript, then block the script, I think everyone can agree that it’s hardly worth the browser developers’ time and effort to chase a moving target like that… yet. I also think you can tell what we’re dealing with here, and why I’m so concerned.

If the asshats of the web (you know, those people that employ pop–up and pop–under advertising as a means to really shove their marketing message in your face… the “legitimate spammers”) figure out that Macromedia Flash has a market–saturating 98% browser penetration and (with very, very little effort) gives them back their precious popups whilst stripping their on–page code from a multi–kilobyte chunk of JavaScript to this:

<object type="application/x-shockwave-flash" data="popit.swf" width="1" height="1">
<param name="popit" value="popit.swf" />

We could be in some serious shit.