Menu
1. What exactly is the security risk with popups?
The new browsers provide settings to block window popups (on blocking, sites with active popups display a message to user). What exactly is the security risk with popups? If allowing popups can execute something dangerous, then the main window can too. Is it not the case. I think I don't know about some special powers of window popups.
2. Any special features of popup windows?
Take for example the HDFC bank netbanking site. The entire netbanking session happens in a new window popup and a user neither manually edit the URL or paste the URL in the main browser window. it does not work. Is a popup window needed for this feature? Does it improve security? (Asking because everything that is there in this site revolves around security - so they must have done that for a reason too). Why otherwise they would implement the entire netbanking on a popup window?
3. Is it possible to override browser's popup blocking settings
Lastly, the HDFC site succcessfully displays popup window even when in the browser settings popups are blocked. So, how do they do it? Is that a browser hack?
To see this -
You can verify that even if popups are blocked/popup blocker is enabled in the browser settings, this site is able to display popups.
The answers to this question say that it is not possible to display popup windows if it has been blocked in browser settings.
Solved
Concluded with Pointy's solution and comments under that:
<a onclick="displayPopup();" href="#">
Click here for a popup - this will appear even if popups are blocked in browser settings.
</a>
Here is a fiddle demonstrating the same.
247
brows - er pop-up Is a type of browser window that opens without any user request. Browser pop-ups are often spawned by websites that use pop-up advertising. The pop-up is a displayed window that shows advertisements and can appear behind or in front of the main browser window.
Malware Pop-ups OnGuard Online.gov urges people not to purchase a security program that you might see in an offer that a pop-up window displays. The program that you purchase may be useless or it may contain malware. You should also be careful when you download software from sources you do not trust.
1. Showing a popup before the main page content loads: Regardless of the variation used, never show a popup before users can glean value from your website or application. This trend is highly intrusive because the users' task is interrupted before they even land on the page.
The "security" risks from popup windows are:
Popup windows are a notable "phishing" technique. Hostile sites can use popups to convince users that an important message from a trusted site has been delivered, and trick those people into clicking through to some malware URL (or perhaps even just the click itself might exploit a bug). Yes, the main page of the site could do that too, but a well-crafted popup can distract the user and may not be directly associated with the hostile main page.
Popups were exploited by many unsavory sites as a way to "trap" users and to essentially force ad impressions, etc. In this respect, the security aspect of the problem really is the security of the user's control over their own computer and their browsing desires.
Modern browsers will allow popups when they're launched from an event loop triggered by an explicit user action. Thus, it's perfectly OK (ignoring web design best practices) to open up something like a "Help" section for your website in a separate window if that happens when the user clicks a "Help Me!" button. Also, it's become quite common for sites to use in-page "pseudo windows" to jam content in front of hapless visitors, and browsers really can't do anything to stop that.
edit — as to your other points:
Why do sites put their "web applications" like banking into separate pop-up windows?
I think that most sites that use separate browser windows (banks, insurance companies, and other financial institutions seem to really love this) probably do it so that they can try to control the browser "surround" of their application. In particular, they seem to like the idea of getting rid of the "Back" button as a way to simplify their designs. A browser window is a browser window, however, and a window created with window.open() isn't really much different from any other browser window.
Can popup blocker settings be overridden?
No. That HDFC bank example is a good one. Their popup window comes up only when you click on the "Login" button. Because that "click" is an explicit user-initiated action (unlike, say, page load), the browser will allow a popup window. That'll be true for any site; the bank doesn't have to do anything special for that to work. You can generally do popups from "click" event handlers, but you cannot launch a popup from something like a state change handler from an XHR.
200
I believe the problem is that popups are often used for advertisements, and they annoy the user. You should avoid popups where you can, because of problems with popup blockers. Myself I have never heard of any actual security risk specifically related to popups
22
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
