Just when you thought it was safe to aimlessly wander the web... I got a couple of emails from alert users who were assaulted by a new, more virulent type of popunder ad. Although PithHelmet let these ads through, this new mutant isn't all that clever.
After a couple of hours, I devised a pretty simple fix to the problem. Here's a breakdown of the problem and the solution.
Most popup blockers (including Safari's) work by intercepting new window requests and cancelling those that were not triggered by an actual user click in the browser. This is pretty effective. The new popunders work by exploiting the "onclick" event of standard links. Basically, you click a link that has a normal URL specified, but in addition to your browser being directed to a potentially useful URL, a little bit of JavaScript fires off and opens up a new window as well. Technically, you clicked, so the window open action is kosher by the browser's standards.
So here's where it gets interesting. Usually, a link either executes some JavaScript, or it specifies a location for the browser directly. It's pretty rare that you would want to set both an onclick and an href. It's fairly common practice to set the location as "#" if you are using a JavaScript onclick event for something meaningful (this prevents potentially strange things from appearing in the browser's status bar).
So, I make an assumption - if you specify an onclick event and an href that is anything other than "#", I'll assume you are doing something shady. I'll kill the "onclick" event in that case, and set the title on the link to tell the user that PithHelmet has modified this link. It is possible that there are legitimate uses for this type of setting, so as with all things, you can turn it on/off for any site.
But wait, that was too easy. Indeed it was. Some sites are a little bit more clever - to the point of profound inconvenience. They set a timed JavaScript event to periodically check that their popunder links are still active, and if not, it rewrites them. This is merely an additional annoyance rather than anything truly clever. There are minimal uses for timed events (possibly Gmail uses one to periodically check your mail, I'm just speculating here). So, what if we kill all the timed events? Sounds good. We'll actually catch some annoying "popover" ads too (two mangos with one stone, as a good friend would say). More importantly, these cause Safari to absolutely chew CPU (70-90% CPU utilization in some cases), so killing them off gives you back your CPU as well (sounds more like three mangos, actually). So, we kill timed events, rewrite the nefarious links and we are off to the races.
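The two rules described above (strip the onclick from any link whose href is not "#", and kill timed events so the page cannot rewrite the links back) sketched in JavaScript as an added example. This is not PithHelmet's code: `sanitizeLink`, `sanitizeLinks`, `killTimers` and `fakeLink` are hypothetical names, and `fakeLink` is a constructed stand-in for an anchor element so the sketch runs outside a browser.

```javascript
// Constructed stand-in for an <a> element (assumption: only these four methods are needed).
function fakeLink(attrs) {
  const a = { ...attrs };
  return {
    getAttribute: (k) => (k in a ? a[k] : null),
    hasAttribute: (k) => k in a,
    setAttribute: (k, v) => { a[k] = String(v); },
    removeAttribute: (k) => { delete a[k]; },
  };
}

// Rule 1: an onclick plus an href other than "#" is treated as a popunder carrier.
// Drop the handler, keep the navigation, and tell the user via the title.
function sanitizeLink(a) {
  const href = a.getAttribute("href");
  if (href === null || href.trim() === "#") return false; // no href, or the "#" idiom
  const hasHandler = a.hasAttribute("onclick") || typeof a.onclick === "function";
  if (!hasHandler) return false;
  a.removeAttribute("onclick");
  a.onclick = null; // also clears a handler assigned as a property
  a.setAttribute("title", "Link modified: onclick handler removed");
  return true;
}

// Per-site switch, since some sites use this pattern legitimately.
function sanitizeLinks(links, enabledForSite = true) {
  if (!enabledForSite) return 0;
  let rewritten = 0;
  for (const a of links) if (sanitizeLink(a)) rewritten++;
  return rewritten;
}

// Rule 2: replace the timer entry points with no-ops so the page cannot
// periodically re-arm its links. Must be installed before page scripts run.
function killTimers(win) {
  const blocked = [];
  win.setTimeout = win.setInterval = (fn, delay) => { blocked.push(delay); return 0; };
  return blocked;
}

function demo() { // constructed sample links and window object
  const links = [
    fakeLink({ href: "http://example.com/story", onclick: "window.open('http://ads.example/')" }),
    fakeLink({ href: "#", onclick: "toggleMenu()" }),
    fakeLink({ href: "http://example.com/about" }),
  ];
  const win = {};
  const blocked = killTimers(win);
  win.setInterval(() => {}, 500); // the page's periodic link check never gets scheduled
  return { rewritten: sanitizeLinks(links), links, blocked };
}
```

In a browser the same functions would be called as `sanitizeLinks(document.links)` and `killTimers(window)`; handlers attached with `addEventListener` are not covered by this sketch.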
Now, where is all this good stuff? Well, it will be in the next release of PithHelmet. Now, when will that be? Hopefully soon.
PithHelmet takes a long time to modify these days. There are 6 translations now, and each time something involves a seemingly insignificant UI change, I have to do it in 6 languages. That's not even taking into account additional translation time, and the fact that all the translators are volunteers with busy schedules of their own.
Couldn't I release an English only edition more quickly? Sure. In fact, I might try that. Too bad I'm not fluent in a dozen languages...






