Hacker News new | past | comments | ask | show | jobs | submit login

Why would anyone ever want a pop-under for any reason? I would be satisfied with a solution that turned any pop-under into a pop-up.



That's actually an interesting point. I wonder how many sites would be broken by disabling methods that shift window focus, like Window.focus() and Window.blur()? Probably not many...


Every bank website I've used so far does forced pop ups, as well as websites that want you to authenticate yourself using some other service (such as Google, or Facebook.)


Pop ups are reasonable. The pop unders are what google is saying are user unfriendly.


They might be, but the person I was replying to wanted to disable all methods that shift window focus. It won't work, at least as of right now.


When a window is created (with Window.open, or from a link with target="_blank"), it implicitly gets focus. That part wouldn't change.


> Every bank website I've used so far does forced pop ups

But why do they do this? I have yet to have someone give me a good explanation.


It's done to escape from iFrame jail attempts. Rogue site loads bank site in iFrame, end user types in their password...


Browsers are not supposed to let javascript access the DOM or events in a cross-___domain iframe, is that not correct?


Correct, but it's still possible for the parent page to overlay invisible textboxes and buttons in order to capture input.


Wow, what a tire fire the web has turned out to be.

Can we just throw the whole thing out and start over? I miss the 90s...


Why not implement a good 2FA then to avoid the problem entirely? The way I see it if someone can steal your bank login details using iframes as a weapon then the bank is doing something wrong. Banning pop-ups entirely would force the banks to shape up


Isn't it easier to set X-Frame-Options to deny or sameorigin?


Yes, absolutely. But that didn't work on some older browsers (like MSIE7 and earlier), so some sites settled on weird "solutions" like this one...


No idea. It just gets caught by the pop-up blocker for me. I end up just copy-pasting the URL over into a new tab, somehow.


When it comes to web software at banks, there's rarely a good reason "why". They build some of the worst garbage you can find.


A lot of times you see self-closing popunders, which are almost always just poor design, but you might break a lot of old websites if you block pop unders.




Consider applying for YC's Summer 2025 batch! Applications are open till May 13

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: