A laptop displays a webpage covered up in pop-overs.🅭

The web is overrun by pop-ups and blockers haven’t worked in years

Virtually all web browsers have a built-in feature to suppress an annoyance from the early days of the web: pop-ups. However, the pop-up blockers of yesteryear no longer work on today’s web. There are pop-ups everywhere gating our entry into virtually all websites. What happened to the pop-up blocker?

To answer the leading question right away: nothing happened to the pop-up blocker. It still works mostly unchanged from how it worked over a decade ago. That’s also the problem; the pop-ups have changed but the pop-up blockers haven’t kept pace with the problem.

Just about every website you visit will display a pop-up for a time-limited coupon, email newsletter sign-up, customer support chat window, interstitial advertising, cookie disclaimer, or an intentionally confusing privacy-violation consent dialog. You’re lucky if the website only shows you one of these at the same time instead of all stacked on top of each other.

Modern pop-ups aren’t separate pop-up windows, though. They’re not opened through the — easily blocked — window.open() function in JavaScript. Traditional pop-up blockers work by imposing restrictions on how and when this function can be used.

The modern-day pop-overs covers up the page using a much more diverse and complex array of different layout and scripting functions. Instead, they’re overlays or pop-overs that are a part of the main website window you visit. It’s no longer enough to just impose restrictions on calls to a single function.

Interstitial dialogs blocking your view of a page is now the expectation when visiting a webpage. While these web pop-ups have become endemic, this isn’t an abuse of Web APIs: they’re all working as intended. It’s still an abuse of the time and attention of the web’s millions of end-users.

Pop-overs have their use, but it’s not in response to a pages being loaded. The timing is completely misaligned with people’s wants and needs. Who in their right mind decides “oh, I want to sign-up for this site’s newsletter!” before they’ve had a chance to browse or read a single article? Pop-overs still have their use, but only as contextual responses to user-initiated actions such as clicking or form submissions.

The most popular use for modal dialogs on the web today is the “consent dialog”. “We care about your privacy”, lie most websites in their visitors’ faces, “but we need you show you this confusing dialog for you to ‘consent’ to us violating it.” The dialogs are designed to make you blindly agree to blanket data-sharing agreements with advertisers, data-brokers, and other third-parties.

There’s no law anywhere that says websites must show their visitors these awful dialogs. The most popular of these pop-over “consent” dialogs have even been found to be unlawful.

The General Data Protection Regulation (GDPR) specifically requires that […] the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided. Showing these dialogs when all you want to do is to read an article is unnecessarily disruptive.

The dialogs are intentially badly designed and their repetition make you numb to the dialog’s purpose and message. How many of these dreadful things do you see every month? The instinct is to either close the page or click the biggest and brightest button.

Keep in mind that the default under the GDPR and its sibling, the e-Privacy Directive, no consent to data-sharing and no persistent cookies. “Cookies” in this context means any means storing of persistent data or identifiers on the user’s device. It doesn’t literally only apply to the Cookie API. Ephemeral/session cookies in response to explicit actions, e.g. remembering the contents of your shopping cart or login, are allowed. You don’t need to opt-out, which is why websites are desperate to fool you into opting in. The GDPR makes this perfectly clear: Silence, pre-ticked boxes[,] or inactivity should not therefore constitute consent.

No harm will come to the end-user or their privacy from blocking cookie, consent, or email dialogs. To seal the deal, the GDPR specifically forbids “consent walls” — the denial of service to users who doesn’t agree to data sharing. No one wants them! They’re a plague ravaging the open web.

The technical challenge in blocking modern pop-ups is bigger than the pop-ups of the past decades. However, it’s long overdue that web browsers step up and act to protect their users’ interests. Pop-ups, pop-overs, interstitials, modal dialogs, whatever you want to call them! It’s time to ban them from the web again! At least immediately after a page load.