Pop-ups and pop-unders
Kills the hijack, keeps the login.
A MAIN-world guard wraps window.open and blocks the abusive pattern streaming and file-host sites rely on, while letting the pop-ups you actually asked for through. Blocked calls get a decoy window so the page does not keep retrying.
Real windows follow a real click.
An abusive pop-up fires without a genuine gesture, or from a cross-origin script reacting to a click on dead space. A legitimate one follows the button you pressed. The guard uses that difference, so the login window opens and the pop-under flood does not.
See the content-script model →Defused
- Cross-origin opens from clicking dead space
- Windows opened without a real gesture
- Pop-under floods and rapid re-opens
- Windows fired from inside a player iframe
Allowed
- OAuth and single sign-on windows
- Share sheets you clicked
- Genuine new tabs from real links
A decoy window, so the page gives up.
When a call is blocked, the guard hands back a harmless decoy window object. The page thinks it succeeded and stops hammering window.open, so you do not get a second wave a moment later.
Runs in the page
The guard installs at document_start in the MAIN world, so it wraps window.open before the site’s own scripts can call it.
Covers iframes
It applies inside nested frames and about:blank documents too, which is where player and file-host pop-unders usually fire from.
Never blocks you
Anything tied to a real click you made passes straight through, so sign-in and share flows keep working.
The other layers
All features →Get it
Runs on Chrome and Firefox.
One codebase, a browser-specific Manifest V3 build. Add it to your browser and browse like the ads were never there.
Get the occasional update.
One short email when there is something worth knowing: new blocking, notable fixes, and big releases. No spam, unsubscribe anytime.