In a move to fight spam and improve the health of the web, Firefox will hide those annoying notification popups by default starting next year, with the release of Firefox 72, in January 2020, ZDNet has learned from a Mozilla engineer.
The move comes after Mozilla ran an experiment back in April this year to see how users interacted with notifications, and also looked at different ways of blocking notifications from being too intrusive.
Usage stats showed that the vast majority (97%) of Firefox users dismissed notifications, or chose to block a website from showing notifications at all.
As a result, Mozilla engineers have decided to hide the notification popup that drops down from Firefox’s URL bar, starting with Firefox 72.
If a website shows a notification, the popup will be hidden by default, and an icon added to the URL bar instead. Firefox will then animate the icon using a wiggle effect to let the user know there’s a notification subscription popup available, but the popup won’t be displayed until the user clicks the icon. We’ve recorded a GIF of this new routine, here.
Firefox Nightly versions already come with this notification popup blocker active, but the stable Firefox branch is scheduled to get it next January.
The Notification API, and how it all went south
Notification popups were added to modern browsers in Chrome 22 (September 2012) and Firefox 22 (June 2013), with the addition of the Notifications API.
Their initial purpose was to allow websites to display notifications, and alert users of new content, after users closed a website’s tab.
For example, you subscribed to Slack notifications, have a conversation, and close the Slack browser tab. The Notifications API allowed websites to show a popup when you received a new message, or there was new content available in your (now-closed) Slack tab.
News sites, such as ZDNet, also use notifications to alert users when new articles are out. Social networks and instant messaging clients use it to show alerts for trending topics or new messages.
The feature has its use cases, and can be extremely useful, but only when used by legitimate organizations.
Fraudsters and spammers love notifications
But over the past few years, unscrupulous groups have realized that the Notifications API provides an ideal method of pushing spam to users, even after users left the malicious site.
Cybercrime groups have been luring users on random sites, and showing notification popups. If users accidentally clicked on the wrong button and subscribed to one of these shady sites, then they’d be pestered with all sorts of nasty popups.
Malicious threat actors have been seen using notifications (also known as subscription spam) to push links to shady products, links to malware downloads, or run-of-the-mill pill or Viagra spam [1, 2].
“Notification spam is quite common, especially via certain types of publishers and malvertising in general,” Jérôme Segura, malware analyst at Malwarebytes, told ZDNet in an interview today.
“Since most browsers can block ad popups or popunders, push notifications have been greatly abused,” Segura added. “In fact, I even question the merits of such a ‘feature’ in the first place or at least some serious oversight in how it could be implemented.
“Years ago, people would come to you about annoying ad notifications popping up on their machine, and that was usually due to adware programs [installed locally]. But these days, I would say this has been largely replaced by notification spam, which is very easy to fall for with some basic social engineering,” he added.
“In comparison to cleaning up an infected machine, it’s actually much easier to remove already allowed notifications, but most people just don’t know how,” Segura said.
And browser makers, too, have realized that the feature can be quite annoying, and downright dangerous. In recent years, most browsers have added settings to block websites from showing notifications.
However, Mozilla is the first browser vendor to block notification popups by default.
“I think Mozilla’s decision is good for the health of the web,” Segura told ZDNet.
You can unsubscribe from receiving notifications from sites via any browser’s settings section. Most browsers support a search feature in the settings section. Users can use it to search for the “notifications” options and block or unsubscribe from the shady sites.