The Web Platform offers a great deal of power, and unfortunately evil websites go to great lengths to abuse it. One of the weakest (but simplest to implement) protections against such abuse is to block actions that were not preceded by a “User Gesture.” Such gestures (sometimes more precisely called User Activations) include a variety of simple actions, from clicking the mouse to typing a key, each interpreted as “The user tried to do something in this web content.”
A single user gesture can unlock any of a surprisingly wide array of privileged (“gated”) actions:
- Allow a popup window to open
- Allow an Application Protocol to be invoked
- Allow an OnBeforeUnload dialog box to show
- Allow the Vibration API to vibrate the device
- Allow script to take the window fullscreen
- Allow the page to prompt the user for a file to upload
- Impact the behavior of file downloads (e.g. prompting)
- …and many more…
So, when you see a site show a UI like this:
…chances are good that what they’re really trying to do is trick you into performing a gesture (mouse click) so they can perform a privileged action: in this case, opening a popup ad in a new tab.
Some gestures are considered “consumable”, meaning that a single user action allows only one privileged action; subsequent privileged actions require another gesture. Web Developers do not have unlimited time to consume the action: In Chrome, when you click in a web page, the browser considers this “User Activation” valid for five seconds (as of February 2019) before it expires. Here’s a simple test.
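The consumable, time-limited behavior described above can be modeled as a small state machine. This is an added example, not browser source code or code from the original post: the `ActivationGate` class, the `replay` helper and the sample timeline are hypothetical, and the behavior exactly at the five-second boundary is an assumption.

```javascript
// Simplified model of a consumable user activation (illustration only).
// Lifetime taken from the text: Chrome treated a gesture as valid for five seconds.
const ACTIVATION_LIFETIME_MS = 5000;

class ActivationGate {
  constructor() {
    this.lastGestureAt = null; // time (ms) of the most recent gesture, if any
    this.consumed = false;     // true once a gated action has used that gesture
  }

  // Called for each click or key press inside the page; re-arms the gate.
  recordGesture(now) {
    this.lastGestureAt = now;
    this.consumed = false;
  }

  // Decide whether a gated action (e.g. opening a popup) may proceed at `now`.
  request(action, now) {
    let reason = "ok";
    if (this.lastGestureAt === null) reason = "no-gesture";
    else if (now - this.lastGestureAt > ACTIVATION_LIFETIME_MS) reason = "expired";
    else if (this.consumed) reason = "consumed";
    else this.consumed = true; // one gesture unlocks exactly one gated action
    return { action, allowed: reason === "ok", reason };
  }
}

// Replay a timeline of page events and return the decision for every request.
function replay(timeline) {
  const gate = new ActivationGate();
  const decisions = [];
  for (const ev of timeline) {
    if (ev.type === "gesture") gate.recordGesture(ev.t);
    else decisions.push({ t: ev.t, ...gate.request(ev.action, ev.t) });
  }
  return decisions;
}

// Constructed sample timeline (times in milliseconds since page load).
const SAMPLE_TIMELINE = [
  { t: 0,     type: "request", action: "popup" }, // on load, before any click
  { t: 1000,  type: "gesture" },                  // user clicks
  { t: 1200,  type: "request", action: "popup" }, // first popup from that click
  { t: 1300,  type: "request", action: "popup" }, // second popup, same click
  { t: 9000,  type: "gesture" },                  // user clicks again
  { t: 14500, type: "request", action: "popup" }, // 5.5 s later, activation is stale
];

console.log(replay(SAMPLE_TIMELINE));
```

The last entry is the case legitimate developers hit most often: a popup requested only after slow asynchronous work finishes is treated the same as one requested with no click at all.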