The Slack notification pinged at 11:47 PM.
Jenna rubbed her eyes. She was the sole keeper of “Hermes,” Safari’s content-blocking engine. For three years, it had been flawless. But tonight, the web had learned a new trick.
She spent the next two hours building an exception—a trusted origin list for authentication providers. It felt like a treaty. A necessary compromise. By 9:00 AM, the build was green. She wrote the commit message: Gatekeeper v2: Implements time-decaying user activation tokens. Blocks synthetic gesture chains. Preserves OAuth flow via trusted origin allowlist. Closes #9074 (the pop-under casino apocalypse). She closed her laptop.
She opened her MacBook Pro. The screen glowed. On her external monitor, a test VM of macOS was running. It looked like a seizure.
But for now, on this Mac, the pop-ups stayed dead.
By 4:00 AM, she had the prototype. She called it .
At 2:15 AM, she found the exploit. A JavaScript function called bypassBlocker() buried in a supply-side ad kit. It worked by creating a null event loop—a split-second gap where the browser thought the user’s interaction was still in progress, even after the user had moved on.