Web Site "Lock-In"

Danborg writes "There's a great article over at ZDNet about annoying web sites that lock surfers inside a web site once they arrive. This practice, started by porno site operators, appears to have gone mainstream. Formerly respectable corporate sites like Home Depot now lock you in, disabling the use of the "Back" button. Fortunately, Top9.Com has generated a list of the offending sites. Is it a legitimate marketing technique? Or a highly annoying example of poor web site design?" I run into this dozens of times a day while reading story submissions. It never ceases to amaze me (but then again, old versions of Slashdot did the same thing, so who am I to judge?)

Javascript

[Eponymous,+Showered]

Since all this whack-a-mole stuff is javascript-based, it would cool to have a feature to disable javascript by URL/domain. In fact didn't I hear that Mozilla may have that feature?

Re:Javascript

[Jaborandy]

You may be dismayed to learn that this is a feature of Internet Explorer. With Security Zones, you can set any url or domain to be in a particular zone, and have javascript either on or off in that zone. I use this method to tame cookies. My "trusted" zone is set to be much like medium-high security, except I get to approve all cookie dropping. Other zones do not even prompt me, they are just denied. When I see a legitimate use for a cookie, I "trust" that site to prompt me. The configurability of this system lets you do a lot to make your system more secure than the default.

--Sandy

Re:Javascript

[Eponymous,+Showered]

Folks, none of the sites on Top9 were Javascript whack-a-mole stuff like the header of this article implies. They're all just pages that use a 0 second redirect. I've even had to do this on sites I've built - not for the effect of locking people in, but to jump database instances in the case of the Oracle Application Server (web server). Now, these other sites may have an ulterior motive, but a 0 second refresh is much lesss onerous, IMO, than javascript popup hell.

Re:Javascript

[Cramer]

First off, Top9 is smoking weed if they think a lazy redirect is "capturing" a browser. They have obviously never gone to a porno website and seen what "capture" really is. (Note: disable everything before going on a porno walk-about.)

Personally, I find all the lame-ass javascript and meta-refresh redirects a serious pain in the ass. It's ranked just below setting the expiration tags on pages to before you download the page. And a recent addition (landing at number three) is the "neat trick" some assholes put in their page(s) to resize the browser to the size of your screen. (This little "feature" has forced me to make fvwm an absolute nazi.)

Re:Javascript

[DHartung]

In fact, Microsoft offers a freebie add-on called IE5 PowerTweaks. Among other things, the handful of tools includes menu items (on the Tools menu) called "Add to Restricted Zone" and "Add to Trusted Zone". This lets you manage your cookie-and-javascript-enabled sites without messing around in the "Security" dialog box for five minutes.
----

Re:Javascript

[mitheral]

The following code in junkbuster/proxomitron will remove the right mouse click disable "feature"

Name = "Allow Right Click"
Active = TRUE
Bounds = "<script*</script>"
Limit = 256
Match = "*document.onmousedown=*"

Something I find very handy as lots of sites have picked this annoy habit up. I notice because I have no standard tool bar showing on IE; I use right mouse clicks to move back/forward

lock-in unofficial workaround

[banky]

(Unix/Mac) Click and hold the back button until the list of previously visited urls appears. Select one.
(IE/Win32)RIght click to select previously visited URLS.

If you don't know this, its time to give up and become a Luddite.

Seriously, though, I was so glad when Mozilla added this, as I almost can't live without it, to deal with "lock-in".

Locking in

[Todd+Knarr]

Well, I wouldn't prevent them from trying. But then, their tricks only disable the Back button, not the history list, so I just pull that down and leave the site and never come back. Rule #1 these guys need to learn: make it difficult for the customer to do what he wants, even if that's to leave, and you will lose that customer and 10 others. Marketing 101.

Just Poor Foresight

[Whyte+Wolf]

After all, who's going to continue to frequent a sight that continually spawns browser windows after you've exited. What's irritating in porn sights, might very well sink a business as it drives customers (especially non-technical end users) away.

Hell, I've had several of these types of sites cause fatal errors in my browser and crash it. Not a smar idea if you want me to buy your products or services (or whatever)

The heart of the problem, IMHO, though is that far too many business look to the corporate website as a gimick and not a true marketing tool. I've had this fight myself--and after I left my last position, the company butchered the website I'd spent 3 months coding.

Ah well, as with all things, the proof is in the pudding (not to mention the HTML)

"Reboot the browser"?

[NME]

Don't forget to powercycle the mail client.

-nme!

Where's the porn button?!

[TheDullBlade]

I remember hearing some (MS I think) browser developer saying how they wanted to make a main-bar button that would toggle javascript, so you can stop a flood of popups fairly easily.

It got dubbed the "porn button" and was, unfortunately, never included.

Re:Where's the porn button?!

[DHartung]

One of the "Powertools" for MSIE includes a feature which adds two items to your "Tools" menu: "Add to Trusted Zone" and "Add to Restricted Zone". These items, when clicked, will automatically add the domain of the site you are currently viewing to the specified security zone. This should work just as effectively as the button you mention, since you can instantly add a site to the restritcted zone. Actually this would be better than a "toggle" button, because it will remember the site in the future.

It's called IE5 PowerTweaks. If you turn off Active Scripts for the Internet Zone, you can then go to a site and decide if you trust it to run Javascript or leave a cookie and pull down your menu. Boom! Instant Javascript.
----

Redirecting forms

[11223]

Part of the problem is web-sites that use a 0-second refresh. For instance, go to this microsoft site and then try to hit the back button - it won't let you out! So Microsoft.com should also be on that list.

The reason? People are too lazy to return a 302 Moved (like Google does for the I'm Feeling Lucky button) and instead use a meta refresh. Well, it's wrong!

Browser writers (and Mozilla team): Could you let the back button disable the meta-refresh if you accidentaly back onto a meta-refresh page?

Use window.location.replace('newlocal.html');

[cvd6262]

What urks me is that there are a lot of newer web designers who don't know how to correctly use javascript to forward the user to a new location. If they just say: window.location = 'newpage.html'; then when the user hits 'back' it will rerun the script and transfer them again.

The correct way is: window.location.replace('newpage.html');. This replace the old page with the new in the browsers history.

Joke time..

[Bowie+J.+Poag]

Ever been inside a Home Depot? Its pretty much the same story.. You cant find your way out there either. :)



Bowie J. Poag

Re:Joke time..

[drix]

Seriously! It's the closest thing to a casino I know of - no doors or easily accessible exits, no clocks or windows to tell time, open 24 hours a day to entice you.

--

Lock is despicable

[Chairboy]

"Poor web design"? That's like calling a burglar someone guilty of "poor money collection strategy".

Websitest that lock you in are more annoying then spam, and a pox on the face of computing.

The problem is, of course, due to marketers. It's true, these websites are obviously designed by a committee of marketers who spend days sitting around tables (or, these days, golf courses) trying to 'brainstorm' or 'strategize' ways of 'grabbing eyeballs'.

For a marketer, heaven is having a consumer strapped into a chair with his eyes held open ala A Clockwork Orange and being forced to watch commercials. In TV, they use everything from loudness to humor to try and grab those eyeballs.

So imagine, if you will, what happens when these people get access to an interactive medium like the Internet. There isn't a volume knob on websites, and most commercial humor requires reading abillities and patience, something hard to rely on in this 5 second attentionspan culture, so instead they do the equivalent of tying you into the chair and forcing you to 'experience' their website.

It's only a matter of time before this practice is identified as the embodiment of impoliteness it is, so it should disapear sooner or later.

Unfortunately, that means that the wheels will start turning, more of these marketing folks will start flapping their membranous wings again, and the next generation in captive consumers will get to experience their next excreted nugget of marketing 'saavy'.

Some of these lock-ins may be unintentional

[Kiwi]

Something to keep in mind is that sometimes these lock-ins are unintentional. For example, people may, to make web site updating easier, place all of the web documents in a sub directory, and have the front page be a redirecton to the actual front page of their web site.

Clumsy designs may have multiple redirects, the same way clumsy UNIX sysadmins may sometimes have a chain of symbolic links eventually pointing to a file.

The real solution is the reponsibility of the web browser designers--pages that have refresh meta tags should not be part of the browser's history, unless user-enabled.

I am not going to get in to the javascript games, since I, for security reasons, have Javascript siabled on my browser. Don't get me started on pages that need Javascript enabled to be browsed.

- Sam

Crap technology, too

[tacticalsyntax]

Oh yeah, I forgot to mention that a lot of this comes from the shitty technology behind these sites. Like BroadVision at Home Depot. To do supah-1337 1-t0-1 marketing you have to use their fat-as-hell URLs and redirect the user all over the place. So another reason to ditch HTTP: URLs are foolish things to use as objects.

+---+

Totally different issues...

[artdodge]

This practice, started by porno site operators

Ballocks. The problem here isn't web sites trying to "lock you in" - it's crappy web designers showing poor engineering skills and lack of knowledge of their tools. Specifically, lots of these sites (homedepot is a prime example) use the nefarious META http-equiv="refresh" kludge instead of sending proper 302/303/etc redirection responses. They're using an HTML-level mechanism to perform an HTTP-level function. Nothing more, nothing less.

If they wanted to lock you in, I would wager they could actually disable the Back button with JavaScript (I think some on-line banks do this so they can keep you from going "back" to a page providing info that you just invalidated by performing some transaction).

I hate META http-equiv.

A Mozilla solution?

[ajs]

Perhaps the right solution is to have Mozilla not fall for it. For example, one way that I know of that people do this is to have /index.html be a blank page with a META REFRESH or REDIRECT tag pointing to the real homepage. Why not have Mozilla detect the combination of "back" and META REFRESH or REDIRECT and simply not obey the tag?

The other solution would be to take pages out of the history list when they contain a META REDIRECT REFRESH. That would also cause the back button to work as expected, perhap arguably more like expected.

Do either of these solutions break any reasonable practices?

Netscape 3 workaround

[hawk]

>Shouldn't this be: (IE/Win32)keep pushing back,
>you don't deserver better? :)

I initially was moderating this as funny, then I realized that this was already implemented in Netscape 3, and is part of the reason I still use it.

In the Mac & Unix versions, alt- moves you through the history--alt-2 goes to the prior page, alt-9 goes back 8 pages, etc. And if you've only gone back, alt-1 takes you as far as you go.

For some reason, this wasn't in the darkside version, and has been removed from later versions of netscape.

[the other reason is the window-by-window setting of autoload images, rather than as a universial preference]

hawk

Re:Lazy developers and dumb HTTP

[artdodge]

they have to work around the miserable way that HTTP handles state.

Not the problem at all. You can handle state in at least two ways in HTTP (there are others, but some of them are patented :-P), neither of which necessitate the shoddy practices seen on theses sites.

• Cookies (example: yahoo)
• Use proper redirection (302 Found or similar) to a URL embedding a session ID (example: amazon) instead of the claptrap HTTP-equiv refresh crap these sites use.

What kind of statefulness do you have in mind that Cookies don't deliver? (BTW: you might want to look at the most recent IETF drafts; Set-Cookie2 et al are much more mature than Netscape's hack.)

The real-world equivalent

[jayhawk88]

Me: Hello, I'm looking for RedHat Linux for Commodore64, do you have that in stock?
Salesperson: No, but we do have the all-new WindowsYou 2000 v5.0 for Watches! Why don't you let me show that to you?
Me: Umm, no thanks, I think I'll just go look elsewhere.....Umm, excuse me again...
Salesperson: Yes? What is it?
Me: Umm, this door appears to be locked.
Salesperson: Oh, is that so? How odd. Perhaps you'd like to check out the latest release MacOS AquaTealMarine for CoffeePots, now with even more backgrounds!
Me: No, I'd like to leave the store. This door that I justed entered through is now locked.
Salesperson: Well, if you feel you really have to leave, you can climb that ladder into the rafters, walk across that I-beam to the far side of the store, and shimmy down the drainage pipe. But then you'd be missing our sale on OS/4 Impulse for Dishwashers...

I think it's clear that trapping sites are my biggest internet pet-peeve today. This is another reason why all marketing people should never be exposed to any new technology. Ever.

Home Depot's Offical Response

[geek2b]

Thank you for contacting homedepot.com! Our Internet team recently received a copy of the e-mail you submitted through our Web site. We would like to thank you for contacting us at homedepot.com and sincerely apologize for any inconvenience you may have experienced while using our Web site. Rest assured, we do not want to limit your access to the Internet from our site. Because the actual Web address for our home page is quite long and complicated (you can see it in the address field of your browser once you are on the page), we have simplified our Web address to www.homedepot.com to make it easier for our customers to remember and access. When you enter our address in your browser, we convert the simple Web address to the real Web page address. For that reason, the "back" button may not work in some browsers. Our technical experts are working to find a way to eliminate this process.

Re:Home Depot's Offical Response

[MrJay]

Well, hitting the URL http://www.homedepot.com/ redirects you to the page index1.html. This page uses Javascript (uggh) to determine whether the user (ironically) has Javascript enabled in their browser:

//Proceed only if the browser supports JavaScript.
..

if ( browserSupp )
window.location = "/" + siteName + "/HDUS/EN_US/pg_start.jsp";
else
window.location = "noscript.html";

In pg_start.jsp, I can only speculate that a new session is created (the next URL has a session ID field) and various startup routines are executed.

When you arrive at the homepage, the URL contains something similar to this:

pg_diy.jsp?BV_SessionID=@@@@1850957283.0963009276@ @@@&BV_EngineID=cal ieli dldjbemfcfkmcficgkj.0">

Given this information, I can make the following statements:

• They are using Broadvision. Anyone who's used this horrible piece of proprietery crap knows how uncomfortable and cumbersome it is to work with.
• They are heavy on the Javascript. IIRC, Broadvision sends various Javascript functions to accomplish mostly what can be done without Javascript. An expert web designer can build a complex site without a heavy and almost necessary reliance on Javascript.
• HTTP and HTML should both be extinct. Perhaps this is why Home Depot opted for the expensive Broadvision. I bet they also paid through the nose for a BV tech to be on site. Yipee!!

In all seriousness, this sort of thing can be avoided with a proper design. And the sheer difficulty of the whole process is nil.

Becoming a Luddite

[dzurn]

I wanted to become a Luddite, but couldn't find the on-line registration form.

IKEA has been doing that for ages.

[morzel]

Same thing happens IRL in a number of stores, with IKEA being a prime example:
Once you get in, you can't possibly get out unless you walk through the *whole* store, through every possible department - preferrably with hordes of people blocking your way.

It's a tested idea, and it works wonders (in Ikea, anyway) for the sheople walking through.
Quite miraculous how I always seem to end up buying more stuff than I actually came for. :-)

Okay... I'll do the stupid things first, then you shy people follow.

Re:Apples and oranges

[Darchmare]

That's downright unethical. The last thing I want when I'm looking for porn is for some stupid video game site to pop up. :>

(yes, i'm kidding)

- Jeff A. Campbell
- VelociNews (http://www.velocinews.com)

What is the big deal?!

[yomahz]

I went to the sites on the list that there was "no way" to get back to the previous site and I had almost no problem getting back in either Netscape or IE.

Both browsers have an option in the back button to skip several pages back.

- In IE, it's the little down arrow next to the button.

- In Netscape, you just hold down the button for a few seconds.

Is it annoying, YES but is it really that big of a deal?
--

A mind is a terrible thing to taste.

Unlawful Business Practice

[__aapbgd5977]

As of July 18, this is an unlawful business practice, according to Arizona Statute 13-2316. The newly enacted statute, available online as House Bill 2428 is quoted in relevant part below (new language in ALLCAPS).

(Note: The summaries say that this is a "Class 6 Felony". This is incorrect.)

13-2316. Computer tampering; venue; forfeiture; classification

A. A person WHO ACTS WITHOUT AUTHORITY OR WHO EXCEEDS AUTHORIZATION OF USE commits computer TAMPERING BY:

...

6. PREVENTING A COMPUTER USER FROM EXITING A SITE, COMPUTER SYSTEM OR NETWORK-CONNECTED LOCATION IN ORDER TO COMPEL THE USER'S COMPUTER TO CONTINUE COMMUNICATING WITH, CONNECTING TO OR DISPLAYING THE CONTENT OF THE SERVICE, SITE OR SYSTEM.

...

D. A VIOLATION OF SUBSECTION A, PARAGRAPH 6 OF THIS SECTION CONSTITUTES AN UNLAWFUL PRACTICE UNDER SECTION 44-1522 AND IS IN ADDITION TO ALL OTHER CAUSES OF ACTION, REMEDIES AND PENALTIES THAT ARE AVAILABLE TO THIS STATE. THE ATTORNEY GENERAL MAY INVESTIGATE AND TAKE APPROPRIATE ACTION PURSUANT TO TITLE 44, CHAPTER 10, ARTICLE 7.

Section 44-1522 is currently in effect, and reads in relevant part:

44-1522. Unlawful practices; intended interpretation of provisions

A. The act, use, or employment by any person of any deception, deceptive act or practice, fraud, false pretense, false promise, misrepresentation, or concealment, suppression or omission of any material fact with intent that others rely upon such concealment, suppression or omission, in connection with the sale or advertisement of any merchandise whether or not any person has in fact been misled, deceived, or damaged thereby, is declared to be an unlawful practice.

Yes, I work for the Arizona Attorney General, but I am not a spokesman for them. I am a lawyer, but this is not legal advice. Please consult your own attorney before taking any actions based upon information in this posting.
==
"This is the nineties. You don't just go around punching people. You have to say something cool first."

Re:Unlawful Business Practice

[josepha48]

I don't really think that this law applies here. I'm no lawyer, but here is why: you can still access other sites through your book marks so you are not really 'locked in'. They do not control your browser completely so you can still exit by typing in a URL in the location bar. Since both Netscape and IE browsers support searching through the location bar you can always exit one of these site.

While I do agree that this is bad practice on the site developers side, I do not think that it is against the law. Also how are you going to sue someone or take legal action if they are not in Arazona, or even the US? I imagine that since these sites have basically ben blacklisted on slashdot it is only a matter of time before most of them stop that practice anyway. I know that it is a cheezy way to keep visitors. Obviously if a site needs to do something like this then they have no content that will make people want to return.

send flames > /dev/null

Re:Damn these sites (or, my mouse has spoiled me)

[GigaGoogle]

I cross-referenced your post. Hope this helps!

I've got one of those Intellimouse Explorers (the huge silver ones with the superfluous tail light and like three extra buttons; well, what the hell, here's a http://www.microsoft.com/Mouse/explorer.htm link) and sites that won't let you back out are an incredible annoyance. See, two of the buttons on there serve as Forward/Back (respectively) while browsing the web, and after about 20 minutes of using them, I was hooked. You wouldn't believe how simple (and remarkably intuitive) to navigate with your thumb. Now if I could just find a good use for those buttons in Half-Life... I mean, sure, it's easy enough to hold down the back button and select the page before the offending site, but that would require moving my cursor over six or so linear inches of desktop space. Isn't that just a little bit unreasonable? No? Ah well.

Ask Dr. Jakob Nielsen

[Inoshiro]

He'll tell you that this is the #1 mistake in the top-ten list of mistakes done by webpages. And I agree. Linking to the outside world, and letting other people back out of your site shouldn't affect it. How else could Yahoo!(tm)(r)(c) become so popular, eh? They certainly don't have a lack of people browsing their site.

The back button is the most often used widget in the browser. If a user hits a site they don't want to see, or make a mistake -- boom, off they go. Locking them in to a site once they get in agrivates them (it sure pisses me off).

My suggestion: turn off Javascript in any browser which allows you to (except Netscape, because that kills CSS [why?]).

So what happens to sites which still do disable the back button, or otherwise lock you in? Well, I tend to just kill my browser process. It's simply easier than dealing with BS websites. Plus, I know to never go to that site again (it'd be nice if Mozilla had a dynamic blocklist which would mark down sites which do this, and block them).
---

Re:No different from "Go" menu -- but also there's

[Joe+Rumsey]

In Linux netscape, the middle button opens a link in a new window. In IE, shift-click does it. I open most things with the middle button when I know I'm going to want to come back to the original page. Back doesn't work very well on many pages if you've scrolled to somewhere in the middle (Slashdot stories are a prime example!)