Slashdot Mirror

← Back to Stories (view on slashdot.org)

Chrome Will Whack Website Bait-and-Switch Tactics (cnet.com)

Posted by msmash on from the fixing-things dept.

Starting next year, Google's Chrome browser will stamp out some shenanigans that send you to a website you didn't expect. From a report: You probably don't like it when you navigate to a particular web page and then your browser unexpectedly jumps to another page -- an action called a redirect and something the website publisher didn't even want to happen. With Chrome 64, in testing now and due to ship early next year, Chrome will block that kind of bait and switch, Google said. "We've found that this redirect often comes from third-party content embedded in the page, and the page author didn't intend the redirect to happen at all," Google product manager Ryan Schoen said in a blog post. Chrome 64 will block the redirect action and instead show an information bar telling you what happened. That's not all. Chrome 65, due a few weeks later, will squelch another unwelcome action that can happen when you click a link and the website opens in a new tab while switching the existing tab to a page you didn't request.

44 of 76 comments (clear)

  1. fix your ads by Anonymous Coward · · Score: 4, Insightful

    how about instead fix your fucking ads that are rife with this shit so it isn't necessary to have this kind of feature or better yet auto block ad providers.

    1. Re:fix your ads by sexconker · · Score: 2, Insightful

      Fuck that. Just block the ads. The internet is a cesspool, and I'm not talking about the smut.

    2. Re:fix your ads by desdinova+216 · · Score: 5, Funny

      incoming remark about hosts files in 3...2...1...

    3. Re:fix your ads by Cajun+Hell · · Score: 1

      I think I just figured out why Google is making this change to Chrome.

      --
      "Believe me!" -- Donald Trump
    4. Re:fix your ads by sit1963nz · · Score: 2

      Yep, Ghostery plus a big hosts file seems to fix a LOT of things.

      Any pages that I get redirected to are manually added to the hosts file. I only ever get redirected to a site once.

      And any site that detects I am using an ad blocker and stops me from entering is more than welcome to do so, I am FAR MORE willing to go elsewhere than whitelist your site.

    5. Re:fix your ads by Anonymous Coward · · Score: 2, Interesting

      Because it's not the ads, it's the browser.

      To give you an idea, If I have a website, and I have an iframe, I expect that everything that appears in that damn iframe to stay in the iframe. Yet time and time again script inside the iframe is able to do shit to document, window and top DOM's. This is a defect in the browser's own sandboxing and overflow clipping.

      If the developer console is open, it shouldn't even redirect at all. So good luck trying to stop a redirect when you don't know where it is fucking coming from because the browser won't sandbox the fucking thing.

    6. Re:fix your ads by DontBeAMoran · · Score: 2

      Really? That's cool. Thanks for sharing that with us, it helps a lot!

      --
      #DeleteFacebook
    7. Re:fix your ads by danomac · · Score: 1

      I use NoRedirect on FIrefox, and it's surprising how many sites do redirections. Ads are blocked, I'm talking about actual site redirections that want to send me to a different domain.

    8. Re:fix your ads by BenFranske · · Score: 1

      What redirections are actually being blocked though? Lots of web servers actually use HTTP redirection messages legitimately for forcing HTTPS for example. This is typically done with HTTP 301 and 302 messages which I hope would not be blocked.

    9. Re:fix your ads by KiloByte · · Score: 1

      One of worst offenders: google.com. Hover over a link, see where it leads. Click. Or even, left-click hold drag and cancel (esc) or right-click.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    10. Re:fix your ads by danomac · · Score: 1

      I don't recall ever seeing a redirect prompting for a redirection to the same domain. The ones it stops are when it redirects to a different domain.

  2. Why cant we by DarkRookie · · Score: 1

    Why can't we just remove the ability of JavaScript to open new windows/tabs. Is doesnt seem like this feature is use all that much except for popping up ads.

    --
    The millennial that doesn't like most of the stuff designed for millennials.
    1. Re:Why cant we by subanark · · Score: 1

      They do, but javascript can move a fully transparent link that fills the page which sends you to another page. This is why popups only appear when you click on the page, and you can tell it is there as the cursor doesn't change as you hover real links on the page.

    2. Re: Why cant we by Anonymous Coward · · Score: 1

      The problem in question isn't a new window or tab... it's redirecting the current page.

    3. Re: Why cant we by DarkRookie · · Score: 1

      Lets get of the redirects while we are at it.

      --
      The millennial that doesn't like most of the stuff designed for millennials.
  3. Better idea... by green1 · · Score: 2, Insightful

    Maybe google could quit giving top rank in it's search engine to sites that do this. I don't care if someone wants to make a site like this, I care that when I search for a useful site I get one of these instead.

    1. Re:Better idea... by omnichad · · Score: 1

      Giving iframes any access to the parent window is bad, except maybe passing messages via JavaScript. However, in the parent window itself, JavaScript tends to have most of the same "rights" as the user - it can embed a link in the page and then click on it - what's the practical difference between that and a redirect?

    2. Re:Better idea... by green1 · · Score: 1

      Redirect all you want. But if all the content that brought the search engine there is hidden by said re-direct, the search engine should stop sending people there (as they can't see what they came to see). Alternatively if all the content is after the redirect, that's the page the search engine should take people to, not the first page that does nothing but redirect the user.

      Having the search engine look for this would eliminate the bs spamvertising sites without affecting a single legitimate use.

    3. Re:Better idea... by green1 · · Score: 1

      And how is that in any way related to my comment?

      If a page is written with lots of content so as to get users to click on the link in the search engine, but the user can't actually see the content because they'll be redirected away instead, the search engine shouldn't send users to the site, it's not like they can get at what they came to see anyway. That's what "bait and switch" is.

      Google can obviously detect the practice, as Chrome is going to do so, so why not implement it as part of their search engine instead, that would provide far more value than in the browser. I'd much rather avoid clicking on the link in the first place than click on it and then get a message explaining what happened when I couldn't find the content I came for.

    4. Re:Better idea... by omnichad · · Score: 1

      That's not the issue, and the main point is this: If it's not in the iframe, then it's the sites own fault rather than a rogue advertiser.

      Rogue redirects don't necessarily happen right on page load - and iframes could be advertisers that are different on every single page load. This could be triggered at any point via JavaScript. I don't know if Google runs a full JavaScript engine on their indexing spider, but it's asking an awful lot to expect that. While the browser actually always runs the code and can interrupt this just before it happens.

      There are legitimate needs for redirects besides bait and switch, so blocking everything is just going to cause more problems than it solves.

  4. Nope, bad idea. by spaceman375 · · Score: 1

    This is how websites know when you leave. It takes more cpu power to figure out from logs when you left, with no clue where to or via what link, than if they use an "exit server." I read Fark every day. All their links are to Fark Redirects. I am happy to let them know which links I followed to leave their site. No cpu eating javascript needed on my side; nice, clean standard html tells them what links are worthy of my attention.
          Bait and switch as described in the upcoming "fix" where the new tab or window has what you want while the original goes elsewhere DOES suck, I welcome blocking it, but plain redirects are a worthwhile part of the spec. Leave it alone & fix the ads instead.

    --
    On the one hand you take life too seriously, and on the other, you do not take playful existence seriously enough. Seth
    1. Re:Nope, bad idea. by Northdot · · Score: 1

      It sounds to me more like chrome will be blocking redirects that occur via javascript (ie. the "3rd party content" they talk about). So this shouldn't affect the HTTP header redirects that are produced by the originating server (which is how most exit link redirects are implemented).

    2. Re:Nope, bad idea. by fermion · · Score: 1
      Also, if they fully implement this, it will kill gmail. Every time I accidentally hit my gmail bookmark, i can't just go back to my original page. Gmail is one of the many websites where the ridiculous use of redirects kills the back button. That way there is no easy way for the user to leave the page.

      Probably if google would stop pioneering such malicious techniques, other websites would not consider them so acceptable.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  5. Too bad. by sootman · · Score: 1

    When I first saw the headline, I read 'Chrome' but thought 'Google' and my thought was "Oh great, Google is going to start penalizing sites where you do a Google search but the page does not contain the text that was shown in the Google result."

    As for the issue actually being discussed, I've never even seen that happen.

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
    1. Re:Too bad. by DarkRookie · · Score: 1

      Not enough bombs in the world for this.

      --
      The millennial that doesn't like most of the stuff designed for millennials.
    2. Re:Too bad. by Anonymous Coward · · Score: 1

      As for the issue actually being discussed, I've never even seen that happen.

      Hey guys, this guy doesn't watch porn. Get him!

    3. Re:Too bad. by Quirkz · · Score: 1

      As for the issue actually being discussed, I've never even seen that happen.

      I had it on my phone a few times, where I'd follow a link, see it for a second, and then get shuttled off to an advertising page. Usually with no back button functionality. I got it to stop by installing an ad blocker. I haven't seen it on my laptop, but I'm always running an ad blocker there, so that's probably why.

      --
      The Quirkz Handbook of Self-Improvement for People Who Are Already Pretty Okay
  6. Re:URL shorteners by Anonymous Coward · · Score: 1

    Nope.

    This is (presumably) going to prevent non-transparant redirects, eg ones invoked by window.top.location without user interaction. You know, the kind that the website doesn't get more than a few seconds to be seen before being sent off to shitty phishing ads.

  7. Oh look, msmash copies and pastes juveline vocab by RightwingNutjob · · Score: 1

    in the headline. Color me surprised.

  8. Re:Ghostery = advertiser owned... apk by DontBeAMoran · · Score: 2

    What about https://pi-hole.net/ ?

    I'd rather have one device block everything via host names than having to configure every single device I own, some of them without that ability (ex: iPhone).

    --
    #DeleteFacebook
  9. use Ghostery if you prefer Firefox by swell · · Score: 1

    The Ghostery add-on has been doing this for a long time.

    In fact redirects happen most often for me in Google search results.
    Click on an ad and Google re-routs the resulting links so that they get credit for their ad.
    I'd guess that Chrome will NOT block that kind of bait and switch.
    But Ghostery pops up a little window that says:

    "Ghostery prevented a redirect from
    www.google.com to www.googleadservices.com,
    which is part of Google Adsense. " ...

    --
    ...omphaloskepsis often...
  10. What sites would that be? by drew_kime · · Score: 1

    Chrome 65, due a few weeks later, will squelch another unwelcome action that can happen when you click a link and the website opens in a new tab while switching the existing tab to a page you didn't request.

    Somebody's been viewing porn.

    --
    Nope, no sig
  11. Re:Ghostery = advertiser owned... apk by tepples · · Score: 1

    How well does Pi-hole work when you are browsing through a public Wi-Fi hotspot or over cellular Internet? How well would it work for someone whose home ISP blocks connections to devices on his LAN from the Internet? A local DNS blacklist doesn't require running a server

  12. Re:pi-hole = complexity & costs vs. hosts... a by tepples · · Score: 1

    Unless one of the following is the case:

    A. The model of Android device that you own has no root exploit.
    B. You depend on applications that incidentally detect whether a particular Android device is rooted and refuse to run if it is, "for your security."
    C. It's a bring-your-own-device (BYOD) situation, where the network administrator lacks "sufficient rights" over visitors' devices.
    D. An adtech server rotates among millions of wildcard subdomains. (Unlike DGAs used by malware, wildcard subdomains incur no extra cost to register a domain.)

  13. Re:Ghostery = advertiser owned... apk by ncc74656 · · Score: 1

    What about https://pi-hole.net/ ?

    I'd rather have one device block everything via host names than having to configure every single device I own, some of them without that ability (ex: iPhone).

    There are adblockers for iOS that don't need jailbreaking, just as there are adblockers for Android that don't need root. They work by setting up an on-device VPN and routing all traffic through that.

    ...or at least there were at one time. I had one on my wife's iPad 2. A quick search just now for them, though, indicates that Apple is weeding them out of the App Store in favor of something called a "Safari Content Blocker," which isn't likely to be systemwide. (I've not kept up with iOS and the devices it runs on much since switching my phone over to Android. I have an iPad 3 that I keep around as a PDF reader, but it no longer receives updates.)

    In any case, I'm about to take you up on that Pi-Hole idea as soon as the parts for it arrive. You can't install an adblocker on a Roku, so the block needs to go somewhere outside the device.

    --
    20 January 2017: the End of an Error.
  14. Re:Lol, so Chrome didn't have this yet? by TigerPlish · · Score: 1

    Firefox has done that for as long as I can remember (Options->Advanced->Warn me when pages redirect).

    But then I stopped updating FF when they started fucking it up, so maybe that's gone now.

    Can't find the option now, and I've never set it, but FF .. whatever the latest version is right now.. 56.0.2.. it warned me the other day about a re-direct. Default behavior.

    --
    The "Civilized World" jumped the shark ca. 1973.
  15. Re:LOL, knew YOU'd show up... apk by tepples · · Score: 1

    You're DUMB if you don't use a rooted "dumbphone"

    Selling your unrootable device probably won't provide enough revenue to buy a rootable one.

    the network administrator lacks "sufficient rights" over visitors' devices

    That's NOT a TRUE administrator then

    I detect a "no true Scotsman" fallacy here. So for purposes of this comment, I'll define "true administrator" to mean "administrator of all devices connected to a particular IP LAN", and "guest network" as a LAN operated by someone other than a true administrator.

    Hosts is fine for a true administrator. But not everyone has the luxury of being a true administrator; some people have a reason to operate a guest network. For these, a DNS filter component can run on the gateway appliance that already manages the guest network. And many of these can take list files generated using your app.

    IF I was the controller of the IP stack itself? I'd do a 'wildcard' @ considerably LESS expense in hosts

    On this, I wholeheartedly agree. Have you considered writing a patch for the resolvers in the Linux and FreeBSD kernels?

  16. Re:Lol, so Chrome didn't have this yet? by justthinkit · · Score: 1

    What about a redirect within a web site? If "page.html" moves to "Bozo-The-Clown.html" on the same web site, and "page.html" gets edited to redirect you, should there be any blocking?

    --
    I come here for the love
  17. How about an absolute popup block? by satsuke · · Score: 2

    How about Chrome implement an absolute popup block, or at least a notification before opening one.

    Even to this day, with the "block popups" option ticked, there are sites that do a trick to launch additional windows.

    1. Re:How about an absolute popup block? by pepsikid · · Score: 1

      Exactly! It's like, decades pass and all "popup blockers" still do is watch for popups and try to quickly close them again. Why in hell can not a browser's code, specifically that which creates a new window and fills it with the specified contents, be flatly disabled? It's such a specific action. Hell, why not compile a browser which simply cannot open new windows? Fuxing simple!

  18. require HTTPS for ads! by nicoleb_x · · Score: 1

    It seems that most scummy ad links are http. So just blocking links to ads that are not https would solve this real quick.

  19. Re:"Ask & ye DID receive" (deleting this too?) by HyperQuantum · · Score: 1

    Can't we add this APK guy to our hosts file or something?

    --
    I am not really here right now.
  20. How does Chrome know... by MoarSauce123 · · Score: 1

    ...what is a desired redirect and what not? Redirects are a common practice and ideally inform the user that they will be redirected. Often times this is not done, for example, when using an identity provider. The users hits the targeted page, lacks authentication, gets redirected to the identity provider, once authenticated a redirect is made to the originally requested site with authentication and claims stuffed inside a cookie. For the user this looks like a seamless transition although two redirects are involved.

  21. Slashdot served ads like this a few months ago by MobyDisk · · Score: 1

    A few months ago, Slashdot had ads that were intermittently doing this. Web site operators need to ditch ad companies that do this stuff.

    How about a Chome plug-in that detects sites that do this, and begins an automatic DDOS against the site? Everyone installing the plug-in would become a participant.