Google Working on Blocking Back Button Hijacking in Chrome

Google engineers are currently working on a Chrome browser update that will block malicious websites from hijacking the browser's history and, indirectly, the Back button. From a report: The issue at hand is a well-known tactic often seen employed by many shady sites across the Internet. A user would visit a website, then he'd accidentally click or tap on an ad, and be taken to a new page. But when the user presses the Back button to go back to the previous page, the browser just reloads the same page over and over again, keeping the user trapped on the ad page. [...] Recent source code updates to the Chromium project, the open-source browser engine behind the Chrome browser, reveal that Google engineers are planning to crack down on this type of abusive behavior. These code updates will allow Chrome to detect when browser history entries have been generated by user interaction, or by an automated method.

Re:Curious how they tell legitimate from illegitim

[Dan+East]

They usually flood the navigation history with many bogus entries, so you'd have to click Back a hundred times to actually go back. That would be easy to detect.
If they are more intelligent and just use a single bogus history entry, and when it is navigated to always create another, well that is easy to detect too.

Another way to solve this is to only allow as many navigation history events to be added as there are user interactions. So if the user doesn't interact at all, no navigation history events can be added, thus hitting the back button gets you straight out of there.

I can't think of any legitimate reasons to be adding anything to the back history as soon as you visit a web page.

Re:Curious how they tell legitimate from illegitim

[Sumus+Semper+Una]

I can see what you're getting at. In some cases, when a user navigates through a web page that is built and displayed dynamically through javascript without reloading its parent page, a user might expect that hitting "back" would take them to the previous frame of whatever content they last navigated through. They could become annoyed when "back" actually takes them wherever they were before arriving at the site initially and losing all their progress.

But I don't agree that selectively modifying "back" button functionality is a good solution to the problem. Either browsers should agree that "back" means go back to the previously viewed content and allow pages to easily add actions taken on the page to the browser history or "back" should mean "always load the last parent page I went to." Right now it means the latter. I wouldn't be opposed to the former, but until that becomes a standard I feel the onus is on the developer to expect the "back" button to always have the same effect and not try to modify around it.

I also understand that the browser allows you to modify how things like the back button work. I just personally wouldn't build important functionality in my site around something the browser normally controls, and wouldn't be terribly surprised if it stopped working the way I'd originally intended after a browser update.