Slashdot Mirror
Google Working on Blocking Back Button Hijacking in Chrome (zdnet.com)
Google engineers are currently working on a Chrome browser update that will block malicious websites from hijacking the browser's history and, indirectly, the Back button. From a report: The issue at hand is a well-known tactic often seen employed by many shady sites across the Internet. A user would visit a website, then he'd accidentally click or tap on an ad, and be taken to a new page. But when the user presses the Back button to go back to the previous page, the browser just reloads the same page over and over again, keeping the user trapped on the ad page. [...] Recent source code updates to the Chromium project, the open-source browser engine behind the Chrome browser, reveal that Google engineers are planning to crack down on this type of abusive behavior. These code updates will allow Chrome to detect when browser history entries have been generated by user interaction, or by an automated method.
But I'm sure there will be some of this
https://xkcd.com/1172/
Store date and url.
Remove all urls displayed less than 3s.
I suspect the notice fails to mention this feature is not entirely new.
I remember that in a few shadier sites I used in the past for watching movies, the redirects did not go into the history, I had to monitor DNS when I was trying to blacklisting them, however they changed them every day, and then I resorted to whitelisting.
Maybe some shadier sites found out strategies to get around it, but then the newspiece is not entirely clear on that feature not being entirely new.
WTF are you talking about? It sounds like Google is solving a problem with navigation that a lot of sites are creating. Even facebook has the problem that when you click "back" you don't go back to the previous page you were on, you stay on facebook.
The embrace of "use javascript to do whatever the fuck you want" has really come back to bite users. It makes people money, so it's not going anywhere until someone gets fed up with all the cat and mouse games and makes a legit system that doesn't rely on it.
Anons need not reply. Questions end with a question mark.
Teach your idiot friends and family how to use Task Manager to kill the Chrome process, instead of calling the "Microsoft Support" number and giving them your credit card number!
I've abandoned my search for truth; now I'm just looking for some useful delusions.
I'm curious if they are going to discriminate between legitimate and illegitimate forms of updating the browse history. On some of my single-page apps I change where the back-button takes them. Not to trap them, but to provide functionality. I wonder if this is going to be blocked for everyone, or just the people who set up an infinite loop of back buttons leading to the same page.
"That's the way to do it" - Punch
On some of my single-page apps I change where the back-button takes them.
Since the first time I loaded up Mosaic, I have expected the back button to take me back. Not sideways.
Website = One platform. All users are always up-to-date.
Application = A minimum of five platforms: Windows, Mac, Linux, iOS, Android. All users need to update the application themselves.
Guess which one is cheaper to develop for? And before you say "cross-platform compiler", remember that these make crap UIs for each platform.
#DeleteFacebook
Most likely, they will track the source of the history update and ignore it if isn't a click. Additionally, they will likely squash multiple history updates from a single click into one.
That's fine when every click loads a new page, but If a click simply loads new content into the same page, it makes sense to tweak the history in those cases to make the back button work as expected.
I have encountered several fairly well-known news sites that fool with the back button, making it difficult to back up past their home page.
Even more than this, I would love to see the browser people find a way to absolutely, positively block auto-play videos. The one at the top of a news story is irritating, but when you scroll past it and a little clone of the window pops up in the right margin and starts playing it really gets on my nerves.
If you came from a different domain name, then the back button has probably been hijacked.
Also, all they have to do is add a property to the history log: user click vs script modification.
#DeleteFacebook
You're the one who visited the application website.
#DeleteFacebook
And the websites don't have a crappy UI?
Strange things are afoot at the Circle-K.
Since the first time I loaded up Mosaic, I have expected the back button to take me back. Not sideways.
If you're using AJAX within a webpage though, sometimes you expect the back button to take you to what you were previously viewing NOT make you leave the site altogether. If a single page is dynamically updating content based upon what you click on, you probably want script manipulation of the back button.
Example, I have a table of widgets- I click on a widget and it loads details (you haven't changed website or been forwarded to a new address)... if you click the back button you probably want it to return you to the table; not have it exit the webpage completely. There are times you don't want the back button to actually take you back to the real actual previous webpage.
"That's the way to do it" - Punch
They usually flood the navigation history with many bogus entries, so you'd have to click Back a hundred times to actually go back. That would be easy to detect.
If they are more intelligent and just use a single bogus history entry, and when it is navigated to always create another, well that is easy to detect too.
Another way to solve this is to only allow as many navigation history events to be added as there are user interactions. So if the user doesn't interact at all, no navigation history events can be added, thus hitting the back button gets you straight out of there.
I can't think of any legitimate reasons to be adding anything to the back history as soon as you visit a web page.
Better known as 318230.
Presto Opera (e.g. =12.x) had this feature years ago. Glad that we are slowly catching up to Opera's feature set...
This isn't talkong about an Angular app with routing that uses back properly. It is talking about automatic redirects like HTTP 301 or meta refresh tags. For those the sokution is easy, Firefox has done this for years. If you hit back, and the page then auto-redirects you immediately, ignore the redirect. The user then just has to hit back a few times, but at least they aren't stuck. Even better would be if hitting back went back to the most recent page that did not have an automatic redirect in it.
^ This.
If all I need to do is send a XHR request for a few to hundreds of KB to render what is required, why reload the page and all the dependencies and images (let's ignore caching for argument sake). Sure, the front-load of a few MB for the whole application is a few seconds, but the rest of your experience is immediate and responsive.
Don't you wait for Photoshop, Word, Outlook, whatever-game-you-play etc to finish loading before you start using it?
This idea works well for pages where I will be visiting for hours on end, Inbox (stb gmail...), work websites, music, calendars, forums, whatever. The catch being the developers need to know how garbage collection works.
And then in that case, you take control of the back button so it doesn't break the experience.
I can see what you're getting at. In some cases, when a user navigates through a web page that is built and displayed dynamically through javascript without reloading its parent page, a user might expect that hitting "back" would take them to the previous frame of whatever content they last navigated through. They could become annoyed when "back" actually takes them wherever they were before arriving at the site initially and losing all their progress.
But I don't agree that selectively modifying "back" button functionality is a good solution to the problem. Either browsers should agree that "back" means go back to the previously viewed content and allow pages to easily add actions taken on the page to the browser history or "back" should mean "always load the last parent page I went to." Right now it means the latter. I wouldn't be opposed to the former, but until that becomes a standard I feel the onus is on the developer to expect the "back" button to always have the same effect and not try to modify around it.
I also understand that the browser allows you to modify how things like the back button work. I just personally wouldn't build important functionality in my site around something the browser normally controls, and wouldn't be terribly surprised if it stopped working the way I'd originally intended after a browser update.
But isn't the back button breaking web apps a good argument to allow it to go back to the previous page? Then your web app wouldn't have to worry about it.
If they could get away with it. They'd make you listen to their "copy" and buy whatever it is they are selling. And they'd have no moral objection to it.
Corporatism != Free Market
Users accidentally tap/click an ad? Sorry to report but some ads hijack the website and auto-redirect to these scam ads. Then I'm stuck with a popup "you've won a free XYZ" and the back-button doesn't work. And the only way out is to close the tab.
I can appreciate the logic if you developing an web-based application like Gmail. An advertisement hijacking the webpage is not an application, it's scammy and evil. I don't know what is worse scammy hijack advertisers or sites that allow them and offer a paid ad-free subscription. I have nothing against paid subscriptions (I even have some), but making your ad-supported version user hostile is also evil.
I also understand that the browser allows you to modify how things like the back button work. I just personally wouldn't build important functionality in my site around something the browser normally controls, and wouldn't be terribly surprised if it stopped working the way I'd originally intended after a browser update.
Well, the answer is you don't build important functionality into the back-button, you give other options and try to get the user to use those other options for navigating; HOWEVER, you can't control a user and can't prevent them clicking the back-button if they really want to (all you can do is try to handle it gracefully if they do). In an ideal world the end-user wouldn't use the back button from navigating in a web-application; but you can't easily prevent them.
"That's the way to do it" - Punch
Dang but I love script blockers.
Sorry, I was typing it on my phone, LOL!
With Firefox, hold down the back button (well, on the desktop versions) and it displays a history of pages. So you can go back two pages, or 3, or more with one click. That helps to get around the nasty ones.
Slashdot does this too when accessing the site from Chrome on Android. Clicking the number of comments on a story attempts to open multiple popups, then directs you to sites full of redirects. The real problem is web site operators allowing advertising companies to put scripts onto the page. It wasn't so bad when the ads were square images with a single around them.
Or those who aren't web developers don't know the internals well enough to make an informed opinion.
So the next move is exploits that hijack opening a new tab. Several sites already interfere with ctrl-left mouse clicks that should open in a new tab. Bets on the availability to interfere with right click, open in new window/tab?
Inheritance is the sincerest form of nepotism.
They have turned it off for quite some time now and if they made sure it never happened when you were in a textbox I wouldn't have minded it. But CTRL Left arrow doesn't work and I don't know if it ever worked on Chrome, but it has on some browser.
And then in that case, you take control of the back button so it doesn't break the experience.
No, in that case you provide a clearly marked Back button or link as part of YOUR interface. If necessary, you add a brief explanation as to why YOUR back button is better in the current context than the browser's Back button. Don't be messing with MY interface - Home, Forward, Back, and Stop buttons. When you screw with those, you've 'broken the experience' by definition, you've created non-standard behaviour, and you've pissed me off to the extent that your site is on my shitlist and I won't be visiting it again.
'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
YouTube uses a similar technique, when a new video is opened it actually doesn't reload the page despite that the URL changes. The user might want to go back to continue watching the previous video. So how will Chrome know whether this technique is malicious or not? Please tell me if I'm wrong.
BTW, over the years I've experienced MANY warnings about not using the Back button, so it's not as though I just pulled the idea out of my ass.
Yeah... and it doesn't work. People still click the back button.
"That's the way to do it" - Punch
Not to trap them, but to provide functionality.
Nope. You've broken the concept of the back button as well as the usability guidelines for some operating systems. If you want to provide functionality you should do it via the appropriate means. Changing the defined functionality of something is not appropriate.
but If a click simply loads new content into the same page
Then you should make it clear to the user that the context of your page has a different interface than the standard one they expect, and not change the defined behaviour of an existing system which has a different functionality.
Yeah, that seems like the most reasonable approach. You only get one per click (or kb enter outside a textbox)
Someone had to do it.
Do you work for free? Your boss only allowed X hours to do the job. And your apps would need to be compatible with older devices no longer supported by the companies so what the fuck would you do?
#DeleteFacebook
The reality is you are probably experiencing this history rewriting on tons of sites without even realizing it, but you don't have a problem with it because it works "as expected".
The standard behavior is to let websites screw around with the browser's history. If it's done properly it's practically invisible - sure if you're watching for it you'll see the manipulation going on, but to most users the browser's back button does actually do what they expect it too and they are completely oblivious as to what actually happened and the technical details of how the website really works. However, like a lot of things on the web that were created to make things more user-friendly, this can also be abused by malicious and shitty websites that are up to no good or like being annoying.
However, if you really don't like it, why don't you take control of your browser and not allow websites to rewrite your browser's history? The source code behind the most popular browsers is available, so have at it. Or there may even be an extension available. Then you can go party like it's 1996 all over again.