Slashdot Mirror


Google Working on Blocking Back Button Hijacking in Chrome (zdnet.com)

Google engineers are currently working on a Chrome browser update that will block malicious websites from hijacking the browser's history and, indirectly, the Back button. From a report: The issue at hand is a well-known tactic often seen employed by many shady sites across the Internet. A user would visit a website, then he'd accidentally click or tap on an ad, and be taken to a new page. But when the user presses the Back button to go back to the previous page, the browser just reloads the same page over and over again, keeping the user trapped on the ad page. [...] Recent source code updates to the Chromium project, the open-source browser engine behind the Chrome browser, reveal that Google engineers are planning to crack down on this type of abusive behavior. These code updates will allow Chrome to detect when browser history entries have been generated by user interaction, or by an automated method.

16 of 152 comments

  1. Curious how they tell legitimate from illegitimate by Oswald+McWeany · · Score: 2

    I'm curious if they are going to discriminate between legitimate and illegitimate forms of updating the browse history. On some of my single-page apps I change where the back-button takes them. Not to trap them, but to provide functionality. I wonder if this is going to be blocked for everyone, or just the people who set up an infinite loop of back buttons leading to the same page.

    --
    "That's the way to do it" - Punch
  2. Re: Curious how they tell legitimate from illegiti by reanjr · · Score: 3, Interesting

    That's fine when every click loads a new page, but if a click simply loads new content into the same page, it makes sense to tweak the history in those cases to make the back button work as expected.

  3. It's not just shady web sites by biggaijin · · Score: 3, Interesting

    I have encountered several fairly well-known news sites that fool with the back button, making it difficult to back up past their home page.

    Even more than this, I would love to see the browser people find a way to absolutely, positively block auto-play videos. The one at the top of a news story is irritating, but when you scroll past it and a little clone of the window pops up in the right margin and starts playing it really gets on my nerves.

    1. Re:It's not just shady web sites by IWantMoreSpamPlease · · Score: 2

      Under Chrome/Centbrowser there is an extension called "AutoplayStopper" I have tested out and it works 100% of the time. Also "flash control" to catch flash stuff.

      --
      So rise up, all ye lost ones, as one, we'll claw the clouds.
  4. Re:Curious how they tell legitimate from illegitim by DontBeAMoran · · Score: 2

    If you came from a different domain name, then the back button has probably been hijacked.
    Also, all they have to do is add a property to the history log: user click vs script modification.

    --
    #DeleteFacebook
  5. Re:Curious how they tell legitimate from illegitim by Oswald+McWeany · · Score: 2, Interesting

    Since the first time I loaded up Mosaic, I have expected the back button to take me back. Not sideways.

    If you're using AJAX within a webpage though, sometimes you expect the back button to take you to what you were previously viewing NOT make you leave the site altogether. If a single page is dynamically updating content based upon what you click on, you probably want script manipulation of the back button.

    Example, I have a table of widgets- I click on a widget and it loads details (you haven't changed website or been forwarded to a new address)... if you click the back button you probably want it to return you to the table; not have it exit the webpage completely. There are times you don't want the back button to actually take you back to the real actual previous webpage.

    --
    "That's the way to do it" - Punch
  6. Re:Curious how they tell legitimate from illegitim by Dan+East · · Score: 2, Insightful

    They usually flood the navigation history with many bogus entries, so you'd have to click Back a hundred times to actually go back. That would be easy to detect.
    If they are more intelligent and just use a single bogus history entry, and when it is navigated to always create another, well that is easy to detect too.

    Another way to solve this is to only allow as many navigation history events to be added as there are user interactions. So if the user doesn't interact at all, no navigation history events can be added, thus hitting the back button gets you straight out of there.

    I can't think of any legitimate reasons to be adding anything to the back history as soon as you visit a web page.

    --
    Better known as 318230.
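
Added example (not part of the thread and not Chromium code): a small JavaScript model of the idea in the summary and in comments 4 and 6, where each history entry records whether a user gesture paid for it and Back stops only on entries the user asked for. The class, method names and URLs are assumptions made for illustration; unlike comment 6, unpaid entries are skipped rather than refused.

```javascript
// Simplified model of a tab's session history (illustrative names, not Chromium code).
class SessionHistory {
  constructor(firstUrl) {
    this.entries = [{ url: firstUrl, userInitiated: true }];
    this.index = 0;
    this.credits = 0; // unspent user gestures on the current page
  }
  // Link click or typed URL: a user-initiated entry; gesture credits reset.
  navigate(url) { this.credits = 0; this._push(url, true); }
  // A real click, tap or key press on the current page.
  userGesture() { this.credits++; }
  // Script adds an entry (pushState-style); one gesture pays for one entry.
  scriptPush(url) {
    const paid = this.credits > 0;
    if (paid) this.credits--;
    this._push(url, paid);
  }
  _push(url, userInitiated) {
    this.entries.length = this.index + 1; // discard forward entries
    this.entries.push({ url, userInitiated });
    this.index++;
  }
  // Traditional Back: one entry at a time, whoever created it.
  naiveBack() { this.index = Math.max(0, this.index - 1); return this.entries[this.index].url; }
  // Gesture-aware Back: skip unpaid entries; null when nothing earlier qualifies.
  back() {
    let head = this.index; // entry 0 is always user-initiated, so this stops
    while (!this.entries[head].userInitiated) head--;
    let target = head - 1;
    while (target >= 0 && !this.entries[target].userInitiated) target--;
    if (target < 0) return null;
    this.index = target;
    return this.entries[target].url;
  }
}

// Constructed scenario: an ad page floods history without any interaction.
function floodScenario() {
  const h = new SessionHistory("https://news.example/story");
  h.navigate("https://ads.example/landing"); // accidental ad click
  for (let i = 0; i < 100; i++) h.scriptPush(`https://ads.example/landing#trap${i}`);
  return h;
}
// Constructed scenario: single-page app, detail view loaded after a click.
function spaScenario() {
  const h = new SessionHistory("https://shop.example/widgets");
  h.userGesture();
  h.scriptPush("https://shop.example/widgets#detail-7");
  return h;
}
```

In the flood scenario one gesture-aware Back returns to the news story, while the single-page-app entry created after a click still behaves as the app intended.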
  7. Slowly we are catching up to the year 2013 by Kohlrabi82 · · Score: 2

    Presto Opera (e.g. =12.x) had this feature years ago. Glad that we are slowly catching up to Opera's feature set...

  8. Re:Curious how they tell legitimate from illegitim by MobyDisk · · Score: 4, Interesting

    This isn't talking about an Angular app with routing that uses back properly. It is talking about automatic redirects like HTTP 301 or meta refresh tags. For those the solution is easy, Firefox has done this for years. If you hit back, and the page then auto-redirects you immediately, ignore the redirect. The user then just has to hit back a few times, but at least they aren't stuck. Even better would be if hitting back went back to the most recent page that did not have an automatic redirect in it.

  9. Re:Curious how they tell legitimate from illegitim by Sumus+Semper+Una · · Score: 2, Insightful

    I can see what you're getting at. In some cases, when a user navigates through a web page that is built and displayed dynamically through javascript without reloading its parent page, a user might expect that hitting "back" would take them to the previous frame of whatever content they last navigated through. They could become annoyed when "back" actually takes them wherever they were before arriving at the site initially and losing all their progress.

    But I don't agree that selectively modifying "back" button functionality is a good solution to the problem. Either browsers should agree that "back" means go back to the previously viewed content and allow pages to easily add actions taken on the page to the browser history or "back" should mean "always load the last parent page I went to." Right now it means the latter. I wouldn't be opposed to the former, but until that becomes a standard I feel the onus is on the developer to expect the "back" button to always have the same effect and not try to modify around it.

    I also understand that the browser allows you to modify how things like the back button work. I just personally wouldn't build important functionality in my site around something the browser normally controls, and wouldn't be terribly surprised if it stopped working the way I'd originally intended after a browser update.

  10. Re: I don't like to do it. by TuballoyThunder · · Score: 2

    I can appreciate the logic if you're developing a web-based application like Gmail. An advertisement hijacking the webpage is not an application, it's scammy and evil. I don't know what is worse: scammy hijack advertisers or sites that allow them and offer a paid ad-free subscription. I have nothing against paid subscriptions (I even have some), but making your ad-supported version user hostile is also evil.

  11. Re:Curious how they tell legitimate from illegitim by Oswald+McWeany · · Score: 3, Interesting

    I also understand that the browser allows you to modify how things like the back button work. I just personally wouldn't build important functionality in my site around something the browser normally controls, and wouldn't be terribly surprised if it stopped working the way I'd originally intended after a browser update.

    Well, the answer is you don't build important functionality into the back-button, you give other options and try to get the user to use those other options for navigating; HOWEVER, you can't control a user and can't prevent them clicking the back-button if they really want to (all you can do is try to handle it gracefully if they do). In an ideal world the end-user wouldn't use the back button for navigating in a web-application; but you can't easily prevent them.

    --
    "That's the way to do it" - Punch
  12. Re:the error of our ways: by lgw · · Score: 2

    I'm perfectly happy with web sites that do nothing until I click on a link. Everything I've seen that relies on JS tricks is just bad UX and we're better off without it. From the evidence before me, JS is used entirely to make the UX suck.

    But, still, the average Web UX is vastly better than the average mobile app UX, so it's got that going for it. Sadly, mobile app UX brain damage is starting to leak into web design, so all hope will eventually be lost.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  13. Re:While they are at it by hackwrench · · Score: 2

    They have turned it off for quite some time now and if they made sure it never happened when you were in a textbox I wouldn't have minded it. But CTRL Left arrow doesn't work and I don't know if it ever worked on Chrome, but it has on some browser.

  14. Re: Curious how they tell legitimate from illegiti by jenningsthecat · · Score: 3, Interesting

    And then in that case, you take control of the back button so it doesn't break the experience.

    No, in that case you provide a clearly marked Back button or link as part of YOUR interface. If necessary, you add a brief explanation as to why YOUR back button is better in the current context than the browser's Back button. Don't be messing with MY interface - Home, Forward, Back, and Stop buttons. When you screw with those, you've 'broken the experience' by definition, you've created non-standard behaviour, and you've pissed me off to the extent that your site is on my shitlist and I won't be visiting it again.

    --
    'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
  15. Re: Curious how they tell legitimate from illegit by reanjr · · Score: 2

    The reality is you are probably experiencing this history rewriting on tons of sites without even realizing it, but you don't have a problem with it because it works "as expected".