Please create an account to participate in the Slashdot moderation system


Forgot your password?
Google Chrome

Chrome Will Whack Website Bait-and-Switch Tactics ( 76

Starting next year, Google's Chrome browser will stamp out some shenanigans that send you to a website you didn't expect. From a report: You probably don't like it when you navigate to a particular web page and then your browser unexpectedly jumps to another page -- an action called a redirect and something the website publisher didn't even want to happen. With Chrome 64, in testing now and due to ship early next year, Chrome will block that kind of bait and switch, Google said. "We've found that this redirect often comes from third-party content embedded in the page, and the page author didn't intend the redirect to happen at all," Google product manager Ryan Schoen said in a blog post. Chrome 64 will block the redirect action and instead show an information bar telling you what happened. That's not all. Chrome 65, due a few weeks later, will squelch another unwelcome action that can happen when you click a link and the website opens in a new tab while switching the existing tab to a page you didn't request.
This discussion has been archived. No new comments can be posted.

Chrome Will Whack Website Bait-and-Switch Tactics

Comments Filter:
  • fix your ads (Score:4, Insightful)

    by Anonymous Coward on Wednesday November 08, 2017 @05:22PM (#55515679)
    how about instead fix your fucking ads that are rife with this shit so it isn't necessary to have this kind of feature or better yet auto block ad providers.
    • Re: (Score:3, Insightful)

      by sexconker ( 1179573 )

      Fuck that. Just block the ads. The internet is a cesspool, and I'm not talking about the smut.

      • by desdinova 216 ( 2000908 ) on Wednesday November 08, 2017 @05:27PM (#55515713)
        incoming remark about hosts files in 3...2...1...
      • I think I just figured out why Google is making this change to Chrome.
      • Yep, Ghostery plus a big hosts file seems to fix a LOT of things.

        Any pages that I get redirected to are manually added to the hosts file. I only ever get redirected to a site once.

        And any site that detects I am using an ad blocker and stops me from entering is more than welcome to do so, I am FAR MORE willing to go elsewhere than whitelist your site.
      • I use NoRedirect on FIrefox, and it's surprising how many sites do redirections. Ads are blocked, I'm talking about actual site redirections that want to send me to a different domain.

        • What redirections are actually being blocked though? Lots of web servers actually use HTTP redirection messages legitimately for forcing HTTPS for example. This is typically done with HTTP 301 and 302 messages which I hope would not be blocked.

          • I don't recall ever seeing a redirect prompting for a redirection to the same domain. The ones it stops are when it redirects to a different domain.

        • One of worst offenders: Hover over a link, see where it leads. Click. Or even, left-click hold drag and cancel (esc) or right-click.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Because it's not the ads, it's the browser.

      To give you an idea, If I have a website, and I have an iframe, I expect that everything that appears in that damn iframe to stay in the iframe. Yet time and time again script inside the iframe is able to do shit to document, window and top DOM's. This is a defect in the browser's own sandboxing and overflow clipping.

      If the developer console is open, it shouldn't even redirect at all. So good luck trying to stop a redirect when you don't know where it is fucking co

    • by AmiMoJo ( 196126 )

      I remember when Firefox would be introducing this kind of thing, looking out for the user and giving them a better experience. Instead the just keep making their own UI worse.

      Ads will always be malicious, that will never change.

  • Why can't we just remove the ability of JavaScript to open new windows/tabs. Is doesnt seem like this feature is use all that much except for popping up ads.
    • They do, but javascript can move a fully transparent link that fills the page which sends you to another page. This is why popups only appear when you click on the page, and you can tell it is there as the cursor doesn't change as you hover real links on the page.

    • by Anonymous Coward

      The problem in question isn't a new window or tab... it's redirecting the current page.

  • Better idea... (Score:3, Insightful)

    by green1 ( 322787 ) on Wednesday November 08, 2017 @06:04PM (#55515911)

    Maybe google could quit giving top rank in it's search engine to sites that do this. I don't care if someone wants to make a site like this, I care that when I search for a useful site I get one of these instead.

    • Giving iframes any access to the parent window is bad, except maybe passing messages via JavaScript. However, in the parent window itself, JavaScript tends to have most of the same "rights" as the user - it can embed a link in the page and then click on it - what's the practical difference between that and a redirect?

      • by green1 ( 322787 )

        And how is that in any way related to my comment?

        If a page is written with lots of content so as to get users to click on the link in the search engine, but the user can't actually see the content because they'll be redirected away instead, the search engine shouldn't send users to the site, it's not like they can get at what they came to see anyway. That's what "bait and switch" is.

        Google can obviously detect the practice, as Chrome is going to do so, so why not implement it as part of their search engine

        • That's not the issue, and the main point is this: If it's not in the iframe, then it's the sites own fault rather than a rogue advertiser.

          Rogue redirects don't necessarily happen right on page load - and iframes could be advertisers that are different on every single page load. This could be triggered at any point via JavaScript. I don't know if Google runs a full JavaScript engine on their indexing spider, but it's asking an awful lot to expect that. While the browser actually always runs the code and c

  • This is how websites know when you leave. It takes more cpu power to figure out from logs when you left, with no clue where to or via what link, than if they use an "exit server." I read Fark every day. All their links are to Fark Redirects. I am happy to let them know which links I followed to leave their site. No cpu eating javascript needed on my side; nice, clean standard html tells them what links are worthy of my attention.
    Bait and switch as described in the upcoming "fix" where

    • It sounds to me more like chrome will be blocking redirects that occur via javascript (ie. the "3rd party content" they talk about). So this shouldn't affect the HTTP header redirects that are produced by the originating server (which is how most exit link redirects are implemented).

    • by fermion ( 181285 )
      Also, if they fully implement this, it will kill gmail. Every time I accidentally hit my gmail bookmark, i can't just go back to my original page. Gmail is one of the many websites where the ridiculous use of redirects kills the back button. That way there is no easy way for the user to leave the page.

      Probably if google would stop pioneering such malicious techniques, other websites would not consider them so acceptable.

  • When I first saw the headline, I read 'Chrome' but thought 'Google' and my thought was "Oh great, Google is going to start penalizing sites where you do a Google search but the page does not contain the text that was shown in the Google result."

    As for the issue actually being discussed, I've never even seen that happen.

    • by Anonymous Coward

      As for the issue actually being discussed, I've never even seen that happen.

      Hey guys, this guy doesn't watch porn. Get him!

    • by Quirkz ( 1206400 )

      As for the issue actually being discussed, I've never even seen that happen.

      I had it on my phone a few times, where I'd follow a link, see it for a second, and then get shuttled off to an advertising page. Usually with no back button functionality. I got it to stop by installing an ad blocker. I haven't seen it on my laptop, but I'm always running an ad blocker there, so that's probably why.

  • in the headline. Color me surprised.
  • The Ghostery add-on has been doing this for a long time.

    In fact redirects happen most often for me in Google search results.
    Click on an ad and Google re-routs the resulting links so that they get credit for their ad.
    I'd guess that Chrome will NOT block that kind of bait and switch.
    But Ghostery pops up a little window that says:

    "Ghostery prevented a redirect from to,
    which is part of Google Adsense. " ...

  • Chrome 65, due a few weeks later, will squelch another unwelcome action that can happen when you click a link and the website opens in a new tab while switching the existing tab to a page you didn't request.

    Somebody's been viewing porn.

  • by satsuke ( 263225 ) on Wednesday November 08, 2017 @11:49PM (#55517443)

    How about Chrome implement an absolute popup block, or at least a notification before opening one.

    Even to this day, with the "block popups" option ticked, there are sites that do a trick to launch additional windows.

    • Exactly! It's like, decades pass and all "popup blockers" still do is watch for popups and try to quickly close them again. Why in hell can not a browser's code, specifically that which creates a new window and fills it with the specified contents, be flatly disabled? It's such a specific action. Hell, why not compile a browser which simply cannot open new windows? Fuxing simple!

  • It seems that most scummy ad links are http. So just blocking links to ads that are not https would solve this real quick.
  • ...what is a desired redirect and what not? Redirects are a common practice and ideally inform the user that they will be redirected. Often times this is not done, for example, when using an identity provider. The users hits the targeted page, lacks authentication, gets redirected to the identity provider, once authenticated a redirect is made to the originally requested site with authentication and claims stuffed inside a cookie. For the user this looks like a seamless transition although two redirects are
  • A few months ago, Slashdot had ads that were intermittently doing this. Web site operators need to ditch ad companies that do this stuff.

    How about a Chome plug-in that detects sites that do this, and begins an automatic DDOS against the site? Everyone installing the plug-in would become a participant.

Any sufficiently advanced technology is indistinguishable from a rigged demo.