Chrome Will Whack Website Bait-and-Switch Tactics (cnet.com)
Starting next year, Google's Chrome browser will stamp out some shenanigans that send you to a website you didn't expect. From a report: You probably don't like it when you navigate to a particular web page and then your browser unexpectedly jumps to another page -- an action called a redirect and something the website publisher didn't even want to happen. With Chrome 64, in testing now and due to ship early next year, Chrome will block that kind of bait and switch, Google said. "We've found that this redirect often comes from third-party content embedded in the page, and the page author didn't intend the redirect to happen at all," Google product manager Ryan Schoen said in a blog post. Chrome 64 will block the redirect action and instead show an information bar telling you what happened. That's not all. Chrome 65, due a few weeks later, will squelch another unwelcome action that can happen when you click a link and the website opens in a new tab while switching the existing tab to a page you didn't request.
fix your ads (Score:4, Insightful)
Re: (Score:3, Insightful)
Fuck that. Just block the ads. The internet is a cesspool, and I'm not talking about the smut.
Re:fix your ads (Score:5, Funny)
Re: (Score:2)
Can't we add this APK guy to our hosts file or something?
Re: (Score:2)
Re: (Score:3)
Really? That's cool. Thanks for sharing that with us, it helps a lot!
Re: (Score:3)
Any pages that I get redirected to are manually added to the hosts file. I only ever get redirected to a site once.
And any site that detects I am using an ad blocker and stops me from entering is more than welcome to do so, I am FAR MORE willing to go elsewhere than whitelist your site.
Re: (Score:3)
What about https://pi-hole.net/?
I'd rather have one device block everything via host names than having to configure every single device I own, some of them without that ability (ex: iPhone).
Re: (Score:2)
Unless one of the following is the case:
A. The model of Android device that you own has no root exploit.
B. You depend on applications that incidentally detect whether a particular Android device is rooted and refuse to run if it is, "for your security."
C. It's a bring-your-own-device (BYOD) situation, where the network administrator lacks "sufficient rights" over visitors' devices.
D. An adtech server rotates among millions of wildcard subdomains. (Unlike DGAs used by malware, wildcard subdomains incur no ex
Re: (Score:2)
You're DUMB if you don't use a rooted "dumbphone"
Selling your unrootable device probably won't provide enough revenue to buy a rootable one.
the network administrator lacks "sufficient rights" over visitors' devices
That's NOT a TRUE administrator then
I detect a "no true Scotsman" fallacy here. So for purposes of this comment, I'll define "true administrator" to mean "administrator of all devices connected to a particular IP LAN", and "guest network" as a LAN operated by someone other than a true administrator.
Hosts is fine for a true administrator. But not everyone has the luxury of being a true administrator; some people have a reason to operate a guest network.
Re: (Score:2)
How well does Pi-hole work when you are browsing through a public Wi-Fi hotspot or over cellular Internet? How well would it work for someone whose home ISP blocks connections to devices on his LAN from the Internet? A local DNS blacklist doesn't require running a server
Re: (Score:2)
There are adblockers for iOS that don't need jailbreaking, just as there are adblockers for Android that don't need root. They work by setting up an on-device VPN and routing all traffic through that.
...or at least there were at one time. I had one on my wife's iPad 2. A quick search just now for them, though, indic
Re: (Score:2)
I use NoRedirect on Firefox, and it's surprising how many sites do redirections. Ads are blocked, I'm talking about actual site redirections that want to send me to a different domain.
Re: (Score:2)
What redirections are actually being blocked though? Lots of web servers actually use HTTP redirection messages legitimately for forcing HTTPS for example. This is typically done with HTTP 301 and 302 messages which I hope would not be blocked.
Re: (Score:2)
I don't recall ever seeing a redirect prompting for a redirection to the same domain. The ones it stops are when it redirects to a different domain.
Re: (Score:2)
One of the worst offenders: google.com. Hover over a link, see where it leads. Click. Or even, left-click hold drag and cancel (esc) or right-click.
Re: (Score:2, Interesting)
Because it's not the ads, it's the browser.
To give you an idea, if I have a website, and I have an iframe, I expect that everything that appears in that damn iframe to stay in the iframe. Yet time and time again script inside the iframe is able to do shit to document, window and top DOM's. This is a defect in the browser's own sandboxing and overflow clipping.
If the developer console is open, it shouldn't even redirect at all. So good luck trying to stop a redirect when you don't know where it is fucking co
Re: (Score:1)
I remember when Firefox would be introducing this kind of thing, looking out for the user and giving them a better experience. Instead they just keep making their own UI worse.
Ads will always be malicious, that will never change.
Re: (Score:1)
Nope.
This is (presumably) going to prevent non-transparent redirects, e.g. ones invoked by window.top.location without user interaction. You know, the kind that the website doesn't get more than a few seconds to be seen before being sent off to shitty phishing ads.
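The `window.top.location` redirect mentioned above is something a site author can restrict on their own pages with the iframe `sandbox` attribute. The following is an added example, not code from the thread or from Chrome: it scans constructed markup and reports which embedded frames the markup leaves able to navigate the top-level page. The `ads.example` URLs, function names and risk labels are illustrative assumptions.

```javascript
// Constructed sample markup; hostnames are placeholders.
const SAMPLE_PAGE = `
<iframe src="https://ads.example/slot1"></iframe>
<iframe src="https://ads.example/slot2" sandbox="allow-scripts allow-top-navigation"></iframe>
<iframe src="https://ads.example/slot3" sandbox="allow-scripts allow-top-navigation-by-user-activation"></iframe>
<iframe src="https://ads.example/slot4" sandbox="allow-scripts"></iframe>
<iframe src="https://ads.example/slot5" sandbox></iframe>
`;

// Read attributes one after another so a quoted value is consumed whole
// and never mistaken for an attribute name. A bare attribute maps to "".
function parseAttrs(attrText) {
  const attrs = new Map();
  const re = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"']+)))?/g;
  for (const m of attrText.matchAll(re)) {
    attrs.set(m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? '');
  }
  return attrs;
}

// Decide what the markup permits the framed document to do to the top page.
function topNavRisk(attrs) {
  // No sandbox attribute: the markup places no limit on top navigation.
  if (!attrs.has('sandbox')) return 'not-sandboxed';
  const tokens = attrs.get('sandbox').toLowerCase().split(/\s+/).filter(Boolean);
  if (tokens.includes('allow-top-navigation')) return 'allowed';
  if (tokens.includes('allow-top-navigation-by-user-activation')) return 'user-gesture-only';
  // Sandboxed without either token: top navigation from the frame is denied.
  return 'blocked';
}

// Simplified scan for illustration; use a real HTML parser on untrusted markup.
function auditFrames(html) {
  const findings = [];
  for (const m of html.matchAll(/<iframe\b([^>]*)>/gi)) {
    const attrs = parseAttrs(m[1]);
    findings.push({ src: attrs.get('src') ?? '(no src)', risk: topNavRisk(attrs) });
  }
  return findings;
}

console.log(auditFrames(SAMPLE_PAGE));
```

Frames reported as `not-sandboxed` or `allowed` are the ones worth reviewing with the ad or widget provider; `user-gesture-only` still permits a redirect when the visitor clicks inside the frame.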
Why can't we (Score:1)
Re: (Score:2)
They do, but javascript can move a fully transparent link that fills the page which sends you to another page. This is why popups only appear when you click on the page, and you can tell it is there as the cursor doesn't change as you hover real links on the page.
Re: Why can't we (Score:1)
The problem in question isn't a new window or tab... it's redirecting the current page.
Re: (Score:1)
Better idea... (Score:3, Insightful)
Maybe Google could quit giving top rank in its search engine to sites that do this. I don't care if someone wants to make a site like this, I care that when I search for a useful site I get one of these instead.
Re: (Score:2)
Giving iframes any access to the parent window is bad, except maybe passing messages via JavaScript. However, in the parent window itself, JavaScript tends to have most of the same "rights" as the user - it can embed a link in the page and then click on it - what's the practical difference between that and a redirect?
Re: (Score:2)
And how is that in any way related to my comment?
If a page is written with lots of content so as to get users to click on the link in the search engine, but the user can't actually see the content because they'll be redirected away instead, the search engine shouldn't send users to the site, it's not like they can get at what they came to see anyway. That's what "bait and switch" is.
Google can obviously detect the practice, as Chrome is going to do so, so why not implement it as part of their search engine
Re: (Score:2)
That's not the issue, and the main point is this: If it's not in the iframe, then it's the site's own fault rather than a rogue advertiser.
Rogue redirects don't necessarily happen right on page load - and iframes could be advertisers that are different on every single page load. This could be triggered at any point via JavaScript. I don't know if Google runs a full JavaScript engine on their indexing spider, but it's asking an awful lot to expect that. While the browser actually always runs the code and c
Re: (Score:2)
Redirect all you want. But if all the content that brought the search engine there is hidden by said re-direct, the search engine should stop sending people there (as they can't see what they came to see). Alternatively if all the content is after the redirect, that's the page the search engine should take people to, not the first page that does nothing but redirect the user.
Having the search engine look for this would eliminate the bs spamvertising sites without affecting a single legitimate use.
Nope, bad idea. (Score:2)
This is how websites know when you leave. It takes more cpu power to figure out from logs when you left, with no clue where to or via what link, than if they use an "exit server." I read Fark every day. All their links are to Fark Redirects. I am happy to let them know which links I followed to leave their site. No cpu eating javascript needed on my side; nice, clean standard html tells them what links are worthy of my attention.
Bait and switch as described in the upcoming "fix" where
Re: (Score:1)
It sounds to me more like Chrome will be blocking redirects that occur via JavaScript (i.e. the "3rd party content" they talk about). So this shouldn't affect the HTTP header redirects that are produced by the originating server (which is how most exit link redirects are implemented).
Re: (Score:2)
Probably if Google would stop pioneering such malicious techniques, other websites would not consider them so acceptable.
Too bad. (Score:2)
When I first saw the headline, I read 'Chrome' but thought 'Google' and my thought was "Oh great, Google is going to start penalizing sites where you do a Google search but the page does not contain the text that was shown in the Google result."
As for the issue actually being discussed, I've never even seen that happen.
Re: (Score:1)
Re: (Score:1)
As for the issue actually being discussed, I've never even seen that happen.
Hey guys, this guy doesn't watch porn. Get him!
Re: (Score:2)
As for the issue actually being discussed, I've never even seen that happen.
I had it on my phone a few times, where I'd follow a link, see it for a second, and then get shuttled off to an advertising page. Usually with no back button functionality. I got it to stop by installing an ad blocker. I haven't seen it on my laptop, but I'm always running an ad blocker there, so that's probably why.
Oh look, msmash copies and pastes juvenile vocab (Score:2)
use Ghostery if you prefer Firefox (Score:2)
The Ghostery add-on has been doing this for a long time.
In fact redirects happen most often for me in Google search results.
Click on an ad and Google re-routes the resulting links so that they get credit for their ad.
I'd guess that Chrome will NOT block that kind of bait and switch.
But Ghostery pops up a little window that says:
"Ghostery prevented a redirect from ...
www.google.com to www.googleadservices.com,
which is part of Google Adsense. "
Re: (Score:2)
Firefox has done that for as long as I can remember (Options->Advanced->Warn me when pages redirect).
But then I stopped updating FF when they started fucking it up, so maybe that's gone now.
Can't find the option now, and I've never set it, but FF .. whatever the latest version is right now.. 56.0.2.. it warned me the other day about a re-direct. Default behavior.
Re: (Score:2)
What about a redirect within a web site? If "page.html" moves to "Bozo-The-Clown.html" on the same web site, and "page.html" gets edited to redirect you, should there be any blocking?
What sites would that be? (Score:2)
Chrome 65, due a few weeks later, will squelch another unwelcome action that can happen when you click a link and the website opens in a new tab while switching the existing tab to a page you didn't request.
Somebody's been viewing porn.
How about an absolute popup block? (Score:3)
How about Chrome implement an absolute popup block, or at least a notification before opening one.
Even to this day, with the "block popups" option ticked, there are sites that do a trick to launch additional windows.
Re: (Score:2)
Exactly! It's like, decades pass and all "popup blockers" still do is watch for popups and try to quickly close them again. Why in hell can not a browser's code, specifically that which creates a new window and fills it with the specified contents, be flatly disabled? It's such a specific action. Hell, why not compile a browser which simply cannot open new windows? Fuxing simple!
require HTTPS for ads! (Score:1)
How does Chrome know... (Score:2)
Slashdot served ads like this a few months ago (Score:2)
A few months ago, Slashdot had ads that were intermittently doing this. Web site operators need to ditch ad companies that do this stuff.
How about a Chrome plug-in that detects sites that do this, and begins an automatic DDOS against the site? Everyone installing the plug-in would become a participant.