Google Working on Blocking Back Button Hijacking in Chrome (zdnet.com) 152
Google engineers are currently working on a Chrome browser update that will block malicious websites from hijacking the browser's history and, indirectly, the Back button. From a report: The issue at hand is a well-known tactic often seen employed by many shady sites across the Internet. A user would visit a website, then he'd accidentally click or tap on an ad, and be taken to a new page. But when the user presses the Back button to go back to the previous page, the browser just reloads the same page over and over again, keeping the user trapped on the ad page. [...] Recent source code updates to the Chromium project, the open-source browser engine behind the Chrome browser, reveal that Google engineers are planning to crack down on this type of abusive behavior. These code updates will allow Chrome to detect when browser history entries have been generated by user interaction, or by an automated method.
Thank God (Score:1)
But I'm sure there will be some of this
https://xkcd.com/1172/
Re: (Score:2)
Easy (Score:1, Informative)
Store date and url.
Remove all urls displayed less than 3s.
Re: Easy (Score:2)
The mobile chrome browser does not have a back button. You can use the back button at the bottom of the screen, but holding that one either does nothing, or (on some roms) it kills the current foreground app.
Not sure whether the feature is entirely new (Score:1)
I remember that in a few shadier sites I used in the past for watching movies, the redirects did not go into the history, I had to monitor DNS when I was trying to blacklisting them, however they changed them every day, and then I resorted to whitelisting.
Maybe some shadier sites found out strategies to get around it, but then the newspiece is not entirely clear on that feature not being entirely new.
Re: (Score:1, Flamebait)
Hitting the back button in the browser takes you to the previous site in the history. If the redirects from your shady site weren't going into the history, hitting the back button would go to what was in your history, not a redirect page that would keep you trapped on the site.
Here's tip: When you're trying to sound super intelligent, make sure that you haven't gotten the logic in your post ass-backwards.
Re: (Score:2)
Shady sites get opened in their own tab. Or window. And then get closed when I'm tired of fighting with them.
Re: (Score:2)
I don't like to do it. (Score:1)
Disclaimer: Web developer here.
Whenever I need to fix a broken or out of control sequence on a bloated POS website, catching the Backbutton is one of the quick and dirty hacks that sort of solve the problem. It doesn't feel right though.
PWAs are borderline, IMHO, because they interfere with the network and Adress bar. However there seems to be sort of a standard on how to do it and you can expect a good site to follow suit. Service Worker is to cool a concept to leave out, it's a good hack that makes the we
Re: (Score:2)
Website = One platform. All users are always up-to-date.
Application = A minimum of five platforms: Windows, Mac, Linux, iOS, Android. All users need to update the application themselves.
Guess which one is cheaper to develop for? And before you say "cross-platform compiler", remember that these make crap UIs for each platform.
Re: (Score:2)
You're the one who visited the application website.
Re: I don't like to do it. (Score:2)
And the websites don't have a crappy UI?
Re: (Score:2)
Do you work for free? Your boss only allowed X hours to do the job. And your apps would need to be compatible with older devices no longer supported by the companies so what the fuck would you do?
Re: I don't like to do it. (Score:3)
Re: (Score:2)
But isn't the back button breaking web apps a good argument to allow it to go back to the previous page? Then your web app wouldn't have to worry about it.
the error of our ways: (Score:2)
The embrace of "use javascript to do whatever the fuck you want" has really come back to bite users. It makes people money, so it's not going anywhere until someone gets fed up with all the cat and mouse games and makes a legit system that doesn't rely on it.
Re: (Score:2)
The embrace of "use javascript to do whatever the fuck you want" has really come back to bite users. It makes people money, so it's not going anywhere until someone gets fed up with all the cat and mouse games and makes a legit system that doesn't rely on it.
Which would either be:
Full page refreshes for every action:
Sites are free to do this now (even you or any of the armchair developers in here could build a site doing this!), but they probably wouldn't because users are used to instant response in their actions
Use some other language:
Which would then evolve to be able to do the same things as JavaScript anyway.
Re: (Score:3)
I'm perfectly happy with web sites that do nothing until I click on a link. Everything I've seen that relies on JS tricks is just bad UX and we're better off without it. From the evidence before me, JS is used entirely to make the UX suck.
But, still, the average Web UX is vastly better than the average mobile app UX, so it's go that going for it. Sadly, mobile app UX brain damage is starting to leak into web design, so all hope will eventually be lost.
Re: (Score:1)
I'm perfectly happy with web sites that do nothing until I click on a link. Everything I've seen that relies on JS tricks is just bad UX and we're better off without it. From the evidence before me, JS is used entirely to make the UX suck.
But, still, the average Web UX is vastly better than the average mobile app UX, so it's go that going for it. Sadly, mobile app UX brain damage is starting to leak into web design, so all hope will eventually be lost.
Meh, I don't have a problem with, say, Slashdot's UX, where comments aren't loaded until you click on them (except for the first few lines, and any comments that meet the threshold for inlining). That sort of JS UX is fine with me.
Re: (Score:2)
I hate it. Thankfully, there's still the classic UI.
Re: (Score:2)
Which would either be:
Full page refreshes for every action:
Use some other language:
Only two options and nothing else? [imgur.com] hmm...
Re: (Score:2)
Re: (Score:2)
There are so many options.
* expand HTML/CSS so that javascript isn't needed
** "onVisible" which loads contents into a div from a provided URL
** expand CSS to have (non-chainable) animation events that can be activated by "onClick"/"onHover"/etc...
* restrict javascript's communication/loading/computational capability
** only allow a single domain to load javascript from
** limit javascript to being able to interact a specified (in the html document) list of domains
** remove lots of the "features" that enable b
Re: (Score:2)
* expand HTML/CSS so that javascript isn't needed ** "onVisible" which loads contents into a div from a provided URL ** expand CSS to have (non-chainable) animation events that can be activated by "onClick"/"onHover"/etc...
Not sure how much of that belongs in CSS, though that's really semantics. Even still, it falls under "use a different language that would evolve to do the same stuff anyway."
restrict javascript's communication/loading/computational capability ** only allow a single domain to load javascript from ** limit javascript to being able to interact a specified (in the html document) list of domains ** remove lots of the "features" that enable bullshit like this ** make javascript computation a resource which will halt after so instructions are executed
Sure, your web apps will need special whitelisting to work but nobody gives a shit.
Okay so something that is restricted in functionality by design? Sounds great [ampproject.org]
Re: (Score:2)
Not sure how much of that belongs in CSS, though that's really semantics. Even still, it falls under "use a different language that would evolve to do the same stuff anyway."
Incorrect. The purpose is that it would be limited to user interaction based animations, incapable of chaining events and thus no longer be Turing complete. Turing completeness is really what's enabling bad behavior. Remove the capability and remove the threat.
Okay so something that is restricted in functionality by design? Sounds great [ampproject.org]
AMP modifies pages and there is no mandate compliance. The idea is to stop bad behavior rather than just avoid it's consequences.
Re: (Score:2)
Re: (Score:2)
Not at all. I'm sure plenty of idiots will bemoan the loss of javascript games. Likewise people who build their business models on selling information will be upset.
The truth is that scripting isn't needed for building web pages but it sure is profitable.
Re: (Score:2)
Now who's using a dichotomy?
Re: (Score:2)
What I do (Score:2)
Re: (Score:2)
That's great... except of course you've now closed the page (that had the ad you accidentally clicked) you were trying to view, as well. So now you have to re-navigate to it.
Google's seems like a perfectly fine solution to an irritating problem that bites me occasionally.
Curious how they tell legitimate from illegitimate (Score:3)
I'm curious if they are going to discriminate between legitimate and illegitimate forms of updating the browse history. On some of my single-page apps I change where the back-button takes them. Not to trap them, but to provide functionality. I wonder if this is going to be blocked for everyone, or just the people who set up an infinite loop of back buttons leading to the same page.
Re: (Score:1)
On some of my single-page apps I change where the back-button takes them.
Since the first time I loaded up Mosaic, I have expected the back button to take me back. Not sideways.
Re: Curious how they tell legitimate from illegiti (Score:4, Interesting)
That's fine when every click loads a new page, but If a click simply loads new content into the same page, it makes sense to tweak the history in those cases to make the back button work as expected.
Re: (Score:2)
^ This.
If all I need to do is send a XHR request for a few to hundreds of KB to render what is required, why reload the page and all the dependencies and images (let's ignore caching for argument sake). Sure, the front-load of a few MB for the whole application is a few seconds, but the rest of your experience is immediate and responsive.
Don't you wait for Photoshop, Word, Outlook, whatever-game-you-play etc to finish loading before you start using it?
This idea works well for pages where I will be visiting
Re: Curious how they tell legitimate from illegiti (Score:4, Interesting)
And then in that case, you take control of the back button so it doesn't break the experience.
No, in that case you provide a clearly marked Back button or link as part of YOUR interface. If necessary, you add a brief explanation as to why YOUR back button is better in the current context than the browser's Back button. Don't be messing with MY interface - Home, Forward, Back, and Stop buttons. When you screw with those, you've 'broken the experience' by definition, you've created non-standard behaviour, and you've pissed me off to the extent that your site is on my shitlist and I won't be visiting it again.
Re: (Score:2)
The standard behavior is to let websites screw around with the browser's history. If it's done properly it's practically invisible - sure if you're watching for it you'll see the manipulation going on, but to most users the browser's back button does actually do what they expect it too and they are completely oblivious as to what actually happened and the technical details of how the website really works. However, like a lot of things on the web that were created to make things more user-friendly, this ca
Re: Curious how they tell legitimate from illegit (Score:2)
Or those who aren't web developers don't know the internals well enough to make an informed opinion.
Re: (Score:1)
Or those who aren't web developers don't know the internals well enough to make an informed opinion.
Car analogy here. If automakers suddenly swapped the brake and the gas, or made the power switch on your radio change the station instead, (but only sometimes), 'because internals' - would you just accept that, or would you tell them to sod off and restore them to the behaviour you've come to expect? I use the Web a lot - I'm technical, but I don't 'know the internals' of the Web or of browsers. I don't need to, because I've used them for long enough that I know the conventions and understand the behaviour.
Re: Curious how they tell legitimate from illegit (Score:3)
The reality is you are probably experiencing this history rewriting on tons of sites without even realizing it, but you don't have a problem with it because it works "as expected".
Re: (Score:2)
but If a click simply loads new content into the same page
Then you should make it clear to the user that the context of your page has a different interface than the standard one they expect, and not change the defined behaviour of an existing system which has a different functionality.
Re: (Score:3, Interesting)
Since the first time I loaded up Mosaic, I have expected the back button to take me back. Not sideways.
If you're using AJAX within a webpage though, sometimes you expect the back button to take you to what you were previously viewing NOT make you leave the site altogether. If a single page is dynamically updating content based upon what you click on, you probably want script manipulation of the back button.
Example, I have a table of widgets- I click on a widget and it loads details (you haven't changed website or been forwarded to a new address)... if you click the back button you probably want it to return
Re: (Score:3, Insightful)
I can see what you're getting at. In some cases, when a user navigates through a web page that is built and displayed dynamically through javascript without reloading its parent page, a user might expect that hitting "back" would take them to the previous frame of whatever content they last navigated through. They could become annoyed when "back" actually takes them wherever they were before arriving at the site initially and losing all their progress.
But I don't agree that selectively modifying "back" bu
Re:Curious how they tell legitimate from illegitim (Score:4, Interesting)
I also understand that the browser allows you to modify how things like the back button work. I just personally wouldn't build important functionality in my site around something the browser normally controls, and wouldn't be terribly surprised if it stopped working the way I'd originally intended after a browser update.
Well, the answer is you don't build important functionality into the back-button, you give other options and try to get the user to use those other options for navigating; HOWEVER, you can't control a user and can't prevent them clicking the back-button if they really want to (all you can do is try to handle it gracefully if they do). In an ideal world the end-user wouldn't use the back button from navigating in a web-application; but you can't easily prevent them.
Re: (Score:1)
In an ideal world the end-user wouldn't use the back button from navigating in a web-application; but you can't easily prevent them.
Sure you can - just not the first time. Put your own nav buttons in your UI, and warn about using the browser's Back button. If they hit the latter and lose a half-hour's worth of whatever they're doing, then the next time they'll heed the directions. Don't break my experience because some people won't follow instructions.
BTW, over the years I've experienced MANY warnings about not using the Back button, so it's not as though I just pulled the idea out of my ass.
Re: (Score:2)
BTW, over the years I've experienced MANY warnings about not using the Back button, so it's not as though I just pulled the idea out of my ass.
Yeah... and it doesn't work. People still click the back button.
Re: Curious how they tell legitimate from illegiti (Score:2)
Most likely, they will track the source of the history update and ignore it if isn't a click. Additionally, they will likely squash multiple history updates from a single click into one.
Re: (Score:2)
Yeah, that seems like the most reasonable approach. You only get one per click (or kb enter outside a textbox)
Re: (Score:3)
If you came from a different domain name, then the back button has probably been hijacked.
Also, all they have to do is add a property to the history log: user click vs script modification.
Re: (Score:3, Insightful)
They usually flood the navigation history with many bogus entries, so you'd have to click Back a hundred times to actually go back. That would be easy to detect.
If they are more intelligent and just use a single bogus history entry, and when it is navigated to always create another, well that is easy to detect too.
Another way to solve this is to only allow as many navigation history events to be added as there are user interactions. So if the user doesn't interact at all, no navigation history events can be
Re:Curious how they tell legitimate from illegitim (Score:5, Interesting)
This isn't talkong about an Angular app with routing that uses back properly. It is talking about automatic redirects like HTTP 301 or meta refresh tags. For those the sokution is easy, Firefox has done this for years. If you hit back, and the page then auto-redirects you immediately, ignore the redirect. The user then just has to hit back a few times, but at least they aren't stuck. Even better would be if hitting back went back to the most recent page that did not have an automatic redirect in it.
Re: (Score:2)
Sorry, I was typing it on my phone, LOL!
With Firefox, hold down the back button (well, on the desktop versions) and it displays a history of pages. So you can go back two pages, or 3, or more with one click. That helps to get around the nasty ones.
Slashdot does this too when accessing the site from Chrome on Android. Clicking the number of comments on a story attempts to open multiple popups, then directs you to sites full of redirects. The real problem is web site operators allowing advertising compani
Re: (Score:2)
Not to trap them, but to provide functionality.
Nope. You've broken the concept of the back button as well as the usability guidelines for some operating systems. If you want to provide functionality you should do it via the appropriate means. Changing the defined functionality of something is not appropriate.
It's not just shady web sites (Score:3, Interesting)
I have encountered several fairly well-known news sites that fool with the back button, making it difficult to back up past their home page.
Even more than this, I would love to see the browser people find a way to absolutely, positively block auto-play videos. The one at the top of a news story is irritating, but when you scroll past it and a little clone of the window pops up in the right margin and starts playing it really gets on my nerves.
Re: (Score:3)
Under Chrome/Centbrowser there is an extension called "AutoplayStopper" I have tested out and it works 100% of the time. Also "flash control" to catch flash stuff.
Slowly we are catching up to the year 2013 (Score:3)
Presto Opera (e.g. =12.x) had this feature years ago. Glad that we are slowly catching up to Opera's feature set...
Re: (Score:2)
Presto Opera (e.g. =12.x) had this feature years ago. Glad that we are slowly catching up to Opera's feature set...
Opera seriously was the best browser ever.
It was a crying shame when they decided to become a Chrome skin.
Re: (Score:2)
I started using Opera after giving up on Netscape 4.0 and stuck with Opera 12 until sometime in 2015 when sadly it became pretty obvious that Presto-based Opera was past it's sell-by date and was truly dead. Actually one of the pain points with Opera 12 towards the end was just how bad slashcode starting making the browser choke.
Not liking Chrome and not particularly excited with Firefox I started looking for alternatives. I initially dismissed the Chromium-based Opera, but after doing some research it se
Advertisers would use force (Score:1)
If they could get away with it. They'd make you listen to their "copy" and buy whatever it is they are selling. And they'd have no moral objection to it.
No more Free iPads and Walmart gift cards?!?! (Score:2)
Users accidentally tap/click an ad? Sorry to report but some ads hijack the website and auto-redirect to these scam ads. Then I'm stuck with a popup "you've won a free XYZ" and the back-button doesn't work. And the only way out is to close the tab.
Re: (Score:1)
Accidentally? There are sites that do the redirect without having to click on anything.
This still happens? (Score:2)
But it might break many sites (Score:2)
Re: (Score:2)