Chrome Plans To Save You From Sites That Mess With Your Back Button
If you’ve ever found the back button on your Chrome browser not working, Google will soon have a fix for you. Or more accurately, the developers behind the Chromium open source browser that underpins Chrome will soon have a fix for you.
Your Chrome back button sometimes fails because of sneaky behavior by nuisance websites. These sites are the Roach Motels of the web: you can check in, but you can’t check out. Once you stumble into their dark corner of the internet and try to leave, they hijack your browser’s back button, blocking the exit.
They achieve their nefarious goals in two ways: using redirects or history manipulation.
Redirects are simple: on the way in, you're bounced through a redirect you don't notice, which sits in your browser history between the page you started on and the page you're on now. When you hit the back button, your browser goes back one URL in its history and loads the redirect, which bounces you forward again.
History manipulation is sneakier. It sounds fun, like playing heavy metal for fifties high school kids in Back to the Future. Or going back to 1990 and putting all your money into Cisco shares (you’d be worth over $1.3m today on a $1000 initial investment). But no, nuisance websites ruin everything, including history.
Here’s how it works. Your browser keeps a stack of records showing which pages you’ve visited in the current window’s session. When you press the back button on your browser, it goes to the last page in that stack.
HTML5 allows a nuisance web page to hijack that process by adding entries to the session history using the pushState command. It can pile these dummy entries pointing to itself on top of the stack. The result? You either click madly on the back button to get back through the stack faster than the site can update it, or you just give up and close the window. Either way, it’s frustrating.
Participants in the Web Incubator Community Chapter (WICG) first identified this in 2016. WICG is a forum for discussing how to improve the web experience for users. In November, Chromium’s developers took up the mantle and pledged to fix the problem.
There’s a feature in the works that will stop pages from redirecting users or messing with the stack used for the back/forward button UI after the page has loaded, unless the user explicitly gives permission with a “user gesture”. According to this announcement:
The new behavior of the browser’s back button will be to skip over pages that added history entries or redirected the user without ever getting a user gesture.
Previously, if you were on site A and clicked a link to go to nuisance site B, site B could automatically use pushState to add itself to your history and keep doing it, meaning you’d never get back to site A. Now, if the user didn’t click on something to request it, the browser will ignore the entry. As soon as the user clicks the back button, they can return to site A.
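The difference between the old and new back button can be seen in a small model of the session history stack. This is an added example, not Chromium's code: the class, its method names and the site-a.example / site-b.example URLs are constructed for illustration, and the "skippable" flag is an assumed, simplified stand-in for the rule quoted above.

```javascript
// Simplified model of one tab's session history. Added example, not Chromium code.
class SessionHistory {
  constructor(startUrl) {
    this.entries = [{ url: startUrl, gesture: false, skippable: false }];
    this.index = 0;
  }
  get current() { return this.entries[this.index]; }
  // The user clicked, tapped or typed on the current page.
  userGesture() {
    this.current.gesture = true;
    this.current.skippable = false;
  }
  // Any new entry discards the forward part of the stack.
  _append(url, gesture) {
    this.entries.length = this.index + 1;
    this.entries.push({ url, gesture, skippable: false });
    this.index += 1;
  }
  // Following a link is itself a gesture on the page being left.
  clickLink(url) {
    this.userGesture();
    this._append(url, false);
  }
  // Script adds an entry (pushState; a script redirect is treated the same
  // way here). With no gesture so far, the adding entry is marked skippable.
  pushState(url) {
    if (!this.current.gesture) this.current.skippable = true;
    this._append(url, this.current.gesture);
  }
  // Old behaviour: back always moves exactly one entry.
  backLegacy() {
    if (this.index > 0) this.index -= 1;
    return this.current.url;
  }
  // New behaviour: pass over skippable entries, but never run off the stack.
  back() {
    let i = this.index - 1;
    while (i > 0 && this.entries[i].skippable) i -= 1;
    if (i >= 0) this.index = i;
    return this.current.url;
  }
}
// Constructed scenario from the article: site A links to nuisance site B.
function trappedVisit(useNewBack) {
  const h = new SessionHistory("https://site-a.example/");
  h.clickLink("https://site-b.example/");
  for (let n = 1; n <= 3; n++) h.pushState(`https://site-b.example/#dummy${n}`);
  return useNewBack ? h.back() : h.backLegacy();
}
```

With the old behaviour a single press lands on another of site B's dummy entries; with the new behaviour it returns to site A, while entries a page adds after the user has interacted with it remain reachable.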
That means clingy web sites will fail miserably as they try to gum up your back button. Google has also pledged to collect metrics on inappropriate history manipulation entries. Wouldn’t it be great if it used those to penalize nuisance sites in its mysterious search ranking algorithm?
Published with permission from NakedSecurity by Sophos