
Google Chrome wants to stop back-button hijacking


Have you ever been to a website where the back button just doesn’t work? In these instances, you press “back” to go back but instead you just end up at the same page where you started. A new commit on the Chromium source (first spotted by 9to5Google) outlines a plan to stop weird website schemes like this, with a lockdown on “history manipulation” by websites. The commit reads: “Entries that are added to the back/forward list without the user’s intention are marked to be skipped on subsequent back button invocations.”

The back button moves backward through your Web history, and, along with the close button, it’s one of the most common ways of leaving a website. This is very bad if you’re a shady website designer, and sites have tried to mess with the back button by adding extra entries to your Web history. It’s not hard to do this with a redirect—imagine loading example1.com from a search result, which instantly redirects you to example2.com. Both pages would get stored in your history, so pressing “back” from example2.com would send you to example1.com, which would redirect you again and add more troublesome history entries. This doesn’t make it impossible to leave (quickly hitting the back button twice might work), but it does make it harder to leave, which is the end goal.

To stop this kind of history manipulation, bad history entries will soon get a “skippable” flag, which means the back button will ignore them when it navigates through the history order. One commit says Google still needs to come up with some kind of “pruning logic” to declare a website as skippable, but that could probably be done with something like a timestamp. You spent zero seconds on that redirect page, so that’s probably not a good history entry.
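The effect of a "skippable" flag on the example1.com/example2.com redirect described above can be shown with a small model of a tab's back/forward list. This is an added example, not code from the Chromium commit: the `SessionHistory` class, the `userInitiated` parameter, the rule "flag the entry a page leaves without a user gesture" and the `search.example` URL are all assumptions made for illustration.

```javascript
// Simplified model of a tab's back/forward list (assumed, not Chromium code).
class SessionHistory {
  constructor() {
    this.entries = [];
    this.index = -1;
  }

  // userInitiated: true for a click or typed URL, false when the current
  // page navigated by itself (the redirect case from the article).
  navigate(url, { userInitiated }) {
    const current = this.entries[this.index];
    // Assumed heuristic: the entry being left without a user gesture is flagged.
    if (current && !userInitiated) current.skippable = true;
    this.entries.length = this.index + 1; // new navigation drops forward entries
    this.entries.push({ url, skippable: false });
    this.index = this.entries.length - 1;
  }

  // Back button without the flag: always lands on the previous entry.
  backNaive() {
    if (this.index > 0) this.index -= 1;
    return this.entries[this.index]?.url;
  }

  // Back button with the flag: walk past skippable entries. If every earlier
  // entry is flagged, stay on the current page.
  back() {
    let i = this.index - 1;
    while (i >= 0 && this.entries[i].skippable) i -= 1;
    if (i >= 0) this.index = i;
    return this.entries[this.index]?.url;
  }
}

// Constructed scenario: search result -> example1.com -> instant redirect.
function trappedVisit() {
  const h = new SessionHistory();
  h.navigate('https://search.example/results', { userInitiated: true });
  h.navigate('https://example1.com/', { userInitiated: true });
  h.navigate('https://example2.com/', { userInitiated: false });
  return h;
}

function demo() {
  return { naive: trappedVisit().backNaive(), fixed: trappedVisit().back() };
}

console.log(demo());
```

Without the flag, "back" from example2.com lands on example1.com, which would redirect again; with it, "back" returns to the search results.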

This feature has been tossed around as a Chromium bug report for two years, but, with commits actively happening now, we might see it pop up in a nightly Chrome Canary release soon.


Tech – Ars Technica
