Comment

Comment on Websites that hijack your back button must stop by June 15 or face Google's wrath

If you develop some feature (or bug!) of course some people will find a decent way to use it. That doesn’t mean the feature should be there on first place, specially when the possibility of abuse is so obvious. Plus if the pressure behind this anti-feature was “only” single page applications, and nothing else, I bet it would be implemented in a different way.

Also, look at the big picture. In isolation, one could argue giving pages access to your browsing history was a necessary albeit poorly thought feature; but when you look at other stuff browsers nowadays are supposed to do, you notice a pattern:

Browsers giving more info to the page about your system than just “I’m a browser, I can browse pages”: the browser software, its version, the operating system, the fonts you have installed, your screen dimensions…
Letting pages decide the behaviour of mouse clicks. And if the window is focused or not.
The ability to show pop-up messages.
etc.

Are you noticing the pattern? Those “features” are somewhat useful, with obvious room for abuse, and that abuse is usually from people who want your money.

Worse: all of them crammed into what was supposed to be a system to show you content, but eventually got bloated into a development platform, transforming browsers into those bloody abominations of nowadays, with a huge barrier of entry, dominated by a single vendor (and where the vassal of said vendor got ~3% market share). I’d say that not having a monopoly is more important than all those features together.

source

Sort:hotnew top

pivot_root@lemmy.world ⁨5⁩ ⁨hours⁩ ago
I think you are misunderstanding what is possible with the history API.

Pages can’t read your navigation history.
Pages can’t manipulate history prior to their loading.

The original history API is a careless mistake. It can:

Tell the browser to navigate forward n entries.

Tell the browser to navigate backward n entries.

See the length of the history stack.

Seeing the length is a privacy problem. Allowing arbitrary forward navigation is a usability problem that’s ripe for abuse. Allowing back navigation to be more than a single page is a usability problem.

The newer pushState and replaceState APIs are fine. As their names imply, they push a new URL or replace the current URL in the navigation stack. The URLs are also subject to same-origin constraints, so you can’t just replace the current page with an entirely different domain.

Using a replaceState followed by pushState to insert a dummy marker that runs history.go(1) when the popState event is fired allows pages to prevent users from navigating away from the website. That’s shitty and abusive, yes.

Do you know what else can do that, though?

if (window.location.hash != "no_redirect") setTimeout(() => { window.location.hash = "no_redirect"; }, 1000)

Or

<?php if ($_GET["no_redirect"] != "1") echo '<meta http-equiv="refresh" content="1; url=?no_redirect=1 />'; ?>

Back button hijacking is an infuriating problem, but it’s not a new one exclusive to SPAs. This fuckery has existed for a long time.
source