Naked Security

Chrome plans to save you from sites that mess with your back button

Has your back button ever mysteriously stopped working?

If you’ve ever found the back button on your Chrome browser not working, Google will soon have a fix for you. Or more accurately, the developers behind the Chromium open source browser that underpins Chrome will soon have a fix for you.

Your Chrome back button sometimes fails because of sneaky behaviour by nuisance websites. These sites are the Roach Motels of the web: you can check in, but you can’t check out. Once you stumble into their dark corner of the internet and try to leave, they hijack your browser’s back button, blocking the exit.

They achieve their nefarious goals in two ways: using redirects or history manipulation.

Redirects are simple: on the way in you’re bounced through a redirect you don’t notice, and it sits in your browser history between the page you started on and the page you’re on now. When you hit the back button, your browser goes back one URL in its history, which loads the redirect, which bounces you forwards again.

History manipulation is sneakier. It sounds fun, like playing heavy metal for fifties high school kids in Back to the Future. Or going back to 1990 and putting all your money into Cisco shares (you’d be worth over $1.3m today on a $1000 initial investment). But no, nuisance websites ruin everything, including history.

Here’s how it works. Your browser keeps a stack of records showing which pages you’ve visited in the current window’s session. When you press the back button on your browser, it goes to the previous page in that stack.

HTML5 allows a nuisance web page to hijack that process by adding entries to the session history using the pushState command. It can pile these dummy entries pointing to itself on top of the stack. The result? You either click madly on the back button to get back through the stack faster than the site can update it, or you just give up and close the window. Either way, it’s frustrating.

Participants in the Web Incubator Community Chapter (WICG) first identified this in 2016. WICG is a forum for discussing how to improve the web experience for users. In November, Chromium’s developers took up the mantle and pledged to fix the problem.

There’s a feature in the works that will stop pages from redirecting users or messing with the stack used for the back/forward button UI after the page has loaded, unless the user explicitly gives permission with a “user gesture”. According to this announcement:

The new behavior of the browser’s back button will be to skip over pages that added history entries or redirected the user without ever getting a user gesture.

Previously, if you were on site A and clicked a link to go to nuisance site B, site B could automatically use pushState to add itself to your history and keep doing it, meaning you’d never get back to site A. Now, if the user didn’t click on something to request it, the browser will ignore the entry. As soon as the user clicks the back button, they can return to site A.
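A simplified model of the skip behaviour described above, added here as an illustration. It is not Chromium's code; the class, its method names and the example URLs are constructed for this example.

```javascript
// Simplified model of one tab's session history (constructed for illustration).
class SessionHistory {
  constructor(startUrl) {
    this.entries = [{ url: startUrl, skippable: false }];
    this.index = 0;
    this.gestureSeen = false; // has the current document had a user gesture?
  }
  get current() { return this.entries[this.index].url; }
  userGesture() { this.gestureSeen = true; } // a click or key press in the page
  // Shared by pushState and navigations: drop forward entries, then append.
  _add(url) {
    // A page that adds an entry without ever getting a gesture is marked.
    if (!this.gestureSeen) this.entries[this.index].skippable = true;
    this.entries = this.entries.slice(0, this.index + 1);
    this.entries.push({ url, skippable: false });
    this.index += 1;
  }
  pushState(url) { this._add(url); } // same document, gesture flag kept
  navigate(url) { this._add(url); this.gestureSeen = false; } // new document
  // Old behaviour: always step back exactly one entry.
  backLegacy() {
    if (this.index > 0) this.index -= 1;
    return this.current;
  }
  // New behaviour: step back past entries marked skippable.
  back() {
    let i = this.index - 1;
    while (i > 0 && this.entries[i].skippable) i -= 1;
    if (i >= 0) this.index = i;
    return this.current;
  }
}

// Site A -> (user clicks a link) -> site B, which pushes three entries itself.
function trapScenario(useIntervention) {
  const h = new SessionHistory("https://site-a.example/");
  h.userGesture();
  h.navigate("https://site-b.example/");
  for (let n = 1; n <= 3; n++) h.pushState(`https://site-b.example/#${n}`);
  return useIntervention ? h.back() : h.backLegacy();
}
// Webmail: the user clicks an email, so the pushed entry is gesture-backed.
function webmailScenario() {
  const h = new SessionHistory("https://site-a.example/");
  h.userGesture();
  h.navigate("https://mail.example/inbox");
  h.userGesture();
  h.pushState("https://mail.example/inbox#msg-42");
  return h.back();
}
console.log(trapScenario(false), trapScenario(true), webmailScenario());
```

With the old behaviour the back button lands on another of site B's dummy entries; with the skip rule it returns to site A, while the gesture-backed webmail entry still takes the user back to the inbox.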

That means clingy web sites will fail miserably as they try to gum up your back button. Google has also pledged to collect metrics on inappropriate history manipulation entries. Wouldn’t it be great if it used those to penalise nuisance sites in its mysterious search ranking algorithm?

16 Comments

I’m evidently visiting the wrong “wrong” websites; I didn’t realize this is still a problem.

My habit since the days where META-REFRESH was a common way to inflict the same frustrating behavior:
When alt-LeftArrow fails I just click and hold the back button, choosing the page I wish to revert.

Yup, works with Firefox. What gets me is the logic here. You visit a site peddling some crap, you decide you’re not interested in that particular bit of crap and decide to leave, and the crap peddlers think the way to get your $$$ is to win your trust (and credit card #) by BLOCKING YOU FROM LEAVING. The MORON SCUMBAG combo pack!

Why the hell do Websites have Access to any of these browser functions? Why does a site have access to my history?
This is craziness. The answer is more likely that money makes the world spin and these APIs are needed for tech to sell you more shit you don’t need.
Websites should be sandboxed, period.

I think the primary use case is to make your browser behave sensibly in an Ajax environment. Ajax allows for parts of a page to be updated without refreshing the entire page. It’s an essential technology for turning websites into interactive apps.

Imagine you log in to your web mail and spend 30 minutes doing stuff. You see your inbox, reorder the things in it, open a few emails, reply to some, forward others, delete others etc. You might do all of that in a single page (which means your history isn’t updated).

Imagine that at some point in your web mail session you find yourself looking at your inbox. You click on an email to open it. Then you decide you don’t want to read that email after all and want to return to your inbox. All of that happens without the page ever reloading but it _feels_ like the page is reloading. What do you think users will expect if they hit the back button? Will they expect to return to the last thing that felt like a page change – looking at the inbox – or will they expect to be taken to the last website they looked at 30 minutes ago?

Most won’t understand the difference and will simply expect the back button to take them back to the last page-like thing they saw – in this case the inbox. If, instead, they suddenly find themselves staring at the website they were looking at 30 minutes ago they will be confused and think something has gone badly wrong.

Developers can make the app behave the way users expect by adding fragment IDs to the browsing history.

Where features have been routinely abused for bad purposes with no upside (such as battery life status) Chrome and Firefox have shown themselves to be more than happy to remove the features or neuter them. In this case there is a useful purpose that most people are unaware of, as well as abuse.

If the browser makers solved this problem by removing the ability to edit the history entirely it would do more harm than good.

Mark, Danny, I don’t know if you guys still visit this page but others are – so I have a question about Shimani Shervana’s open source intervention on Chrome. He based his “software repair” on whether the user gives permission & called that process a “User Gesture”.

Can one of you please explain what a “User Gesture” is, lest we “grant” one by mistake?

Completely agree. And it’s not only nefarious sites. My health care provider’s site won’t let my browser (I repeat, MY browser) remember my login info. WHY does the browser let sites have that control over the preferences of the entity who should be the browser’s client, the USER?

Very good answer Mark! I didn’t realize that history manipulation was a part of my Gmail experience but now I do, thanks.

I encounter this with some frequency running Firefox. Any cure for that browser? Hitting backspace rapidly works sometimes, but not always. Agree with Quin, WHY do sites have so much power over “my” browser? Similar issue with the recent FF add-ons fiasco. WHY is it EVEN POSSIBLE for FF to remotely “turn off” ANY ASPECT of “MY” browser, due to some “paperwork issue” I could not care less about? It’s clear; the user is merely a chicken in a coop to these parasites, who see themselves as the farmer.

In Firefox (and indeed most browsers), you can click-and-hold the back button to see the full history. You can also simply right-click on the back button.

They disabled addons due to an expired certificate; without it the browser cannot verify authenticity, which can lead to all sorts of trouble.

When I click a link, I almost always right-click and say “open in new tab”. That way the original page is still there and if I don’t like what I’ve just clicked on, I simply close that tab. Problem solved!

Absolutely stupid.

They need to make it so that when a site tries this crap it blocks you from going to it at all. An automatic permanent block for all users.

That’s how you fix the people screwing everyone over.

Hi Robert.
You’re describing precisely how I felt when I first read the article. But check out Mark’s explanation for why allowing for some grey area makes sense.

The only reason why sites use this is because it works. The person enters the sales page and does not buy, but then you use the back redirect and take it to a page with a 5% discount and they buy. Simple like that.
