Discussion
Introducing a new spam policy for "back button hijacking"
musicale: The iron law of web encrapification: every web feature will (if possible) be employed to abuse the user, usually to push advertising.
al_borland: Some Microsoft sites have been very guilty of this. They are the ones that stick in my head in recent memory.
lamasery: IIRC the Azure “portal” does this. Also likes to not record things as navigation events that really feel like they should be. Hitting back on that thing is like hitting the back button on Android, it’s the “I feel lucky” button. Anything could happen.
tgsovlerkhgsel: Now do paywalls next.
synack: Are they considering all uses of window.history.pushState to be hijacking? If so, why not remove that function from Chrome?
542458: Are they? This seems about deceptive or malicious content (i.e., redirecting to ads) rather than “something in my history triggers a JS redirect”. I’ve definitely experienced the latter with MS, but never the former.
chongli: It really comes down to JavaScript. The web was fine when sites were static HTML, images, and forms with server-side rendering (allowing for forums and blogs).
sixothree: Epic store makes it impossible to navigate backwards from the checkout on mobile at least. Not sure if it's design or just poor design.
bschwindHN: Cool, now maybe let's do something about all the shit I have to clear out out my face before I can read a simple web page. For example, on this very article I had to click "No thanks" for cookies and then "No thanks" for a survey or something. And then there was an ad at the top for some app that I also closed.It's like walking into some room and having to swat away a bunch of cobwebs before doing whatever it is you want to do (read some text, basically).
endgame: I cannot even reliably press [Space] any more to page down through sites that are meant to be all about content!
surround: It seems like Google's policy is unconcerned with the intent of the practice. If a website JS redirect ruins the user experience by breaking the back button, it will be demoted in search results. It doesn't matter whether or not the redirect was meant to be deceptive or malicious, websites shouldn't be ruining the user experience.
pwg: With uBlockOrigin set to default deny all the javascript on the page there are:zero cookie bannerszero surveys popping upzero ads to be closedJust the text of the page with no other distractions in the way.
AuthAuth: It wasnt "fine".
charcircuit: Google should actually fix this from the browser side instead of trying to seriously punish potentially buggy sites.
tgsovlerkhgsel: Because clicking on a navigation button in a web app is a good reason to window.history.pushState a state that will return the user to the place where they were when they clicked the button.Clicking the dismiss button on the cookie banner is not a reason to push a state that will show the user a screen full of ads when they try to leave. (Mentioning the cookie banner because AFAIK Chrome requires a "user gesture" before pushState works normally, https://groups.google.com/a/chromium.org/g/blink-dev/c/T8d4_...)
internet101010: Don't forget the useless "Got it!" popups, especially when the site blurs the screen to guide you to it.
omcnoe: No, only if your website abuses window.history.pushState to redirect the user to spam/ad content is it considered abuse.
twism: Reddit! I'm looking at you?
CableNinja: Frustrating it took this long for something to be done about this, but glad its now got something being done.
throwaway81523: > When a user clicks the "back" button in the browser, they have a clear expectation: they want to return to the previous page. Back button hijacking breaks this fundamental expectation.It seems pretty stupid. Instead of expanding the SEO policy bureaucracy to address a situation where a spammer hijacks the back button, the browser should have been designed in the first place to never allow that hijacking to happen. Second best approach is modify it now. While they're at it, they should also make it impossible to hijack the mode one.... oh yes, Google itself does that.
mlmonkey: But the question is: why are sites allowed to hijack the Back Button?!?
SuperNinKenDo: Happened to me yesterday through a link off here. I was already expecting it given the domain, but usually mashing back fast enough does the trick eventually. Not this time. Had to kill the tab.
93po: ublock origin with annoyance filters on solves 95% of this
pottertheotter: Did you use the web back in 1995? It was fun, but it also sucked compared to what we have now. Nothing is ever perfect, but I wouldn’t want to go back.
ryandrake: I’d go back in a heartbeat. Making the web a software SDK was the worst thing to happen to it.
collabs: You talk about 1995 but I wouldn't even go back to 1999. Dialup was so painful. It advertised 56 know but in practice I never even say 48...
not_your_vase: Haha, we had a solution for that, called pop-up blockers. Then when they became very usable, everyone switched to overlays injected with javascript, so they became unblockable.But thinking of this at this moment, this could be a good use for a locally ran LLM, to get rid of all this crap dynamically. I wonder why Firefox didn't use this as a usecase when they bolted AI on top of Firefox. Maybe it is time for me to check what api FF has for this
atoav: [delayed]
yjftsjthsd-h: That seems like a separate thing. You can send 199x-era HTML over a gigabit connection.
domenicd: We tried a few times. We got as far as gating the ability to push into the "real history stack" [1] behind a user activation (e.g. click). But, it's easy to get the user to click somewhere: just throw up a cookie banner or an "expand to see full article" or similar.We weren't really able to figure out any technical solution beyond this. It would rely on some sort of classification of clicks as leading to "real" same-document navigations or not.This can be done reasonably well as long as you're in a cooperative relationship with the website. For example, if you're trying to classify whether a click should emit single-page navigation performance entries for web performance measurement. (See [2].) In such a case, if the browser can get to (say) 99% accuracy by default with good heuristics and provide site owners with guidance on how to annotate or tweak their code for the remaining 1%, you're in good shape.But if you're in an adversarial relationship with the website, i.e. it's some malicious spammer trying to hijack the back button, then the malicious site will just always go down the 1% path that slips through the browser's heuristics. And you can try playing whack-a-mole with certain code patterns, but it just never ends, and isn't a great use of engineering resources, and is likely to start degrading the experience of well-behaved sites by accident.So, policy-based solutions make sense to me here.[1]: "real history stack": by this I mean the user-visible one that is traversed by the browser's back button UI. This is distinct from the programmer-visible one in `navigation.entries()`, traversed by `navigation.back()` or `history.back()`. The browser's back button is explicitly allowed to skip over programmer-visible entries. https://html.spec.whatwg.org/multipage/speculative-loading.h...[2]: https://developer.chrome.com/docs/web-platform/soft-navigati...
josephcsible: What does this have to do with sites being buggy? This change is about obvious intentional abuse.
josephcsible: So that in single-page applications, it can work intuitively instead of always taking you all the way out of the app.
Terr_: I'm waiting for someone to develop an augmented-reality system that detects branded ads or products, compares them against a corporate-ownership database, applies policies chosen by the user, and then adds warning-stripes or censor-bars over things the user has selected against.It would finally put some teeth behind the myth of the informed consumer, and there would be gloriously absurd court-battles from corporations. ("If they don't like what we're doing they can vote with their wallets... NOT LIKE THAT!")
filcuk: Because it has a legitimate use. As anything, the tools will be abused by malicious actors
SuperNinKenDo: Honestly if your site is buggy in a way that effectively breaks the browser, maybe you should be punished.
spankalee: What about all the very legitimate uses of programmatically adding history entries?
carlosjobim: Your problems have been solved for more than a decade. Set your browser to open pages in reader view by default and you don't have these issues.You are a decade behind in your life. Why didn't you look for a solution to your problems, does it feel better to complain?
kiddico: I've always found that behavior baffling so it's interesting to hear someone using it as intended instead of being frustrated by it.
Tepix: In most browsers you can hold the back button for a second and it will let you skip back more than one step.
not2b: If the navigation simulates what would happen if we follow links to SPA#pos1, SPA#pos2, etc so that if I do two clicks within the SPA, and then hit Back three times I'm back to whatever link I followed to get to the SPA, I guess it's OK and follows user expectations. But if it is used as an excuse to trap the user in the SPA unless they kill the tab, not OK.
rc_kas: I feel like facebook is the worst culprit with this
transcriptase: >We believe that the user experience comes firstI’ll believe that when YouTube gives me the ability to block certain channels versus “not interested” and “don’t recommend channel” buttons that do absolutely nothing close to what I want.Or a thousand other things, but that one in particular has been top of mind recently.
itopaloglu83: Scroll on Reddit on mobile and click on a link. The comments open in a new tab. Close the tab and the previous tab is also at the link you’ve just closed.Makes it impossible to browse around and long click to open on a new tab doesn’t solve the issue either.
wmf: You're not wrong but we've never really tried the combination of modern CSS with no JS. It could produce elegant designs that load really fast... or ad-filled slop but declarative.
ladberg: How would you recommend that creators of valuable content get paid?
renewiltord: Ideally, when I create valuable content I am paid and when I consume valuable content I don't pay. Advertising does this but I hate it so I don't want that. So ideally, there is no way to extract value from me but I am able to extract value from others. I think I would support someone who finds a way to enforce this.But I am also willing to pay for valuable content an exorbitant amount if it is valuable enough. For instance, for absolutely critical information I might pay 0.79€ a month.
andreareina: > Notably, some instances of back button hijacking may originate from the site's ... advertising platformI feel like anything loaded from a third party domain shouldn't be allowed to fiddle with the history stack.
jack1243star: Please explain the legitimate uses. Not once I have ever encountered a website that does something useful by modifying the behavior of my browsing history.
arjie: Gemini websites are pretty much the old web: https://en.wikipedia.org/wiki/Gemini_(protocol)Both in terms of comprehensiveness and in terms of functionality.
incognito124: Now, if they only declared scroll hijacking as spam...
Kab1r: And some websites consume the entire history that a browser displays in that menu
themafia: > Did you use the web back in 1995?I'm still not over the loss of Gopher.
dataflow: > It seems like Google's policy is unconcerned with the intent of the practice.I'm reading the opposite: "If you're currently using any script or technique that inserts or replaces deceptive or manipulative pages into a user's browser history that [...]"
mock-possum: Of course, but programmatically, how do you enforce that?
bonesss: I published my first website in 1995 (and while it wasn’t even a little popular, eventually a spammy gay porn site popped up with the exact same joke name, leading to a pretty odd early “what if you search for your own site” experience).If you put 2026 media players (with modern bandwidth), on the manually curated small-editorial web of ‘95 it’d be amazing.We used to have desktop apps, these SPA JS monstrosities are the result of MS missing the web then MS missing mobile. Instead of a desktop monopoly where ActiveX could pop up (providing better app experiences in many cases than one would think), we have cross-platform electron monstrosities and fat react apps that suck, are slow, and omfgbbq do they break. And suck. And eat up resources. Copy and paste breaks, scrolling breaks, nav gets hijacked, dark mode overridden.Netflix, Spotify, MS have apps I see breaking on the regular on prime mainstream hardware. My modern gaming windows laptop, extra juicy GPU for all the LLM and local kubernetes admin, chokes on windows rendering. Windows isn’t just regressing, their entire stack is actively rotting, and all behind fancy web buttons.Old man yelling at cloud, but: geeeez boys, I want to go back.
bot403: I recommend 14 days in jail for the site owner, and, if egregarious, the engineer as well.Not life ruining but just enough to be annoying. Just like their website.
dnnddidiej: Easy fix:JS doesn't let you change back button behaviour.Q. But what about SPA?A. Draw your own app-level back button top left of page.Another solution: make it a permisson.
turtleyacht: One more for the spacebar to advance the page. Have never encountered a broken site (so far). Fingers crossed.
psidium: Ironically, we have an infringing website right now on the front-page of HN (nypost).
themafia: The back button itself feels overloaded. There's "go to previous state" and then there's "go to previous origin." In an ideal world when I doubleclick on the back button what I mean is: "get me off of this site, now."
bot403: Or if they ever bring back the "ignore this domain" feature so we can ignore ai slop and copycat sites.It's why I went to Kagi.
JoshTriplett: Some browser APIs (such as playing video) are locked behind a user interaction. Do the same for the history API: make it so you can't add any items to history until the user clicks a link, and then you can only add one.That's not perfect, and it could still be abused, but it might prevent the most common abuses.EDIT: apparently Chrome tried that and it wasn't sufficient: https://news.ycombinator.com/item?id=47761349
hysan: Took long enough. Maybe I missed it, but I didn’t see them say how invested they are in tackling this. Promoting a rule is one thing, but everything SEO related becomes a cat and mouse game. I don’t have high confidence that this will work.
PhageGenerator: I think that is because some "pages" are really full screen modals. So the back button does take you back to the previous page, but it looks like you went back two pages (closes modal + goes back). I don't spend too much time in the Azure portal but this behavior is rampant in the Entra admin center.
PeterStuer: Let me permanently hide "shorts".
venussnatch: Any single page application, such as YouTube, Gmail, or discord.It lets persistent content (videos) or connections (chat) persist while emulating a pagenated browsing experience.When it's done right you don't notice it at all.
thoroughly review their technical implementation
sublinear: > Notably, some instances of back button hijacking may originate from the site's included libraries or advertising platform. We encourage site owners to thoroughly review their technical implementation...Hah. In my time working with marketing teams this is highly unlikely to happen. They're allergic to code.What they will probably do is change that vanity URL showing up on the SERP to point to a landing page that meets the requirements.In other words, the user must click twice now to find the page with the back button hijacking.This just sounds even more frustrating for the user to me. Contrary to popular belief, the user will put up with a lot of additional friction if they think they're going somewhere good. This is just an extra click. Most users probably won't even notice the change.
