Fix on the way for Google Chrome flaw allowing malicious websites to break back button

Google Chrome users have complained for years about how the browser handles history, allowing malicious websites to inhibit back button usage.

After nearly three years of user complaints, Google is finally fixing a small flaw in its Chrome browser that allows somewhat malicious websites to make it hard or impossible to return to a previous page using the back button.

Google identified the annoying issue in 2016, but fixing it has been very difficult.

"Typically, the History gets stuffed with multiple dummy entries that fast-forward the user back to the page they wanted to leave. Getting back to the desired history entry is extremely hard because of the instant fast-forwarding nature of the dummy history entries, the user can't wait for a visual confirmation to know when to stop hitting the back button," a member of the Chrome team wrote on GitHub in June 2016.

"As a result, the user either overshoots or undershoots their destination, resulting in guaranteed frustration. On the Chrome team, we believe that this could be fixed by changing the rules for how an entry gets added to the back/forward history. In particular, we think that entries that didn't have any user gesture should not be allowed."

Google said some websites use redirects or manipulate a user's browser history to make it nearly impossible for the user to get back to the original page.

"The new behavior of the browser's back button will be to skip over pages that added history entries or redirected the user without ever getting a user gesture. Note that the intervention only impacts the browser back/forward button UI and not the history.back/forward APIs," Chrome software engineer Shivani Sharma wrote in a PSA on Tuesday.

"Developers should be aware that if they want the browser's back button to land on a page that redirected after loading, then that page should have had a user gesture before redirecting. Developers should also be aware that if a history entry is added but there is no user gesture by the time the user hits back, the page adding the history entry will be skipped and the popstate event will not fire."

Sharma explained that Chrome's back button will now basically skip any page that redirects users without a user gesture. So if a user was on a.com and clicked on b.com, only to be redirected to c.com, the back button would skip b.com entirely and take the user straight back from c.com to a.com.
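The skip rule from the PSA can be written down as a small model, added here for illustration; it is not Chrome's implementation. The field names `addedOrRedirected` and `userGesture`, the function names and the `.example` URLs (standing in for a.com, b.com and c.com) are assumptions of this sketch.

```javascript
// Simplified model of the back-button rule described above; not Chrome's code.
// Field names are assumptions of this sketch:
//   addedOrRedirected: the page pushed a history entry or redirected by itself
//   userGesture: the page received a click/tap/key press before doing so
const skippable = (e) => e.addedOrRedirected && !e.userGesture;

// Browser back *button*: walk backwards past skippable entries.
// Returns the index landed on, or -1 if the model finds no entry to land on.
function backButtonTarget(entries, current) {
  for (let i = current - 1; i >= 0; i--) {
    if (!skippable(entries[i])) return i;
  }
  return -1;
}

// history.back() called from script: the intervention does not apply.
function historyBackTarget(entries, current) {
  return current > 0 ? current - 1 : -1;
}

const entry = (url, addedOrRedirected, userGesture) =>
  ({ url, addedOrRedirected, userGesture });

// Constructed sessions. 1: a -> click -> b, which redirects to c untouched.
const redirectChain = [
  entry("https://a.example/", false, true),
  entry("https://b.example/", true, false),
  entry("https://c.example/", false, false),
];
// 2: same chain, but the user interacted with b before it redirected.
const redirectAfterGesture = [
  entry("https://a.example/", false, true),
  entry("https://b.example/", true, true),
  entry("https://c.example/", false, false),
];
// 3: a page stuffs dummy entries without any gesture.
const stuffed = [
  entry("https://a.example/", false, true),
  entry("https://trap.example/", true, false),
  entry("https://trap.example/#1", true, false),
  entry("https://trap.example/#2", true, false),
];

for (const [name, s] of Object.entries({ redirectChain, redirectAfterGesture, stuffed })) {
  const last = s.length - 1;
  console.log(name, "button ->", backButtonTarget(s, last),
              "history.back() ->", historyBackTarget(s, last));
}
```

In the stuffed session the button lands on the page the user came from, while a script-initiated `history.back()` still moves a single entry, matching the PSA's note that only the back/forward button UI is affected.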

She added that the fix will work on Windows, Mac, Linux, Chrome OS, Android, and Android WebView. The issue and the fix Google came up with are explained in further detail on a website dedicated to bugs within Chrome.

By Jonathan Greig

Jonathan Greig is a freelance journalist based in New York City. He recently returned to the United States after reporting from South Africa, Jordan, and Cambodia since 2013.