How do some websites prevent you from using the ‘back’ button to leave the page?


Often when I’m googling something I’ll go to a few pages, so I’ll click a link, and then use the back button to return to the search results and find another link. But sometimes the back button just reloads the page, and even tapping it multiple times doesn’t work. How and why do some websites do this? Surely it should be my browser that’s controlling if it goes back or not, rather than the website it’s on?


The website can use a “filler” (not sure if there’s a term for it) page in between pages that automatically forwards to another page. Instead of going from Page A to B (the desired page), it goes from A to C (“filler” page), which executes a script to automatically redirect you to B. So when you try to back out from B, you hit C instead, which pushes you back to B.

Usually, if you hold down on the back button, it’ll bring up a list of previous pages in the sequence they were visited. You can usually see the redirect page in that list.

The common way used by sketchy websites is by using a bunch of redirects.

The page sits at the end of a super long chain of web pages, all of which just push you one down the chain. The back button only takes you back one page, so even if you click it a few times you’ll still end up on the page you want to leave because you’re just backing out into the chain.

There’s a command in HTML called `refresh` which allows a webdev to write a page in such a way that your browser reloads the page every 30 seconds, or every minute, or whatever amount of time they choose.

Here’s an example snippet of code which would just refresh the page every 30 seconds:

```html
<meta http-equiv="refresh" content="30">
```

The refresh command can *also* be used to re*direct* your browser to another address.

Here’s an example snippet of refresh code, which would redirect your browser to after 3 seconds.

```html
<meta http-equiv="Refresh" content="3; url=''" />
```

Naughty webdevs will basically use the refresh feature to redirect a page ***to itself***. Unlike the basic refresh, this causes the page to occupy the last two spots in your browsing history rather than only the current one. So when you hit the “back” button, it just goes back to the same page.

It’s a little more complicated than that, but that’s the gist of it.

There are two or three methods. Most of them have been cracked down on by browser developers, but some are still possible:

1. Quick redirect – You go to page A, which quickly redirects you to page B. If you go back, you end up on page A, which in turn quickly sends you to page B. Quickly tapping back twice (or right-clicking and choosing the one you want to go back to) can defeat this.
2. Using JavaScript – there’s a browser API that allows your actions on a page to change the history without reloading the page. That’s how some “webapps” can work. But a malicious website can push a lot of “state” onto the history. This one is harder to defeat and usually you need to close the tab.
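
Both tricks in the answer above add history entries without the user doing anything. As an added example that is not part of the original thread, this toy JavaScript model contrasts a plain back button with one that steps over such entries, which is one way a browser can defeat both; the `TabHistory` class, the URLs and the trace are constructed for illustration, and the model assumes there are no redirect cycles.

```javascript
// Toy model of one tab's session history (an illustration, not a browser API).
// An entry is marked skippable when its page adds another entry without any
// user gesture, which is what redirect pages and scripted history pushes do.
class TabHistory {
  constructor(startUrl, autoRedirects = {}) {
    this.entries = [{ url: startUrl, skippable: false }];
    this.index = 0;
    this.autoRedirects = autoRedirects; // url -> url it forwards to on load
  }
  get current() { return this.entries[this.index].url; }

  // Navigation or scripted push: drop forward entries, append a new one.
  add(url, userGesture) {
    if (!userGesture) this.entries[this.index].skippable = true;
    this.entries = this.entries.slice(0, this.index + 1);
    this.entries.push({ url, skippable: false });
    this.index = this.entries.length - 1;
    this.settle();
  }
  // Re-run the landing page's automatic redirect, if it has one.
  settle() {
    const target = this.autoRedirects[this.current];
    if (target !== undefined) this.add(target, false);
  }
  // Plain back button: one step, then the page's redirect fires again.
  naiveBack() {
    if (this.index > 0) this.index -= 1;
    this.settle();
    return this.current;
  }
  // Back button that steps over entries created without a user gesture.
  skippingBack() {
    let i = this.index - 1;
    while (i > 0 && this.entries[i].skippable) i -= 1;
    if (i >= 0) this.index = i;
    this.settle();
    return this.current;
  }
}

// Constructed trace: search results -> redirect page -> article pushing 3 states.
function demo(backFn) {
  const h = new TabHistory("search", { hop: "article" });
  h.add("hop", true); // the only real click; "hop" forwards on its own
  for (let n = 1; n <= 3; n++) h.add(`article#${n}`, false); // no gesture
  const seen = [];
  for (let press = 0; press < 5; press++) seen.push(h[backFn]());
  return seen;
}
```

With the plain back button, five presses never get past the article; with the skipping one, the first press lands back on the search results.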

The link to their website is actually just a script that forwards you to the website. If you watch the URL you’ll see it change twice.

You click Back, but now you’re back on the script, which then forwards you to the website.