Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
synack 13 hours ago

Are they considering all uses of window.history.pushState to be hijacking? If so, why not remove that function from Chrome?

tgsovlerkhgsel 13 hours ago | parent | next [-]

Because clicking on a navigation button in a web app is a good reason to window.history.pushState a state that will return the user to the place where they were when they clicked the button.

Clicking the dismiss button on the cookie banner is not a reason to push a state that will show the user a screen full of ads when they try to leave. (Mentioning the cookie banner because AFAIK Chrome requires a "user gesture" before pushState works normally, https://groups.google.com/a/chromium.org/g/blink-dev/c/T8d4_...)

kro 12 hours ago | parent | prev | next [-]

It's a valid question how they detect it. As there are valid usages, just checking for the existence of the function call would not be correct.

These sites likely pushState on consent actions so it appears like any user interaction.

tgsovlerkhgsel 2 hours ago | parent [-]

No idea how they actually do it, but I wouldn't be surprised if manual reports and actions play a big role. The policy doesn't need to be enforced reliably as long as it is plausible for reasonably big actors to get caught sooner or later and the consequences of getting caught are business-ruining.

But detecting it on a technical level shouldn't be hard either. Visit the page, take a screenshot, have an AI identify the dismiss button on the cookie/newsletter popups, scroll a bit, click something that looks inactive, check if the URL changes, trigger the back action. Once a suspicious site is identified, put it in the queue for manual review.

omcnoe 13 hours ago | parent | prev [-]

No, only if your website abuses window.history.pushState to redirect the user to spam/ad content is it considered abuse.