Closed Bug 1515073 Opened 6 years ago Closed 4 years ago

Back/forward buttons should expose only pages with user-interaction

Categories

(Core :: DOM: Navigation, enhancement, P2)

Product:
Core
Component:
DOM: Navigation
Type:
enhancement

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla79
Project Flags:
Webcompat Priority ?
Tracking Flags:
Tracking Status
firefox79 --- fixed

People

(Reporter: baku, Assigned: johannh)

References

(Blocks 5 open bugs)

Details

(Keywords: site-compat)

Attachments

(5 files, 3 obsolete files)

Bug 1515073 - Part 1 - Add nsISHEntry::hasUserInteraction. r=peterv!
47 bytes, text/x-phabricator-request
Details | Review
Bug 1515073 - Part 2 - Allow nsIWebNavigation::{goBack,goForward} to skip entries without user interaction. r=peterv
47 bytes, text/x-phabricator-request
Details | Review
Bug 1515073 - Part 3 - Add support for skipping session entries without user interaction on desktop. r=Gijs!,JanH
47 bytes, text/x-phabricator-request
Details | Review
Bug 1515073 - Part 4 - Add test for skipping pages without user interaction on back-forward. r=Gijs
47 bytes, text/x-phabricator-request
Details | Review
Bug 1515073 - Part 5 - Disable browser.navigation.requireUserInteraction in tests. r=Gijs
47 bytes, text/x-phabricator-request
Details | Review
The intent of this bug is to block the history push state for sites that abuse it. We already know the user-interaction state per every documents (bug 1491835). We can use this information to skip pages which have not been user-interacted. This is similar to what Chromium is experimenting. See: https://www.slashgear.com/google-chrome-will-soon-say-no-changing-browser-history-17558484/
Component: Bookmarks & History → Document Navigation
Product: Firefox → Core
Blocks: eviltraps
Assignee: nobody → jhofmann
Status: NEW → ASSIGNED

It appears that someone made a site for us to test on: http://matthewrayfield.com/articles/animating-urls-with-javascript-and-emojis

See Also: → 1551529
Attachment #9065657 - Attachment is obsolete: true
Attachment #9065658 - Attachment is obsolete: true
Attachment #9058402 - Attachment description: Bug 1515073 - Part 2 - Allow nsIWebNavigation::{goBack,goForward} to skip entries without user interaction. r=bzbarsky,Gijs → Bug 1515073 - Part 2 - Allow nsIWebNavigation::{goBack,goForward} to skip entries without user interaction. r=bzbarsky
Attachment #9058403 - Attachment description: Bug 1515073 - Part 3 - Add support for skipping session entries without user interaction on desktop. r=Gijs,JanH → Bug 1515073 - Part 3 - Add support for skipping session entries without user interaction on desktop. r=Gijs!,JanH
Blocks: backtraps

This is waiting on bug 1591943 to avoid complicating Fission work. Once that's done, I'll try and drive this over the finish line.

Depends on: 1591943

(In reply to Johann Hofmann [:johannh] - Away until Dec 3rd from comment #16)

This is waiting on bug 1591943 to avoid complicating Fission work. Once that's done, I'll try and drive this over the finish line.

That is done now, FWIW.

Attachment #9058401 - Attachment description: Bug 1515073 - Part 1 - Add nsISHEntry::hasUserInteraction. r=bzbarsky → Bug 1515073 - Part 1 - Add nsISHEntry::hasUserInteraction. r=bzbarsky!,peterv!

I'm not certain we want to break extensions this way (nor am I certain we dont want to)...browser.history can add/remove history entries. Those will not be marked with the user interaction flag, so navigation on them will be skipped.

We should consider whether to somehow add the flag when an extension calls addUrl[1]

Pinging Philip for another opinion on this.

[1] https://searchfox.org/mozilla-central/rev/2f09184ec781a2667feec87499d4b81b32b6c48e/browser/components/extensions/parent/ext-history.js#148

Flags: needinfo?(philipp)

(In reply to Shane Caraveo (:mixedpuppy) from comment #18)

I'm not certain we want to break extensions this way (nor am I certain we dont want to)

sorry...I may be wrong about what I said in comment 18. The history api uses placesutils.history, I'm not certain that has anything to do with the history state of a tab. I'm going to do a bit more investigation on how extensions interact with this. If this change does effect extensions (probably in content scripts) I think we still need to make a decision on whether that is what we want

Also, the above is not meant to block these changes in any way, it's about whether we need to followup with a change for extensions.

(In reply to Shane Caraveo (:mixedpuppy) from comment #19)

(In reply to Shane Caraveo (:mixedpuppy) from comment #18)

I'm not certain we want to break extensions this way (nor am I certain we dont want to)

sorry...I may be wrong about what I said in comment 18. The history api uses placesutils.history, I'm not certain that has anything to do with the history state of a tab.

It doesn't, the browser history and session history are separate from each other. For example, in private browsing mode we have session history but we don't persist browser history.

I'm going to do a bit more investigation on how extensions interact with this. If this change does effect extensions (probably in content scripts) I think we still need to make a decision on whether that is what we want

I would expect extension content scripts to be able to push entries into the session history using the history.pushState API in the exact same way that web pages do. It would be interesting to scan existing extensions on AMO to see if we can find a legitimate use case for an extension to push a page that has never received user interaction onto the session history, and the user wanting to go back to that page; I can't imagine off the top of my head what such a use case might look like.

(In reply to :ehsan akhgari from comment #21)

I would expect extension content scripts to be able to push entries into the session history using the history.pushState API in the exact same way that web pages do. It would be interesting to scan existing extensions on AMO to see if we can find a legitimate use case for an extension to push a page that has never received user interaction onto the session history, and the user wanting to go back to that page; I can't imagine off the top of my head what such a use case might look like.

There was a XUL extension I used that put fake history into tabs from links opened via middle-click (open in new tab). It's basically what I wish my browser would would do by default.

Flags: needinfo?(philipp)
Blocks: 1636675
Attachment #9058401 - Attachment description: Bug 1515073 - Part 1 - Add nsISHEntry::hasUserInteraction. r=bzbarsky!,peterv! → Bug 1515073 - Part 1 - Add nsISHEntry::hasUserInteraction. r=peterv!
Attachment #9058402 - Attachment description: Bug 1515073 - Part 2 - Allow nsIWebNavigation::{goBack,goForward} to skip entries without user interaction. r=bzbarsky → Bug 1515073 - Part 2 - Allow nsIWebNavigation::{goBack,goForward} to skip entries without user interaction. r=peterv
Pushed by jhofmann@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/08b6902debe8 Part 1 - Add nsISHEntry::hasUserInteraction. r=peterv https://hg.mozilla.org/integration/autoland/rev/e91f0572aa8c Part 2 - Allow nsIWebNavigation::{goBack,goForward} to skip entries without user interaction. r=Gijs,peterv https://hg.mozilla.org/integration/autoland/rev/e08524b0a11c Part 3 - Add support for skipping session entries without user interaction on desktop. r=JanH,Gijs https://hg.mozilla.org/integration/autoland/rev/88104bd105a8 Part 4 - Add test for skipping pages without user interaction on back-forward. r=Gijs https://hg.mozilla.org/integration/autoland/rev/891bf9d395fd Part 5 - Disable browser.navigation.requireUserInteraction in tests. r=Gijs
Regressions: 1644564
Blocks: 1644595
Keywords: site-compat

Going through the webcompat issues...

https://webcompat.com/issues/39963 (NSFW) is fixed
https://webcompat.com/issues/50326 is fixed
https://webcompat.com/issues/47715 I can't reproduce anymore
https://webcompat.com/issues/41847 (NSFW) seems fixed at first glance, but when navigating back and forth a little the site seems to be able to add another sh entry somehow, but not in Chrome. I'll file a bug to investigate

Regressions: 1644914
Blocks: 1645211
Blocks: 1645315
Regressions: 1646414
Blocks: 1650345

That patch is in the wrong bug I think. It should be in bug 1657992 right?

Flags: needinfo?(rob)

Woops, thanks. Sorry for the noise here!

Flags: needinfo?(rob)
Regressions: 1666095
Depends on: 1756731
No longer depends on: 1756731

This looks fixed to me on the Latest Nightly build 132.0a1 across platforms (Windows 11, macOS 13 and Ubuntu 22.04) using the working links from webcompat.com which are linked to this bug.

Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: