Closed Bug 1914394 Opened 1 year ago Closed 1 year ago

Back button available for some websites that abuse the history state when are opened via target="_blank

Categories

(Web Compatibility :: Site Reports, defect)

Product:
Web Compatibility
Component:
Site Reports
Platform:
Desktop
All
Type:
defect

Tracking

(firefox131 wontfix, firefox135 fixed)

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox131 --- wontfix
firefox135 --- fixed

People

(Reporter: bmaris, Unassigned)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Gif showing the issue
2.58 MB, image/gif
Details
Attached image Gif showing the issue

Found in

  • Latest Nightly 131.0a1

Affected versions

  • Latest Nightly 131.0a1

Tested platforms

  • Affected platforms: Windows 11, macOS 13 and Ubuntu 22.04
  • Unaffected platforms:

Preconditions

  • Have browser.navigation.requireUserInteraction pref set to true

Steps to reproduce

  1. Open data:text/html,<a href="https://www.mlb.com/tv/g632367?affiliateId=SCORES" target="_blank">Open affected website</a> in the urlBar
  2. Click the Hyperlink
  3. Click the Back button

Expected result

  • The website is opened in a new tab and the back and next buttons are disabled.

Actual result

  • The mlb website is opened in a new tab but the back button is enabled. Clicking the button will act as if the UserInteraction pref will have the false value.

Regression range

  • Not a regression since this is reproducible in a very old build (Firefox 79) from when user-interaction was first implemented, bug 1515073.

Additional notes

  • I am not entirely sure if this is the correct expected result for this issue but I noticed that on Chrome the back/forward buttons are disabled.
  • Opening the mlb.com link on its own in a new tab and clicking on the back button will automatically take the user to the about:newtab page.

Looking at what Chrome does here is that they do get a disabled back button, but looking at history.length in the console we see that it's 2 and it's actually possible to do history.go(-1) from the console as well. This makes you go back to the page that redirects you to login.

We're actually more similar to Chrome than on first appearance, which makes me think that this isn't such a big problem. What do you think Hsin-Yi?

Flags: needinfo?(htsai)
Flags: needinfo?(htsai)
See Also: → 1636675

This works as expected after bug 1924861 landed. We disabled the back button for the first entry.

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED

Verified using latest Nightly Firefox 135.0a1 on Windows 10, macOS 12 and Ubuntu 22, works as expected.

status-firefox135: --- → fixed
Component: DOM: Navigation → Site Reports
Depends on: 1924861
Product: Core → Web Compatibility
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: