Evil JavaScript Trick: The History Nuker

Remember back in the bad old days of the internet, when pop-up ads and other annoyances were around every corner? Some sites, by some flawed logic, would decide that you didn’t really want to leave their website when you clicked the Back button and would attempt to disable it with JavaScript. The usual technique was to have the “unload” event handler fire a document.location change, bouncing you back to the same page you were trying to leave. This, of course, was easily defeated by hammering the Back button, as a quick double-press could override the JavaScript.

Fortunately the days when people thought that to be an acceptable practice are over.

While reading about JavaScript “hashbang” URLs, I had a thought. An evil thought. You could build a better Back button-disabling script by using the same technique used to enable the Back button in AJAX-heavy websites. (Take a look at Google Instant Search’s pagination, or Twitter, to see it in action.)

I thought, what if you looped around a large number of times, changing the URL fragment, until the back button became useless? Not only would it be a pain to click the Back button, say, 300 times, the browser starts to “forget” the previous pages after one or two hundred pages. (They stay in the history, but the Back button only remembers a few.)

So I made a quick proof-of-concept. I used setTimeout() instead of an ordinary for loop, so the browser doesn’t hang when you push a few hundred items onto the history stack, and window.location.hash to change the URL fragment.

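    var theURL = document.URL;

    // Counter for the fragments added so far, and the interval handle.
    var i = 0;
    var nukeBackButton = setInterval(addAFragment, 1);

    function addAFragment() {
        // Stop the timer once a few hundred entries have been added.
        if (i > 300) {
            clearInterval(nukeBackButton);
        }
        // Each new fragment adds an entry to the session history.
        window.location.hash = "#fragment" + i;
        i++;
    }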

You can see it in action here. It works rather well, though of course tabbed browsing easily circumvents it. (Thankfully.)

Note: I do not advocate the use of this script, and anybody who does use it is a fiendish menace to the internet. This is to be used purely for academic purposes.
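
From the defender's side, the flood described above has a distinctive signature: hundreds of fragment-only history entries added within a second, none of them from a user gesture. The following is an added example, not code from the original post; the trace format, thresholds and function names are assumptions, and backTarget is a simplified model of skipping script-added entries rather than any browser's actual algorithm.

```javascript
// Added example. Trace entries are constructed: { t: ms, url, userGesture }.
// WINDOW_MS and MAX_ENTRIES are assumed thresholds, chosen for illustration.
const WINDOW_MS = 1000;  // sliding window length
const MAX_ENTRIES = 10;  // script-made fragment entries tolerated per window

function stripFragment(url) {
  const i = url.indexOf('#');
  return i === -1 ? url : url.slice(0, i);
}

// True if more than MAX_ENTRIES fragment-only entries created without a
// user gesture fall inside any WINDOW_MS window.
function isHistoryFlood(entries) {
  const times = [];
  for (let k = 1; k < entries.length; k++) {
    const cur = entries[k];
    const sameDoc = stripFragment(entries[k - 1].url) === stripFragment(cur.url);
    if (!sameDoc || cur.userGesture) continue;
    times.push(cur.t);
    while (times[0] < cur.t - WINDOW_MS) times.shift();
    if (times.length > MAX_ENTRIES) return true;
  }
  return false;
}

// Index Back should land on from the last entry when entries that spawned
// a successor without a user gesture are skipped; -1 if there is none.
function backTarget(entries) {
  for (let k = entries.length - 2; k >= 0; k--) {
    if (entries[k + 1].userGesture) return k;
  }
  return -1;
}

// Constructed trace: search page, a click to the post, then 301 fragment
// entries added 1 ms apart by script, as in the proof-of-concept above.
function sampleFlood() {
  const trace = [
    { t: 0, url: 'https://search.example/?q=x', userGesture: true },
    { t: 5000, url: 'https://site.example/post', userGesture: true },
  ];
  for (let i = 0; i <= 300; i++) {
    trace.push({ t: 5001 + i, url: 'https://site.example/post#fragment' + i, userGesture: false });
  }
  return trace;
}

console.log(isHistoryFlood(sampleFlood()), backTarget(sampleFlood())); // true 0
```

With the script-added entries skipped, a single Back press from the last fragment lands on the search page (index 0) instead of one of the 301 fragment entries.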

  • http://dataanxiety.tumblr.com/ Ellie

    Worked like a charm, just as you said. An endless list of historynuke on Chrome browser’s back button. But it also showed a 301 redirect. Don’t remember where, and am not inclined to try it a second time to provide full details.

    Your blog is nice. AND you’re part of the 9rules network! I liked your comments on ReadWriteWeb about dislike buttons.