3

Situation:

I have a sensitive website about domestic violence with an EXIT button that directly links to Google. So that anyone visiting that website can quickly jump to Google if the visitor feels unsafe or uncomfortable.

I would love to be able to clear any references to this website from bot the history list and the back button functionality. Basically, remove any proof of visiting that website. Keep in mind that not all people know how to browse anonymous and some people just cannot even get out of the house to browse the internet. Yes, this scenario is for seriously bad situations.

I've tried using location.replace instead of regular links to keep them from being saved into the history, but they just keep being saved in the history.

I've also tried to use browser.history.deleteUrl({url:"https://thewebsite"}), but this gives error on browser being undefined.

Is this even possible from a website? Or are there other options? Thanks for thinking with me!

Jos
  • 1,387
  • 1
  • 13
  • 27
  • I think you meant to use [`history.deleteUrl`](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/History/deleteUrl), rather than `browser.deleteUrl` (`browser` isn't a default global in the web environment). Probably in combination with a [`history.search`](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/history/search) to find the URLs to remove. Note that not all browsers will have this, but there's a limit to what you can do, and most do. – T.J. Crowder Feb 02 '22 at 12:06
  • 1
    @T.J. Crowder I was just looking at that myself, and your link confirms my suspicion: they are looking at the Web Extensions API. Unfortunately, they are *not* in an extension; they are in a page on a *website*. (If they were in an extension, `browser` would be correct. Note that it needs to be `browser.history.deleteUrl`, not just `browser.deleteUrl`.) – Brian Drake Feb 02 '22 at 12:10
  • @BrianDrake - Ah, okay, what I get for searching quickly. I was fairly surprised a simple page could do that, even with URLs on the same origin... Thanks!! – T.J. Crowder Feb 02 '22 at 12:17
  • I must say that's a very moving use-case. Unfortunately I fear such a feature could be abused by less ethical websites. Is your website part of some governmental project or alike? Is there like a kind of an official network of websites in this field? One very-long-shot-completely-blinded idea would be to reach to the browsers directly and ask them if they'd be ok to special-case your website(s) in order to not store it in their history, or even to install an extension by default that only your website(s) could access (Chrome already has such extensions they use e.g in Google Meet). – Kaiido Feb 03 '22 at 00:26
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/241676/discussion-between-brian-drake-and-kaiido). – Brian Drake Feb 03 '22 at 06:25
  • Thanks for all your interesting comments. @ka – Jos Feb 03 '22 at 13:06
  • Sorry, comment edit took me longer than 5min ;-) ... The website is not part of a governmental project. It's a project carried by several foundations to give bystanders information on what to if they encounter situations of domestic violence. But the people involved themselves could ofcourse also visit the site. We wanted to give these visitors a way of quickly hiding what they were doing, because those kind of visits could create precarious situations. I'm hoping these people know how to browse in private, but I know that not all people now how to do this. – Jos Feb 03 '22 at 13:14
  • @JosFaber yes I understand your situation I think. To be clear, I'm pretty sure there isn't today a technical solution for your issue (and thus SO can't really help you). The best for you might be to bring the situation at https://discourse.wicg.io even if I really doubt that a general solution will be proposed, you should be able to reach to individual browsers from there and see what they propose. You can hint at that extension's API and at the idea that browsers could allow some registered websites to use a pre-installed extension like [Google Meet does for other purposes](/q/64442820). – Kaiido Feb 04 '22 at 02:15
  • Thinking of it a bit more, erasing your website only for the browser's history wouldn't be enough. If they came there using a search engine that would still be in the browser's history. Now wondering if the best isn't to actually educate on how to clear the history and then navigate in private mode from the get-go. – Kaiido Feb 04 '22 at 04:03
  • Yes, I agree that the best is to educate everyone on how to use the internet and stay private if needed. Although the situation for which we wanted to make this button is serious, it's not a case to ask browser companies for special treatment. I'm sure there would be millions of sites that would require special treatment, which would be an almost unmanageable task if you consider this has to be a coordinated task around the globe. Although we do also have the domain name system ;-) – Jos Feb 05 '22 at 09:28

1 Answers1

0

As you state in the question, you can use window.location.replace() to prevent your site from appearing in the window’s history (back button). Of course, this only works if your site had only one entry in the window’s history to begin with.

As you also state, there is a bigger problem: this does not prevent the site from appearing in the browser’s history. I believe you cannot solve this problem with scripts on your website: you need some external solution, like a browser extension.

(This does not really answer your question, but you could try using URLs and titles that disguise the nature of your site. I have heard of that being done with this sort of resource.)

In response to my idea of disguises, someone asked for examples and asked about discoverability. I was referring to the Aspire News App, featured on Dr Phil’s TV show. On that show, they made a big deal out of not showing what the app looked like, to avoid tipping off abusers. They also said the app is disguised as an ordinary app.

When I was researching this answer, I learned that disguises are indeed a terrible idea. I had no trouble finding information about the app online, and one review said the app is “pointless” because “with all of the media cpverage this app has gotten sbusers know exactly what it is and what to look for”.

I also learned that the app still had a fundamental security flaw 7 years after it was released. This shows that even supposedly reputable apps, dealing with sensitive matters, cannot be trusted. And perhaps it means that supposedly reputable websites looking to hide themselves from the browser’s history cannot be trusted either.

Brian Drake
  • 346
  • 1
  • 8
  • The problem of disguising the website's identity will be discoverability. I guess it's at least as important for the targeted audience to be able to find the website in the first place as it is to be able to hide it from the threat. Could you provide examples of how this has been done as it's not obvious (at least to me)? – Kaiido Feb 03 '22 at 00:30