upvote

points

by synack20 hours ago |
comments
upvoteby tgsovlerkhgsel20 hours ago|
next
[-]
Because clicking on a navigation button in a web app is a good reason to window.history.pushState a state that will return the user to the place where they were when they clicked the button.

Clicking the dismiss button on the cookie banner is not a reason to push a state that will show the user a screen full of ads when they try to leave. (Mentioning the cookie banner because AFAIK Chrome requires a "user gesture" before pushState works normally, https://groups.google.com/a/chromium.org/g/blink-dev/c/T8d4_...)

reply
upvoteby kro19 hours ago|
prev|
next
[-]
It's a valid question how they detect it. As there are valid usages, just checking for the existence of the function call would not be correct.

These sites likely pushState on consent actions so it appears like any user interaction.

reply
upvoteby tgsovlerkhgsel9 hours ago|
parent|
[-]
No idea how they actually do it, but I wouldn't be surprised if manual reports and actions play a big role. The policy doesn't need to be enforced reliably as long as it is plausible for reasonably big actors to get caught sooner or later and the consequences of getting caught are business-ruining.

But detecting it on a technical level shouldn't be hard either. Visit the page, take a screenshot, have an AI identify the dismiss button on the cookie/newsletter popups, scroll a bit, click something that looks inactive, check if the URL changes, trigger the back action. Once a suspicious site is identified, put it in the queue for manual review.

reply
upvoteby kro5 hours ago|
parent|
[-]
The URL does not even need to change, you can pushState with just a JavaScript object, catch the pop and do something like display a modal. (I use this pattern to allow closing fullscreen filter overlays the user opened)

Still, requires user interaction, on any element, once. So the crawler needs to identify and click most likely the consent/reject button. Which may not even trigger for Googlebot.

So they likely will rely on reports or maybe even Chrome field data.

reply
upvoteby tgsovlerkhgsel4 hours ago|
parent|
[-]
Field data is a great point - it should be really obvious when people click "back", and many then click back again immediately after (or close the tab, or whatever people do to "escape").
reply
upvoteby omcnoe20 hours ago|
prev|
[-]
No, only if your website abuses window.history.pushState to redirect the user to spam/ad content is it considered abuse.
reply