I am designing a website for a domestic violence agency and I want to include an "escape" button. However, simply having a link leaves a danger of someone looking in the browser's history or clicking the back button to see where they were.
So, my question is: (1) Is it possible to load webpages and exclude them from the history? (2) Is it possible to disable the back button after following a link to, say, Google?
Thanks in advance for any help!
For disabling the back button:
<script language="text/javascript">
function goNewWin() {
//***Get what is below onto one line***
window.open("backbuttonnewpage.html",'TheNewpop','toolbar=1,
location=1,directories=1,status=1,menubar=1,
scrollbars=1,resizable=1');
//***Get what is above onto one line***
self.close()
}
</script>
Click to go to a new page
from http://www.htmlgoodies.com/tutorials/buttons/article.php/3478911/backbutton.html
No.
However, you could detect the browser and then explain details on how to clear history/caches for their current browser.
Maybe and no. That is entirely browser driven. Some browsers have been known to replace pages in history when window.location.replace(newURL) is called, but that is not guaranteed and not recommended.
Concerning your first question: As far as I know, the browser's history is completely dependant only on the browser's settings. Websites cannot and (should not) try to access any of the browser's preferences and functionality . A website just provides information (i.e. code and resources) - it is the browser's task to decide what to do with it (how to parse and render it).
So in my opinion, the best you can do is to suggest the user to clean one's history or use a "private mode". You even might provide information about how to do that, depending on the user's browser.
In any case: All the best for your project against domestic violence!
Related
Is there a way to accomplished this on browser?
Disable opening another web page
or disable switch current tab functionality in browser
when certain page (in this case my page) is still open?
I want to make a quiz in web, but i want to eliminated the posibility for user search on internet for the answer, but have no idea how to accomplished that.
plis give me a solution..
regards..
No, this isn't possible, for (what I hope are) obvious reasons.
This not possible.
Even if it was possible in theory, how would you stop the user opening another browser (different brand to the current one)?
How would you stop the user from using their mobile phone to search the web?
If this quiz is being run in a controlled environment (like a classroom) you could run the web browser in some sort of kiosk mode with strict policy setup against opening other tabs etc. But if it is being run in a classroom, then you already have someone supervising anyway. Why bother then
I have a function that I want to open up a URL in a new tab on a click event, but not give that tab focus. Is this possible with javascript?
You can't steal focus from a newly opened window. It's a security feature preventing sites from "taking control" of your browser. That would be a browser configuration setting.
As far as "hiding" focus from a popup, you might be thinking of what's called "PopUnder". Basically you use window.open() and set the option _blank and the paramater alwaysLowered, but it will not work gracefully for an average website. It requires you to have a signed script and take advantage of the Netscape Security PrivilegeManager, like this:
netscape.security.PrivilegeManager.enablePrivilege("UniversalPreferencesRead UniversalBrowserAccess"); // etc...
Sorry bro :)
You can attempt to open a new window, then set focus back to the current window. However, user settings may make this impossible, or it might already be the default behaviour.
Pop–unders are used by some web sites probably to disassociate the web site from the window (i.e. so you don't know where it came frome). So they are assuming a certain naivety on behalf of the user. They are considered spam and treated with the same contempt.
If you outline what it is you are trying to achieve using a pop–under, you might get advice on better ways of doing it. Or not. :-)
To my knowledge it is impossible bro.Since the user's browser Settings will conflict with your logic
If I go to this page and then delete the url from my browser's address bar, and then enter
javascript:document.getElementById('rsidebar').value='dsf';
The whole part refreshes. How can I prevent a page from refreshing when executing javascript from the address bar?
Also, are there any other techniques to manipulate a page without having access to the page source like the above method?
No, you cannot stop the user from manipulating the DOM.
You don't need to worry about people manipulating the DOM from the client-side. These changes only effect their local experience. They aren't actually affecting your site for other users.
You can easily manipulate the DOM using tools like Firebug, IEDeveloperToolbar, or Greasemonkey (Javascript engine).
When you do javascript:stuff(); and stuff() produces a return value, the whole page is replaced by it. You can prevent that by using javascript:void(stuff()); or javascript:stuff();void(0);
Already answered by others :)
For Q1: I think this isn't possible because the browser runs every website in its own 'sandbox'
For Q2: I believe Firebug will let you execute javascript on any webpage...
Question 1: As the earlier responders said, nothing you can do I don't think.
Question 2: Check out bookmarklets, some very cool things can be done by running your own JavaScript against pages from various sites. People have written bookmarklets to highlight things on the page, put warning indicators next to links that will open in a new window, or go to aPDF, etc.
How can we detect when a user opens a new window. The user is already authenticated and we make heavy use of sessions.
We were trying to avoid Ctrl+N javascript hooks but maybe that is an option.
I am assuming the request is the exact same URL...with Ctrl+N?
We were trying to avoid ctrl-n javascript hooks
Forget it. Whilst you could in theory try to catch keypress events for ‘n’ with the Control key modifier, there are any number of other ways to open a new window or tab which may be more likely to be used, and you won't be able to catch. File->New Window/Tab, middle click or shift-click link, middle click back/forward buttons, right-click-open-in-new-window, open bookmark in new tab, double-click browser icon...
The user is already authenticated and we make heavy use of sessions.
That shouldn't be a problem in itself. I guess what you mean is that your application is dumping all sorts of page-specific data in the session that it shouldn't have, and now you find the application breaks when you have more than one window open on it? Well, commiserations and happy rewriting.
In the meantime about all you can do is tell the user “please don't try to open two browser windows on the same application”. There are potential ways you can make JavaScript on one page notice that JavaScript is running on another page in the same domain at the same time, generally involving using document.cookie as a inter-page communications conduit. But that's also a bit fragile.
If opening a new window causes a problem in your application, then you should fix the application code to handle it instead of trying to apply an inconsistent and unreliable client-side "bandage". That's my opinion.
Why?
And anyway you can't detect it. User can open new window not only with Ctrl+N but also with File->New Window.
You could possibly put a window count into the session and increment it on window.onload and decrement it on window.onunload.
Imagine me tutting, sucking air through my teeth and going "better you than me, guvna" if you use that, though.
What I have done to solve this issue is when the user authenticates set the window name on valid login.
<script>
window.name = 'oneWindow';
</script>
And then on the master page do a javascript check:
<script>
if (window.history.length == 0 || window.name != 'oneWindow')
//history length to see if it's a new tab or opened in a new window 0 for IE, 1 for FF
//window name to see if it's a CTRL + N new window
</script>
If the check is true then hide/remove the main content of the page and show a message stating they are doing something unsupported.
This works when your login page is not tied into the master page.
If you do not have a master page then I would suggest putting the check on all your pages.
Yes and no,
You'll always see it if a control has focus, else the event is sent directly to the browser and the code on the page never hear about it.
In my experience you can't hijack the browser's shortcut, your mileage may vary. You are likely to know it happened but the browser will do its thing (for obvious reason)
In most browsers, the effect of Ctrl-N is to open a new window at the same URL as the old one and associate it with the same sessionID.
Your best bet would be to modify the back end code if possible and allow for such things. Breaking the browser's feature is never a good thing.
I've created a tool that is used with a fairly popular music retailer.
The tool provides an enhanced search feature (transparent last.fm results, no ads, no lameness, nothing creepy) and I've found the most useful and unobtrusive way to display the search is as a toolbar using the much maligned iframe. This allows users to load search without stealing the users focus.
Not being a particularly big fan of iframes I thought it would be trivial to add a “close this frame” (ala Google image search) link allowing users to quickly and easily regain control of their browser.
However unlike google, I doen't know what the location of the content in the iframe is (only where it started, via src).
So now I find myself in world of XSS and all the security related concerns.
Using Javascript I've added 'back' and 'forward' buttons with the history object called from links in the parent (when a user does a search the results load into the iframe, so the back button allows them to go back to the primary site after their done using/perusing the search results).
Is there any way to call the current location within the iframe and reload the page (now sans frames) to that location?
I've checked PHP $GLOBAL/$_SERVER variables to see I might get lucky. I understand that there are security concerns, but I don't see how this particular function would be any different then history.back() where the browser makes the call itself without 'notifying' my parent frame.
I know I can retrieve the src location from the iframe itself, but of course that presumes the user doesn't navigate beyond this page, and if they do they don't mind losing their current location and being redirected back to page called initially by the frame (...ah...).
It almost seems like frames are designed to steal windows with no means for gracefully 'breaking out' and preserving integrity of the users session.
No wonder people hate them. :)
On Google image search when you remove the frame it functions as you currently propose, by returning to the original frame source. For XSS reasons, finding the current location shouldn't be possible, and if it was it would be considered a bug and fixed in subsequent browser patches, so it might not be best to rely on such a quirk if one existed. A way to elegantly break out without revealing location would be nice, though. This might be something you can propose to the HTML5 group.
Not that it would really be all too helpful, but the closest you can come is detecting if someone actually left the original frame source page. When you navigate a frame the history object maintains entries, and if your original history length when the page loads is greater than the history length when someone clicks "Break out of this frame...", then you know they were browsing in the frame.
I appreciate both you (hal10001) and Zach taking the time to answer. It appears I'm suck (as I suspected) because of the xss security concerns.
I suppose I could simply wrap all the content within a php based proxy, but that would clearly entering the creepy zone, not to mention the added latency and what-not.
I'll keep spinning the idea incase I do come across something sane and usable, but until then I guess I'll just use the slightly less freindly approach of promoting the original frame and wiping out their current location (and if they don't like I can revisit the iframe/toolbar situation.
Thanks again!