
[BackToOpener] Make a stronger case for this being opt-in

Open domenic opened this issue 6 months ago • 3 comments

I think the biggest question mark about this proposal is whether it should be opt-in or applied automatically across the entire user agent.

The explainer already discusses this somewhat. However, I don't find its logic that convincing. Many of the arguments, especially in https://github.com/MicrosoftEdge/MSEdgeExplainers/blob/main/BackToOpener/explainer.md#user-facing-problem, for why this is important to solve, steer me in the direction of it applying everywhere.

Note that some user agents, e.g. Chrome for Android, already apply this behavior across the entire user agent.

I would be most convinced if you had clear examples of cases where this behavior would be confusing or harmful.

domenic avatar Jun 26 '25 06:06 domenic

This is a good point, and it's taking me some time to thoroughly think through - why shouldn't this be everywhere. When writing the explainer, I proposed the behavior as opt-in as a way to be less disruptive for websites.

My two points on "why opt-in" are as follows:

  • Back To Opener by default introduces a perceived connection between two pages. There shouldn't be any security concerns as long as rel="noopener" and window.opener = null are still enforced. But the implied connection might be used to do something bad, and that might not be desired by developers.
  • Disrupting OAuth or Payment flows that appear in a popup - you perhaps don't want your user to accidentally click back before they are done with the task you want them to do.

I can see the counterpoint to point 1 being that the perceived connection is there for same-site navigation already.

I am wondering if there is precedent for a similar default behavior change at the web platform standards level, instead of at a UA level?

victorhuangwq avatar Jun 30 '25 23:06 victorhuangwq

> • But the implied connection might be used to do something bad, and that might not be desired by developers.

I don't know about this argument, since Chrome/Safari on mobile already have this implied connection. Since they don't have any security issues that we know of because of this feature, it seems unlikely that new ones would arise on desktop.

> • Disrupting OAuth or Payment flows that appear in a popup - you perhaps don't want your user to accidentally click back before they are done with the task you want them to do.

I think most popup windows don't show back buttons at all.

> I am wondering if there is precedent for a similar default behavior change at the web platform standards level, instead of at a UA level?

I'm not sure I understand this. Why would we make a default behavior change at the web platform standards level? If we omit the opt-in, then this seems entirely up to the UA, and outside the realm of web standards.

domenic avatar Jul 01 '25 04:07 domenic

I think I'm also seeing implementing this change by default for a user agent as the more sensible approach.

I will socialize this explainer more to see if there's any real rationale for keeping this as a web platform hint for opting-in.

victorhuangwq avatar Jul 02 '25 21:07 victorhuangwq