
I've never understood why browsers let web sites hijack any part of the browser UI. I'm not asking for an explanation, I'm sure there were "reasons" but it's still a bad idea.


There was an article here a couple months ago about the browser's "danger zone", i.e. the area that can be controlled by the website, and how it's changed over time. The context was around the encryption padlock to indicate valid certificates. What I took away is that nothing in a browser can be trusted now.

Indeed, in my experience, hijacking elements like right click, copy, and back/forward buttons is somewhat commonplace. Some browsers are better at avoiding this, but none I've used are immune to hijacking tricks, especially the back button.



When you make an application, it's often useful to create a static identifier of the application state and push it on the back button, so that if the user doesn't like where he is going, he can simply go back.

I don't agree that it's a bad idea. What is bad is the amount of user-hostile sites that get promoted on the web. Those should be silenced, not boosted into mainstream by search engines and social media.

Anyway, browsers can improve the feature by grouping the added links and making it easy for users to ignore them. But innovation on the web got its last and fatal strike when Firefox killed its original extensions API.


>> When you make an application, it's often useful to create a static identifier of the application state and push it on the back button...

Like I said, I'm sure there are "reasons" for doing it. Put your own "back" button in the application then, don't take MY browser button and reconfigure it. The browser back button should go back in my browser history - including leaving an app, not where some web developer decides it should go. This is a giant security concern introduced for web developer convenience.


All the JS API provides is a way to give the user a savepoint on his history that he can go back to, correlate with others on the browser history, or do whatever he wants.

This is only a security issue because the browser developers want it to be. There's nothing on the standard saying that when you click back, it should go to the previous link inserted by JS, or that there must be a single button for everything, or that every site is treated the same way.

Anyway, removing the quite useful possibility of the browser remembering the history of the usage of an application won't solve the issue of browser innovation being destroyed or of malicious sites using any loophole available to get something out of you. For that we need browsers and basic web infrastructure that are focused on supporting your needs, which the current crop clearly isn't.
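Added example, not part of the thread and not any browser's code: a small model of the "group the added links" idea raised above, comparing a back button that visits every script-added entry with one that treats entries a page pushed without user interaction as part of that page. The `SessionHistory` class, its method names, the `userActivated` flag and the example.* URLs are all assumptions made for illustration.

```javascript
// Simplified model of one tab's session history (constructed for this example;
// not a real browser API). Each entry records how it was created.
class SessionHistory {
  constructor(startUrl) {
    this.entries = [{ url: startUrl, scripted: false, userActivated: true }];
    this.index = 0;
  }
  // Ordinary navigation (link click, typed URL).
  navigate(url) { this._append({ url, scripted: false, userActivated: true }); }
  // Models history.pushState(): the page's script adds an entry. userActivated
  // records whether the user had interacted with the page before the call.
  pushState(url, userActivated) { this._append({ url, scripted: true, userActivated }); }
  _append(entry) {
    this.entries = this.entries.slice(0, this.index + 1); // drop forward entries
    this.entries.push(entry);
    this.index = this.entries.length - 1;
  }
  // Naive back: one entry per press, whoever created it.
  backNaive() {
    if (this.index > 0) this.index -= 1;
    return this.entries[this.index].url;
  }
  // Grouped back: entries pushed without user interaction belong to the entry
  // that precedes them, so one press leaves the whole group.
  backGrouped() {
    const unsolicited = (e) => e.scripted && !e.userActivated;
    let i = this.index;
    while (i > 0 && unsolicited(this.entries[i])) i -= 1; // head of current group
    i -= 1;                                               // entry before the group
    while (i > 0 && unsolicited(this.entries[i])) i -= 1; // never land on one
    if (i >= 0) this.index = i;
    return this.entries[this.index].url;
  }
}

// Constructed scenarios: a page that stacks entries on load, and an app whose
// entries follow user clicks (the "savepoint" use described in the thread).
function demo() {
  const stacked = () => {
    const h = new SessionHistory("https://search.example/results");
    h.navigate("https://site.example/article");
    for (const n of [1, 2, 3]) h.pushState(`https://site.example/article#stay${n}`, false);
    return h;
  };
  const app = new SessionHistory("https://app.example/inbox");
  app.pushState("https://app.example/inbox/msg1", true);
  app.pushState("https://app.example/inbox/msg2", true);
  return { naive: stacked().backNaive(), grouped: stacked().backGrouped(), app: app.backGrouped() };
}
```

In the model, user-driven application states remain individual back stops, while entries added without interaction cost the user a single press.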



