(a class="quickBrowserEscape ..." target="_blank" href="https://www.google.ca/") Need to leave site for your safety? Quick Escape
$('.quickBrowserEscape').on('click', function () {
document.body.style.opacity = 0;
document.title = 'New Tab';
window.open('https://www.weather.gc.ca/canada_e.html', '_blank');
window.location.replace($('.quickBrowserEscape').attr('href')); // removes current page session DOES NOT WORK IN IE
return false;
});
Would recommend picking random URLs from an array.
This would also leave intact cookies, local/session storage, indexeddb, caches. All of which abusers do actually check, when controlling their victims.
Have fun exploring the list of things we've caught abusers actually using. [0] Or don't. Reading and keeping your soul intact aren't compatible.
I am 100% sure that some do, thanks to firsthand life. And any doing it, is enough to get people dead, even if 99% don't. And yes, CS majors can be abusers, too.
With all due respect, I think that's bad reasoning, the tool is worth it if the tool allows more people to be saved that would otherwise die (or live horrendous lives), than the tool causes extra deaths (or extra horrendous worsened lives), which is very clearly the case.
A quick check shows that they don't store anything as cookies or any other browser storage.
The thing that still works is the back button after the redirection to Google, and you can still un-close the tab with Ctr-Shf-T which pops the Google page with back history intact. They have "cache-control: max-age=0" which probably should be changed to "cache-control: no-store". Still, the back button has the history if the user clicked links. Improvements could be:
- Recommend the usage of incognito mode.
- Blank the page immediately with "document.body.innerHTML=''" before the page replacement, as the replacement alone can have a delay and the abuser could see a glimpse of the police page. Blanking is immediate.
Best would be if they took care to match the overall brightness of the page they redirect to.
Currently they're going from a "not 100% bright website" to "very much 100% bright website" and the flash in people's faces will be relatively obvious, if the other person been trying to hide websites themselves. I've heard.
What's weird is with Firefox for Android it's so difficult erasing a site from being remembered. Once visited, in my experience, even after deleting the history entry and last closed tabs item it still auto completes the domain in the addressbar (when it didn't before) and the only workaround is a full history wipe (since the Android version offers no granular timeframe like the desktop version).
So if accidentally clicking some link from some other app that auto opens the default browser it's a PITA to get FF for Android to forget about it.
It’s been a very long time, but as I recall MS recommendations for AD domains and dns collisions changed multiple times. Used to be real problems if you had overlap.
These days, browsers absurdly try things like adding www. if you don't have it, and there's no open port. Same for http -> https.
This is doubly an issue, as browsers think hiding the http and www is super cool.
So in modern times, you'd never know if the non www was borked or not. It'd just seem slower, especially with a packet drop.
Ideally, you'd want to know there's an issue, not mask it. For example, by updating your bookmark, instead of saying "this site is slow every time".
I wonder of we'll just stop selling forks, because expecting users to learn a tool is verboden. In truth, it is the ridiculous change to tools for no reason which is the issue. Redesigning the UI almost yearly, moving menu items, changing menu item names, and other absurdities. Apparently this is all sensible, whilst expecting the user to know https vs http, and www is absolutely bonkers, and we must help and protect them from this horrible weight of knowledge.
Thank You for that. The popup, the monitor icon, being implemented as an iframe popup seems actually effective against browser history and cookies, sessisons, etc. I guess much better then Vancouver PD implementation.
It only replaces the current page, and VPD is not a single-page app. So if you've been clicking around to find something, the previous pages will still be in your history.
If you need to hide your browsing history from an abusive partner, it would be more secure to use incognito mode and hit Alt+F4 when you need to escape. Unfortunately, Chrome renders incognito windows in dark mode by default. If you're normally on light mode, the transition is extremely conspicuous. Edge and Firefox do the same. It's as if all browser vendors have colluded to make it difficult to browse in secret.
Thanks for the tip, but the usual open-source "you can change it" argument doesn't work in this case. People who like to control other people will interpret any deviation from the expected behavior as an attempt to hide something from them. If you change the defaults, those defaults can no longer serve as your alibi. All the more reason to ship secure defaults!
Not enough people know this: in Chrome and Edge, making a Guest window is usually more useful than Incognito. You do it from the profile menu. It’s a throwaway profile, without the various weird special-case behaviors (including the ones websites can detect) that “incognito” has. When you close it, it’s all discarded anyway.
Any large city's PD is going to be controversial. From the experience of people close to me who work with police, the VPD are better run and have more programs like Car 33 than the RCMP in neighbouring jurisdictions.
Many of the perceived issues come from (I'll say it) corrupt judges who let out career petty criminals on a bail-less "promise to appear." Some officers report arresting the same person twice in one shift.
At least it's not TPS, where the chief likes to protect officers who commit perjury in the name of framing an innocent man for a Sergeant's suicide.
VPD has become notably more controversial after Jim Chu stepped down, before that it was notable how professional they were for a North American police department
That's funny, right before this I was just reading about how some idiot I knew from back in the day beat the shit out of some stranger on the SkyTrain for his headphones. Maybe it's time to realize how fucked Vancouver is and that the cops aren't the problem
In 2025 Vancouver had the lowest violent crime rate in 23 years. Not that there’s no crime of course but I don’t see that it really constitutes Vancouver being “fucked”.
The Trevor Project (LGBTQ support/suicide prevention site) has the same thing, triggered by a hotkey (press ESC three times). https://www.thetrevorproject.org/
Do you mean something you verified is happening or something you assumed is happening? You can go look at the site OP linked and find out what is happening and if it's a "major security issue". In this case, after user click/intervention, it renames the current history entry to "New Tab". This is not a security issue at all.
It’s pretty easy to catch someone fumbling with incognito if you can suddenly enter a room. (Not that it wouldn’t also be easy to catch someone clicking this button.)
The site (vpd.ca) remains in history, just with the name replaced with "New Tab", which the script does just before redirecting. I would be very upset if browsers allowed sites to mess with history.
The gov.uk Design System calls this the "Exit a page quickly" pattern [1], with an associated component [2]. It can be activated by clicking the Shift key three times.
There's this nice blog [3] that explains why they chose Shift instead of other keys, and also gives a nice overview of the pattern.
Asylum-seekers, domestic abuse victims, sex trafficking victims, indentured servitude and modern slavery, etc. Access to guidance on government websites represents a way out of society's most dangerous situations for vulnerable people, and getting caught browsing the wrong help article can be risky. Automated intelligent surveillance isn't outside of the realms of the imagination, either, which is troubling
Was this a shared memory, specifically with regard to Sticky Keys and Return to Castle Wolfenstein? I thought it was a unique problem with me and my friends lol
The blog[0] explains their choices well. The brief highlights:
- Escape is simply unusable.
- Alt alone leaves the viewport and goes to menu, making further keypresses unregistered
- control is inconsistently placed on keyboards (e.g. laptops) which they don't say directly in the blog, makes extra sense if you recall it suggests not using devices the abuser might be admin/monitoring (public devices, friend devices, etc). It also is highly selected by other assistive technology products just like sticky keys.
They also recognized the issue... And tested it against JAWS and using it with on-screen keyboards
> Create a page to explain Exit this page to users.
> You must show this page after the start point of your service, but before the page where the user will see the Exit this page button for the first time.
> On longer services, you might need more than one interruption page.
I'm surprised that the blog doesn't mention what, to me, is the most obvious reason not use Esc — because it's conspicuous as all hell! If somebody's at risk and wants to hide what they're doing, their abuser seeing them repeatedly hit Esc just screams "I'm trying to hide something".
Seeing the level of thought that went into user experience design, research, and arguing for the _right_ page to redirect to is such a delight.
Engineering (as with so many professions) is about so much more than just shipping features as quickly as possible, and it pleases me when I see fellow engineers taking care and showing thorough consideration over the potential impact of their design decisions on people from all walks of life and circumstances.
Not a bad idea, except that *WEB PAGES SHOULD HAVE NEITHER ANY ACCESS TO NOR ANY CONTROL OVER THE HISTORY, PERIOD, AND SOMEBODY NEEDS TO BEAT THE MORONS RESPONSIBLE FOR THIS "WEB PLATFORM" BULLSHIT SENSELESS*.
It's good that a police department as chosen to do this with the misfeature, but the fact that there are non-abusive applications is not an excuse.
It doesn't wipe from history on Vanadium GrapheneOS (likely same on Android Chrome). It does change its icon to Google and open Google and weather websites.
I've implemented quick exit/escape buttons for a few organisations over the years and have spent a bit of time thinking about the limitations.
This pattern is definitely better than most and it is refreshing seeing they put some resources into it. In my professional experience, organisations often chose the "a link to another site like google is fine" option to save money and time while still getting to boast about their security culture.
One thing I have not found much research on however, but would love to hear about, is the effect of these kinds of patterns on the user's speed and choice of actions and how that effects outcomes. What I mean by that is, say someone is visiting the site on their phone and an adversary walks into the room. Most people these days know the fastest way to leave a page at short notice - maybe the home button/gesture, maybe swipe to another open app. Does having a big red button that introduces a new choice help them, or add to the cognitive bandwidth needed to handle the situation?
Remember, by definition the type of situations that this component is intended to help with are going to be stressful and likely have little to no warning; the person is going to walk in the room and the user has moments to act.
What is going to lead to measurably better outcomes; a big red button that the users needs to read, understand and move their finger/hand to, or their own knowledge of their own device's most efficient escape mechanisms?
This isn't meant as a criticism of the component. I am just genuinely curious as to what the best tool to assist folks in this situation is? We are talking about real people with real fears and the possibility of very bad outcome.
This feature could be potentially be activated whenever the page is hidden (eg. by pressing the home button), although it would be very annoying for regular users.
Indeed this is mostly performative by the police because the user would switch apps, turn off the phone screen, or any other easier way as you describe.
It doesn't seem to work in Safari on iPhone correctly. When I click on the Back button (from weather.gc.ca), it goes back to the Vancouver PD site. Therefore I do not think that it is built well.
Isn't this exactly why browsers implemented "private mode"?
Why don't they inform users about how to properly use private mode, which works with any website, instead of rolling their own solution, which the user has to learn just for that one website?
Private mode assumes you choose in advance. If you are suddenly approached, you can trigger the quick exit without any prior planning and it can be done inconspicuously.
They could be in a situation where that’s not available such as a child’s phone with parental controls or a managed work device that has it locked out.
I like that this treats as a UX problem not just a technical one.
The challenge is making sure people know the feature exists before they need it. An escape mechanism isn't very useful if you only discover it after you're already in a stressful situation.
114 comments
[ 2.6 ms ] story [ 50.3 ms ] threadI am 100% sure that some do, thanks to firsthand life. And any doing it, is enough to get people dead, even if 99% don't. And yes, CS majors can be abusers, too.
[0] https://www.esafety.gov.au/key-topics/domestic-family-violen...
https://www.npr.org/sections/alltechconsidered/2014/09/15/34...
It’s so prevalent it even has a name.
https://en.wikipedia.org/wiki/Stalkerware
Don’t underestimate an abusers ability to find a way.
The thing that still works is the back button after the redirection to Google, and you can still un-close the tab with Ctr-Shf-T which pops the Google page with back history intact. They have "cache-control: max-age=0" which probably should be changed to "cache-control: no-store". Still, the back button has the history if the user clicked links. Improvements could be:
- Recommend the usage of incognito mode.
- Blank the page immediately with "document.body.innerHTML=''" before the page replacement, as the replacement alone can have a delay and the abuser could see a glimpse of the police page. Blanking is immediate.
That's what the "document.body.style.opacity = 0;" is for. Though I agree emptying out the body is probably better.
Currently they're going from a "not 100% bright website" to "very much 100% bright website" and the flash in people's faces will be relatively obvious, if the other person been trying to hide websites themselves. I've heard.
This is a good idea that deserves to be across all Police, Help, Domestic Violence, 911, Suicide Hotline, etc sites across all countries.
Been there for probably decades, yet another thing mostly known to/used by "advanced" users.
So if accidentally clicking some link from some other app that auto opens the default browser it's a PITA to get FF for Android to forget about it.
E.g. go to govt.nz and scroll to the bottom. There's a little icon of a computer that opens a popup element inside the page.
It gives information for victims of domestic violence and abuse.
This is doubly an issue, as browsers think hiding the http and www is super cool.
So in modern times, you'd never know if the non www was borked or not. It'd just seem slower, especially with a packet drop.
Ideally, you'd want to know there's an issue, not mask it. For example, by updating your bookmark, instead of saying "this site is slow every time".
I wonder of we'll just stop selling forks, because expecting users to learn a tool is verboden. In truth, it is the ridiculous change to tools for no reason which is the issue. Redesigning the UI almost yearly, moving menu items, changing menu item names, and other absurdities. Apparently this is all sensible, whilst expecting the user to know https vs http, and www is absolutely bonkers, and we must help and protect them from this horrible weight of knowledge.
It is important to make it as easy as possible to get to the main content of the site.
Another thing that looks awesome, from a public service perspective, the zero data (phone plan) offer. From what it sounds like you don't have to pay for data on your phone plan: https://www.govt.nz/browse/engaging-with-government/no-data-...
That is public service! Well done.
> If you are experiencing family violence, don't worry, the information within this pop-up won't appear in your browser's history.
Pages like Banks or Council websites have it in their footer, so people can lookup information without it appearing in their history
If you need to hide your browsing history from an abusive partner, it would be more secure to use incognito mode and hit Alt+F4 when you need to escape. Unfortunately, Chrome renders incognito windows in dark mode by default. If you're normally on light mode, the transition is extremely conspicuous. Edge and Firefox do the same. It's as if all browser vendors have colluded to make it difficult to browse in secret.
browser.theme.dark-private-windows. Set to false, and you're set.
Many of the perceived issues come from (I'll say it) corrupt judges who let out career petty criminals on a bail-less "promise to appear." Some officers report arresting the same person twice in one shift.
At least it's not TPS, where the chief likes to protect officers who commit perjury in the name of framing an innocent man for a Sergeant's suicide.
Do you mean something you verified is happening or something you assumed is happening? You can go look at the site OP linked and find out what is happening and if it's a "major security issue". In this case, after user click/intervention, it renames the current history entry to "New Tab". This is not a security issue at all.
There's this nice blog [3] that explains why they chose Shift instead of other keys, and also gives a nice overview of the pattern.
[1] https://design-system.service.gov.uk/patterns/exit-a-page-qu... [2] https://design-system.service.gov.uk/components/exit-this-pa... [3] https://beeps.website/blog/2024-10-09-why-govuk-exit-this-pa...
I feel like if I was kidnapped in some person's vehicle and had my phone I'd be dialing 911 and using the keypad to signal I need help in morse code
I wouldn't be browsing the police department website for an e-mail address
Windows Sticky Keys entered the room.
And then the spamming of the communication that would follow.
Those pre-canned German voices were so great.
- Escape is simply unusable.
- Alt alone leaves the viewport and goes to menu, making further keypresses unregistered
- control is inconsistently placed on keyboards (e.g. laptops) which they don't say directly in the blog, makes extra sense if you recall it suggests not using devices the abuser might be admin/monitoring (public devices, friend devices, etc). It also is highly selected by other assistive technology products just like sticky keys.
They also recognized the issue... And tested it against JAWS and using it with on-screen keyboards
Seems they were very thorough.
0: https://beeps.website/blog/2024-10-09-why-govuk-exit-this-pa...
Note: this is the same link as in the grandparent post
But having a stray sticky keys window open is not too conspicuous
> Interruption page
> Create a page to explain Exit this page to users.
> You must show this page after the start point of your service, but before the page where the user will see the Exit this page button for the first time.
> On longer services, you might need more than one interruption page.
> As a result of advertising people being bastards,
The gov.uk Design Team are a treasure.
The whole blog is! I do enjoy the furry, aro-ace, agender, otherkin, machinekin and plural-system subcultures.
Engineering (as with so many professions) is about so much more than just shipping features as quickly as possible, and it pleases me when I see fellow engineers taking care and showing thorough consideration over the potential impact of their design decisions on people from all walks of life and circumstances.
It's good that a police department as chosen to do this with the misfeature, but the fact that there are non-abusive applications is not an excuse.
This pattern is definitely better than most and it is refreshing seeing they put some resources into it. In my professional experience, organisations often chose the "a link to another site like google is fine" option to save money and time while still getting to boast about their security culture.
One thing I have not found much research on however, but would love to hear about, is the effect of these kinds of patterns on the user's speed and choice of actions and how that effects outcomes. What I mean by that is, say someone is visiting the site on their phone and an adversary walks into the room. Most people these days know the fastest way to leave a page at short notice - maybe the home button/gesture, maybe swipe to another open app. Does having a big red button that introduces a new choice help them, or add to the cognitive bandwidth needed to handle the situation?
Remember, by definition the type of situations that this component is intended to help with are going to be stressful and likely have little to no warning; the person is going to walk in the room and the user has moments to act.
What is going to lead to measurably better outcomes; a big red button that the users needs to read, understand and move their finger/hand to, or their own knowledge of their own device's most efficient escape mechanisms?
This isn't meant as a criticism of the component. I am just genuinely curious as to what the best tool to assist folks in this situation is? We are talking about real people with real fears and the possibility of very bad outcome.
The other site someone mentioned (https://www.thetrevorproject.org/) doesn't have that issue.
Why don't they inform users about how to properly use private mode, which works with any website, instead of rolling their own solution, which the user has to learn just for that one website?
On top of that, informing users requires them to open up the website in the first place… leaving it in… the history.