SEO & Organic Search

Google Gave Back Button Hijackers Until June 15. The Policy Catches More Than Spam.

Google Gave Back Button Hijackers Until June 15. The Policy Catches More Than Spam.
Google made back button hijacking an explicit spam violation with a June 15, 2026 enforcement date.

The most interesting part of Google’s new back button hijacking spam policy is not the policy itself. It’s the date.

June 15, 2026. That’s when enforcement begins. Google gave everyone exactly two months, which is unusual for a company that normally announces algorithm updates with the specificity of a weather forecast. Core updates roll out “over the coming weeks.” Quality systems “may take time to fully deploy.” But for back button hijacking? They put it on a calendar.

The policy now sits as its own section under Google’s spam policies, distinct from misleading functionality and sneaky redirects. The official language defines back button hijacking as a site that “interferes with user browser navigation by manipulating the browser history or other functionalities, preventing them from using their back button to immediately get back to the page they came from.”

That sentence contains about three different policies worth of ambiguity in the words “other functionalities.”

The deadline is the easy part

Google has been warning against this practice informally since roughly 2013. What changed is that it now carries explicit consequences: manual spam actions through Search Console, or automated demotions that reduce search visibility. According to Search Engine Journal’s reporting, sites receiving manual actions can submit reconsideration requests after fixing the issues, which is standard. The non-standard part is the grace period.

Two months is aggressive for a policy that affects code most site owners didn’t write and probably don’t fully understand.

The textbook back button hijack is straightforward. A user clicks a search result, lands on a page, tries to go back to Google, and instead gets a feed of articles or advertisements served from the same domain. The site has manipulated browser history using history.pushState() to inject fake entries. Technically the user keeps hitting the back button and keeps seeing more of the publisher’s content instead of returning to the SERP.

Publishers do this for an obvious reason: each additional page view generates ad impressions. From the publisher’s perspective, a user who clicked back “wanted to leave anyway” so why not show them more content on the way out. It’s the digital equivalent of a hotel gift shop positioned between you and the elevator. You didn’t ask for it, you can technically walk around it, but somebody decided the foot traffic was too valuable to leave alone.

This is a ranking signal problem, not just a UX complaint

The part that elevates this from “annoying dark pattern” to “thing Google actually cares about enforcing” is the connection to Navboost. Glenn Gabe at GSQI documented how back button hijacking manipulates engagement signals that feed directly into ranking decisions. Navboost tracks 13 months of user interaction data, and it’s one of the most consequential ranking systems Google operates.

Sites that artificially inflate session duration and page depth by trapping users in a content loop are gaming the same metrics Google uses to decide whether a page deserves to rank well. So Google’s enforcement here is protecting the integrity of a ranking signal as much as it’s protecting users from a frustrating experience.

From what I’ve seen in the patterns around core updates, sites that combine aggressive advertising with back button manipulation tend to get hit harder than sites running only one of those tactics. The behaviors compound. Google seems to treat the combination as a stronger negative signal than either problem alone, and honestly, that tracks with how users experience it too. Getting trapped on an ad-heavy page feels a lot worse than getting trapped on a clean one.

This connects to what we covered in our breakdown of how Google ranking actually works under the hood. Navboost is not a minor side signal. It’s central to how Google evaluates whether a page delivered what the user wanted. Anything that distorts those engagement metrics is, from Google’s perspective, spam.

The vague definition nobody is talking about

The policy targets sites that prevent users from “immediately” returning to the previous page. Seems clear. In practice, it opens up gray areas that are going to create real problems for sites that aren’t intentionally gaming anything.

Exit-intent overlays. Google’s John Mueller said previously that what happens when a user tries to leave a site “is kind of between you and the user.” Exit-intent popups fire when the cursor moves toward the browser chrome, and they don’t manipulate browser history. They overlay content on the current page. Technically, the back button still works fine underneath.

I think most exit-intent implementations are safe under this policy. But some are borderline. A full-screen interstitial that fires specifically on back-button press (not cursor movement) and takes two or three clicks to dismiss? That’s arguably interfering with navigation even without history manipulation. The policy language is broad enough to capture it.

Single-page applications. Modern SPAs use history.pushState() constantly, for entirely legitimate reasons. Every time a user navigates within a React, Vue, or Angular app, the browser history gets a new entry. That’s how the back button is supposed to work in SPAs. The difference between “app manages its own navigation history” and “app manipulates history to prevent leaving” is a distinction that lives in intent, not in code. I expect Google will handle this with common sense, but common sense and automated spam detection don’t always overlap perfectly.

Third-party ad scripts. This is the one that concerns me most. Google acknowledged that some back button hijacking originates from third-party advertising platforms or libraries. They also said site owners are responsible for auditing their integrated code. Fair in principle. The practical reality for a publisher running half a dozen ad networks is that any one of those scripts could be injecting history entries, and most publishers genuinely do not know what their ad code does at the browser level.

A Mozilla discussion on back button interventions captured the difficulty well: browser vendors themselves have been trying to draw a clean line between legitimate and malicious history manipulation for years. They haven’t solved it either.

I’d estimate roughly 15-20% of mid-size publishers running aggressive ad configurations have at least one script that violates this policy and don’t know it yet. That’s not a researched number, to be honest. It’s a gut read based on how many ad-heavy sites I’ve tested where the back button does something unexpected.

The 60-day audit you probably need to run

If you run any content site with display advertising, here is what I’d do before June 15.

Open Chrome DevTools on your site. Navigate to a page from Google (or simulate it). Click the back button. If you end up anywhere other than where you came from, you have a problem.

For a more systematic check: search your codebase and all loaded third-party scripts for history.pushState, history.replaceState, and popstate event listeners. Any script that calls pushState without corresponding to a genuine user-initiated navigation is worth investigating.

The benchmark I’d use: if a visitor arrives from Google, views one page, and has to click the back button more than once to return to the search results, you’re in violation territory. Once is reasonable (the page they visited). Twice means something added a history entry it shouldn’t have.

For publishers who know they have complex ad configurations but aren’t sure which scripts are responsible: run your site through a fresh browser profile with zero extensions, arrive via a Google search, and try to leave. Record the session. If you can’t get back to Google in one click, start disabling ad scripts one at a time until you find which one is adding phantom history entries.

This is not a difficult audit. It just requires someone to actually do it, which, based on how most publisher ad stacks are managed, probably hasn’t happened in a while.

The wrong sites will get caught first

The obvious back button hijackers, the made-for-advertising sites running Discover arbitrage, will strip the offending scripts before June 15 and move on. They always adapt. This policy will not slow them down for more than a week.

The sites that actually get manual actions will be the mid-tier publishers who don’t realize their ad stack includes a script that injects history entries. The ones who outsourced ad implementation to a partner they haven’t audited since 2023. The ones whose developer left and nobody fully understands the JavaScript running on every page load.

I don’t think Google set a specific enforcement date because back button hijacking suddenly got worse. I think they set a date because the informal guidance from 2013 wasn’t working, and making it a real policy category with real consequences was the only way to force the behavior change. Fair enough. But two months is tight if your site runs significant third-party code. Probably not enough time for a publisher juggling 10 or more ad partners to audit every script, test every configuration, and renegotiate with any vendor whose code is the problem.

The deadline exists now, though. And “I didn’t know my ad code was doing that” is not something you want to type into a reconsideration request.

By Notice Me Senpai Editorial

Read next