Stealth Redirection: How to Do It, and Why You Shouldn't

I used to get asked this question a lot when I was working customer support at a web presence provider in Arizona. I also see it a lot on the HTML newsgroups.

How do I forward browsers from my domain to my other web site without changing the address shown in the address bar?

I hate that question. It's an example of everything that's wrong with the Web today. People asking this question are asking for one of two reasons: Either they're cheapskates wanting to redirect their bargin-priced domain to an account on a free server, or they're aspiring search-engine spammers trying to fill multiple domains with the same site.

I usually try to talk them out of it:

Don't do that. It's not going to accomplish what you want, and it's bad for users.

Why do I tell them that? Because what they want is bad design, and it isn't going to accomplish what they want. (What? You thought I might be lying to people? Shame on you, you cynic.)

The "trick" these people are asking me about is actually pretty simple (if you understand HTML), yet it remains shrouded in mystery and confusion. Part of the problem is that the "trick" is an accidental feature of HTML, so it doesn't have an official name. Instead, it's acquired several vague and confusing names like "stealth redirection", "masking", and "cloaked forwarding". From what I can tell, "stealth redirection" is the most common term, so that's what we're going to use for the rest of this discussion.

The other reason for the mystery is that a lot of web hosting companies, marketers and search-engine optimizers think stealth redirection is some sort of trade secret, so they won't tell their customers what's involved with stealth redirection, or why it might be a bad idea. I think most of the things that web marketers think are pretty strange, but keeping a couple lines of HTML secret is ridiculous. I'm definitely not going to put up with that.

So, in an effort to cut through the bullshit once and for all, I'm telling the world why it shouldn't use stealth redirection, and how to do stealth redirection.

Why You Shouldn't

As I hinted earlier, there are two basic reasons that stealth redirection is a bad idea. It's bad for the person doing the redirecting, because it doesn't accomplish everything the redirector thinks it does. It's bad for the people being redirected, because it makes the web harder to use.

Bad for You

Again, as I hinted earlier, web authors considering using stealth redirection fall into one of two camps: Penny-pinchers who've acquired an inexpensive domain at one hosting company, but host their webpages at a cheaper company, and Spammers who want to give one site as many domain names as possible.

Both types of authors are expecting a new domain to change how search engines see their websites, but they expect completely opposite outcomes: The cheapskate just wants the domain name to replace his old address, while the spammer wants the same content indexed under as many domain names as possible. Neither one of these authors is going to get what s/he wants.

Search engines don't like framed pages (because they're users, after a fashion, and frames aren't good for users). Frames "break the web" by taking multiple resources (pages) and obscuring their address. Search engines are all about finding out the addresses of things, so they're not designed to look at frames the way humans do. (Also, search engines don't really have eyes.)

There are two possible outcomes when a search engine tries to index a web page containing frames:

  1. The "stupid" smart engines won't be able to read the FRAME element (which points to the pages containing the real content), and the search engine won't index anything except the page doing the framing. Stupid search engines won't find the site they're supposed to be forwarded to.
  2. The "smart" search engines will be able to read the FRAME element, will be forwarded to the other site, and will index the other site using the other site's address. Smart search engines won't be fooled by stealth redirection.

So there you have it. Stealth redirection isn't going to full any search engine that doesn't agree to be fooled. You'll either be hiding all your pages from the engines, or showing them you're real address. If you really want your site's content indexed under your domain name, you should give up and get a better hosting account.

Bad for Them

Now that you know what you're doing to yourself if you use stealth redirection, it's time to learn what you're doing to the users of your website. These problems aren't unique to stealth redirection; they occur every time you use frames.

  1. You're breaking their bookmarks. Think about it for a minute. If the same address is appearing for every page in your site, the users' browsers are going to think every page has the same address. If they try to bookmark a page deep inside your site, the browser is going to think they've bookmarked the top page. You're forcing users to renavigate through your site everytime they follow a bookmark. They're not going to like that.
  2. You're silencing word of mouth. If users can't identify the URL of pages they like, it's harder for them to share the site with their friends. They can't e-mail an address they can't see.
  3. You're preventing them from saving a copy. If a user sees a page on your site worth saving to his hard drive, his browser may save the wrong files.
  4. You're swallowing the rest of the web. Unless you code your HTML extra-carefully, the address-obscuring effects of stealth redirection won't end at your website: links to other sites will enclose those sites in your frameset, hiding those sites addresses, too. This can hurt you both ways: Your users get confused and think you're responsible for sites that aren't yours, while the owners of those other sites might think you're trying to take credit for their work. If you're not careful, you get everybody angry at you.

Frames, in general, are just bad information architecture. The Web is a hypertext system, and good hypertext systems require every resource to have a unique address. When you obscure addresses with frames, you're breaking the web.

You think I'm being harsh? Look how long Arnoud "Galactus" Engelfriet goes on about FRAME.

How It's Done

This is usually the point where cheapskates decide they need to think about the issues some more, and leave me alone. It's also the point where aspiring spammers get all pissy and demand I stop the moral lecturing and tell them how to do it. I hate the spammers, but I also hate that some web hosting companies try to turn two lines of HTML into a trade secret, so I'm going to tell you anyway.

So, go ahead. Break your browser, ruin the web, destroy hypertext as we know it. See if I care. There's a special place in Hell for people like you.

The "trick" is all too simple: Make a FRAMESET with only one FRAME, and set your attributes wrong. It'll look like this:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html>
<head>
<title>Stealth Redirect Example</title>
<head>
<frameset rows="100%,*" border="0" frameborder="0" framespacing="0">
<frame src="http://example.com/" frameborder="0">
</frameset>
<noframe>
<body>
<p>This is where you apologize for being a idiot who uses frames.</p>
</body>
</noframes>
</html>

What's going on here? It's pretty simple, actually. Normally, a FRAMESET element contains two or more FRAME elements. Each FRAME tells the browser the location of the file to display. For stealth redirection, we only designate one frame (pointing to the site listed in the src attribute), and use the value of the rows attribute to blow that frame up to fill the whole frameset.

By the way, this demonstration isn't valid HTML, because FRAMESET doesn't have a frameborder attribute in the HTML 4.0 DTD. (That's also why I used the minimized DOCTYPE declaration; it would be inaccurate to point to an URL that doesn't describe the markup I'm using.) Unfortunately, you need it for backwards-compatibility with older versions of Navigator and Explorer.

If you don't want external links to appear in your frameset, you have to alter every hyperlink to an external URL by adding a target attribute. You have two choices:

<a href="http://www.example.com/" target="_top">example.com</a>

will make example.com replace your site in the browser window, displaying example.com's URL.

<a href="http://www.example.com/" target="_blank">example.com</a>

will make example.com appear in a new browser window.

[an error occurred while processing this directive]