
Re: Ajax Back/Forward History problem document state by document.save()

From: L. David Baron <dbaron@dbaron.org>
Date: Mon, 21 Nov 2005 16:10:49 -0800
To: public-webapi@w3.org
Message-ID: <20051122001049.GA31954@ridley.dbaron.org>
On Monday 2005-11-21 07:44 -0800, Kenny wrote:
> I have to agree with Sylvain, that I think users would evolve as web
> applications do and the need for that back button might become
> unnecessary. Of course in the meantime there should be something to
> help those who still want to use the back button, but as fast as Ajax is
> growing, users may evolve before new technology can be implemented.

I disagree here:  link navigation is fundamental to the Web, and I don't
think the back and forward buttons will or should become obsolete.

> My big concern with both document.save and pushState is security. The
> pushState method has a recommendation for security, "It is suggested
> that to avoid letting a page "hijack" the history navigation
> facilities of a UA by abusing pushState(), the UA provide the user
> with a way to jump back to the previous page (rather than just going
> back to the previous state).", but if this is not implemented,
> malicious developers could take control of the user's navigation.

I think a better solution than extra user interface is a solution like
what popup blocking uses:  pushState (like window.open these days)
should only be allowed while handling a user event like a click or a
keypress that expresses the user's choice to navigate to a different
state (like navigating to a different page).

-David

-- 
L. David Baron                                <URL: http://dbaron.org/ >
           Technical Lead, Layout & CSS, Mozilla Corporation

Received on Tuesday, 22 November 2005 00:11:00 GMT
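
The gate proposed in the message above, modelled as an added JavaScript example (not part of the original message and not any browser's code): a session history that accepts pushState() only while a user-initiated click or keypress is being handled. `GatedHistory`, `dispatch()`, the `trusted` flag and the URLs are hypothetical names; treating page-synthesized events as non-user events is an assumption of this model.

```javascript
// Added model, not browser code: a session history that only accepts
// pushState() while a user-initiated event is being handled.
// GatedHistory, dispatch() and the URLs are hypothetical names for this sketch.
const USER_EVENTS = new Set(["click", "keypress"]);

class GatedHistory {
  constructor(url) {
    this.entries = [{ url, state: null }];
    this.index = 0;
    this.userInitiated = false; // true only inside a real user event handler
    this.blocked = [];          // rejected calls, kept so the UA could report them
  }

  // The UA runs a page handler. `trusted` is false for events the page
  // synthesized itself (assumption of this model: those never open the gate).
  dispatch(type, trusted, handler) {
    const prev = this.userInitiated;
    this.userInitiated = trusted && USER_EVENTS.has(type);
    try { handler(); } finally { this.userInitiated = prev; }
  }

  pushState(state, url) {
    if (!this.userInitiated) {
      this.blocked.push(url);
      return false;
    }
    this.entries.length = this.index + 1; // a push discards forward entries
    this.entries.push({ url, state });
    this.index++;
    return true;
  }

  back() {
    if (this.index > 0) this.index--;
    return this.entries[this.index].url;
  }
}

function demo() {
  const h = new GatedHistory("/start"); // constructed sample URLs
  h.pushState({}, "/trap-inline");                                   // no event: blocked
  h.dispatch("load", true, () => h.pushState({}, "/trap-load"));     // not a user event: blocked
  h.dispatch("click", false, () => h.pushState({}, "/trap-fake"));   // synthesized: blocked
  h.dispatch("click", true, () => h.pushState({ tab: 2 }, "/tab2")); // allowed
  return { length: h.entries.length, blocked: h.blocked, back: h.back() };
}
```

With the gate in place, one Back press from the single entry the user asked for returns to the starting page, and the rejected calls remain available for the UA to report.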
