
Re: Ajax Back/Forward History problem document state by document.save()

From: kenny heaton <kennyheaton@gmail.com>
Date: Thu, 24 Nov 2005 13:27:22 -0800
Message-ID: <65b4e01f0511241327v54473b86qa8b98603d4fab923@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: public-webapi@w3.org

> > The document.save method has the added risk that someone could put
> > URIs in the history to pages the user never visited and does not want
> > to visit without them knowing.
>
> I am not sure this is a security risk; could you expand on this?

What I meant was that a user could visit a page and unknowingly the
developer of that page could then put any other URL in their history,
so when they press the back button, instead of going to where they
were (where they expect and wanted to go) they're sent to some gimmicky
marketing page for a product they don't want, or a porn site or who
knows where. This is my underlying concern with messing with the
user's history: how will it be abused and frustrate users?

My concern with pushState is the lack of ability to bookmark pages.
Ian said: "Yeah, one of the suggestions being considered for
pushState() is the ability to also associate a URI with the state so
that it can be bookmarked." How would this work? Would the browser
have to keep the object passed into pushState saved somewhere so when
that URL was visited again, it could be retrieved? Wouldn't it be
easier to save information in the URL itself in the query string?
Could you pass a collection of name-value pairs that would be added to
the existing URL as the query string so the page could be bookmarked
and placed in history and re-created any time it is needed? I guess
instead of saving an object in cache it just saves name-value pairs in
the URL, and it becomes easier to retrieve, and the developer wouldn't
be able to write the actual address of the page, preventing my concern
above.

Kenny
Received on Thursday, 24 November 2005 21:27:46 GMT
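
The name-value-pair idea from the message above, sketched as an added example (not part of the original post and not a browser API): `stateUrl`, `stateFromUrl` and `sameDocument` are hypothetical helper names, and the URLs used with them are constructed samples. It shows that when a page can supply only query-string pairs, the history entry stays on the same origin and path and the state can be rebuilt from a bookmark.

```javascript
// Added example: hypothetical helpers, not part of any browser API.

// Build the URL for a new history entry from the current page URL and a
// set of name-value pairs. The caller never supplies an address, only
// pairs, so the entry keeps the origin and path the user is already on.
function stateUrl(currentHref, pairs) {
  const url = new URL(currentHref);
  const params = new URLSearchParams();
  for (const [name, value] of Object.entries(pairs)) {
    // Values are stored as strings and percent-encoded by URLSearchParams,
    // so "&", "=", "#" or "/" in a value cannot break out of the query.
    params.set(name, String(value));
  }
  url.search = params.toString(); // replaces any previous query string
  url.hash = "";                  // drop the fragment of the old state
  return url.href;
}

// Recreate the state from a bookmarked or history URL.
// Object.fromEntries defines own properties, so a pair named "__proto__"
// is stored as data instead of touching the prototype chain.
function stateFromUrl(href) {
  return Object.fromEntries(new URL(href).searchParams);
}

// Check that a candidate history URL differs from the current page only
// in its query string or fragment (same origin, same path).
function sameDocument(currentHref, candidateHref) {
  const current = new URL(currentHref);
  const candidate = new URL(candidateHref, currentHref);
  return current.origin === candidate.origin &&
         current.pathname === candidate.pathname;
}
```
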
