
Re: Ajax Back/Forward History problem document state by document.save()

From: ROBO Design <robodesign@gmail.com>
Date: Fri, 25 Nov 2005 23:03:35 +0200
To: "Ian Hickson" <ian@hixie.ch>, public-webapi@w3.org
Message-ID: <op.s0td39dbmapogm@duron.mshome.net>

On Fri, 25 Nov 2005 22:10:12 +0200, Ian Hickson <ian@hixie.ch> wrote:

> The real question is can you use document.save() for evil in a way that is
> more serious than the way you can use those other features for evil.

True. This is why I propose that pushState() allow a URL as an  
argument, so it can behave in the same way as save() was suggested  
previously, but with a twist: some strict rules as to which URLs the  
author can use in the argument. Not a big twist, but it's something.

For example, the author of http://www.example.com/test.htm should not be  
allowed to insert in history a page from another TLD, domain or even  
subdomain.

Now a malicious web developer can still do bad things, like flooding the  
history. Yet, AFAIK, flooding/borking/breaking the back button can be done  
with pushState() as currently defined, so not a big difference (or is  
it?). This is a problem similar to the alert() flood.

Yet, the problem can be solved in the following way by UAs: block (or ask  
the user for confirmation) after a number of X pushed URLs in history by a  
page. This is something that can be applied to alert(s) too, yet in that  
case showing a checkbox can also be used (like in the good old Opera 6).

There's a real and important need to associate a bookmarkable URL with a  
pushState(), or separately ... with something new like the proposed save().

-- 
http://www.robodesign.ro
ROBO Design - We bring you the future
Received on Friday, 25 November 2005 20:59:07 GMT
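The two rules this message proposes (a same-origin restriction on the URL passed to pushState(), and a per-page cap on pushed entries) can be modelled in a few lines. The guard below is an added example, not code from the thread or from any browser; the names `sameOrigin`, `HistoryGuard` and `pushLimit` are assumptions, and the origin check goes slightly beyond the text by also comparing scheme and port, which is how browsers define an origin.

```javascript
// Added example: a guard modelling the same-origin rule and the push cap
// proposed in the thread. Identifiers here are assumptions, not spec names.

// True when candidateUrl (possibly relative) resolves to the same origin as
// pageUrl. Origin = scheme + host + port, so a different subdomain, a
// different scheme, or a protocol-relative URL to another host all fail.
function sameOrigin(pageUrl, candidateUrl) {
  const page = new URL(pageUrl);
  let target;
  try {
    target = new URL(candidateUrl, page); // resolve like pushState does
  } catch (e) {
    return false; // unparsable input is rejected, not guessed at
  }
  return target.origin === page.origin;
}

// Records pushes instead of touching real history, so it runs offline.
// pushLimit is the "X pushed URLs" threshold after which a UA would block
// or prompt; it is a constructed value, not one from the message.
class HistoryGuard {
  constructor(pageUrl, pushLimit = 20) {
    this.pageUrl = pageUrl;
    this.pushLimit = pushLimit;
    this.pushes = 0;
    this.entries = []; // absolute URLs accepted so far
  }

  // Returns a status string describing what a UA enforcing both rules
  // would do with this call.
  push(url) {
    if (!sameOrigin(this.pageUrl, url)) return 'rejected:cross-origin';
    if (this.pushes >= this.pushLimit) return 'blocked:limit';
    this.pushes += 1;
    this.entries.push(new URL(url, this.pageUrl).href);
    return 'pushed';
  }
}
```

The constructed page URL http://www.example.com/test.htm is the one used in the message; against it, http://example.com/ and https://www.example.com/ are both cross-origin.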
