- From: ROBO Design <robodesign@gmail.com>
- Date: Fri, 25 Nov 2005 23:03:35 +0200
- To: "Ian Hickson" <ian@hixie.ch>, public-webapi@w3.org

On Fri, 25 Nov 2005 22:10:12 +0200, Ian Hickson <ian@hixie.ch> wrote:

> The real question is can you use document.save() for evil in a way that is
> more serious than the way you can use those other features for evil.

True. This is why I propose that pushState() allow a URL as an argument, so it can behave in the same way as save() was suggested previously, but with a twist: some strict rules as to which URLs the author can use in the argument. Not a big twist, but it's something.

For example, the author of http://www.example.com/test.htm should not be allowed to insert in history a page from another TLD, domain or even subdomain.

Now a malicious web developer can still do bad things, like: flood the history. Yet, AFAIK, flooding/borking/breaking the back button can be done with pushState() as currently defined, so not a big difference (or is it?).

This is a problem similar to the alert() flood. Yet, the problem can be solved in the following way by UAs: block (or ask the user for confirmation) after a number of X pushed URLs in history by a page. This is something that can be applied to alert(s) too, yet in that case showing a checkbox can also be used (like in the good old Opera 6).

There's a real and important need to associate a bookmarkable URL with a pushState(), or separately ... with something new like the proposed save().

--
http://www.robodesign.ro
ROBO Design - We bring you the future

Received on Friday, 25 November 2005 20:59:07 UTC
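
The two user-agent checks proposed in the message above (restricting which URLs a page may push, and capping pushes per page), sketched as an added example that is not part of the original post or of any specification. `PushPolicy`, `maxPushes` and the result strings are hypothetical names, and the scheme and port comparisons are assumptions beyond the message, which names only TLD, domain and subdomain.

```javascript
// Added illustration; PushPolicy, maxPushes and the result strings are hypothetical names.
class PushPolicy {
  constructor(documentUrl, maxPushes = 3) {
    this.doc = new URL(documentUrl);
    this.maxPushes = maxPushes; // the "X" threshold from the message
    this.pushed = 0;
  }

  check(candidate) {
    let target;
    try {
      // Parse and resolve first, so relative, protocol-relative and
      // userinfo forms are judged by the host the browser would really use.
      target = new URL(candidate, this.doc);
    } catch (_err) {
      return "reject:invalid-url";
    }
    // Assumption beyond the message: scheme and port must match too.
    if (target.protocol !== this.doc.protocol) return "reject:scheme";
    // Exact hostname match: another TLD, domain or subdomain all fail here.
    if (target.hostname !== this.doc.hostname) return "reject:host";
    if (target.port !== this.doc.port) return "reject:port";
    // Flood control: past the threshold the UA blocks or asks the user.
    if (this.pushed >= this.maxPushes) return "confirm:flood-limit";
    this.pushed += 1;
    return "allow";
  }
}

// Constructed sample inputs, checked against the page named in the message.
function demo() {
  const policy = new PushPolicy("http://www.example.com/test.htm", 3);
  const samples = [
    "page2.htm",
    "http://WWW.EXAMPLE.COM:80/a?b=1#c",
    "http://sub.example.com/",
    "http://www.example.org/",
    "//other.example/x",
    "http://www.example.com.other.test/",
    "http://www.example.com@other.test/",
    "https://www.example.com/",
    "http://www.example.com:8080/",
    "/third",
    "/fourth",
  ];
  return samples.map((u) => [u, policy.check(u)]);
}
```

Comparing parsed hostnames rather than string prefixes is what keeps `www.example.com.other.test` and `www.example.com@other.test` from passing as the original site.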