Re: [whatwg] Modifying the URL inside beforeunload event

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Sun, 2 Nov 2014 09:28:01 -0800
Message-ID: <CALx_OUAeZMrQqfRWPt_+fLw+4O7mVyvbdkuZj9Vyxs1kOQNLNg@mail.gmail.com>
To: cowwoc <cowwoc@bbs.darktech.org>
Cc: WHATWG <whatwg@whatwg.org>

> I believe I have a legitimate use-case (described in comment #9) for needing
> to change the URL in "beforeunload".

I am probably at least partly to blame for the browsers not letting
you do that - I reported several onbeforeunload attacks some 8 years
ago. Sorry! :-)

In general, there is a security-driven desire to prevent a website
from "trapping" visitors and not allowing them to navigate away. This
is not just a matter of nuisance attacks, but when employed in a clever
way, can be a powerful tool for phishing if you can convince the user
to type in a known URL and then spoof the page transition.

If we end up allowing navigation to be aborted or modified from within
unload-related events, we need to keep that in mind.

/mz
Received on Sunday, 2 November 2014 17:28:53 UTC
