- From: kenny heaton <kennyheaton@gmail.com>
- Date: Thu, 24 Nov 2005 13:27:22 -0800
- To: Ian Hickson <ian@hixie.ch>
- Cc: public-webapi@w3.org
> > The document.save method has the added risk that someone could put
> > URIs in the history to pages the user never visited and does not want
> > to visit without them knowing.
>
> I am not sure this is a security risk; could you expand on this?

What I meant was that a user could visit a page and, unknowingly, the developer of that page could then put any other URL in their history, so when they press the back button, instead of going to where they were (where they expected and wanted to go), they're sent to some gimmicky marketing page for a product they don't want, or a porn site, or who knows where. This is my underlying concern with messing with the user's history: how will it be abused and frustrate users?

My concern with pushState is the lack of ability to bookmark pages. Ian said:
"Yeah, one of the suggestions being considered for pushState() is the ability to also associate a URI with the state so that it can be bookmarked."

How would this work? Would the browser have to keep the object passed into pushState saved somewhere so that when that URL was visited again, it could be retrieved? Wouldn't it be easier to save information in the URL itself, in the query string? Could you pass a collection of name/value pairs that would be added to the existing URL as the query string, so the page could be bookmarked and placed in history and re-created any time it is needed?

I guess instead of saving an object in cache it just saves name/value pairs in the URL, and it becomes easier to retrieve, and the developer wouldn't be able to write the actual address of the page, preventing my concern above.

Kenny
Received on Thursday, 24 November 2005 21:27:46 UTC
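
The query-string approach proposed in the message above, sketched as an added example that is not part of the original message or of any browser API. The function names `urlForState`, `stateFromUrl` and `sameDocument` are hypothetical, and the URLs are constructed sample values.

```javascript
// Added example: history entries built only from name/value pairs, modelled
// with the standard URL and URLSearchParams classes. Names are hypothetical.

// Build the URL a history entry would get: same scheme, host and path as
// the current page, with only the query string replaced by the pairs.
function urlForState(currentUrl, pairs) {
  const url = new URL(currentUrl);
  const query = new URLSearchParams();
  for (const [name, value] of Object.entries(pairs)) {
    // URLSearchParams percent-encodes names and values, so "/", "?", "#"
    // or "://" inside them cannot change the host or the path.
    query.append(String(name), String(value));
  }
  url.search = query.toString();
  url.hash = "";
  return url.href;
}

// Recreate the state from a bookmarked or revisited URL.
function stateFromUrl(href) {
  const state = {};
  for (const [name, value] of new URL(href).searchParams) {
    state[name] = value;
  }
  return state;
}

// Check that a history entry still points at the page that created it.
function sameDocument(a, b) {
  const x = new URL(a);
  const y = new URL(b);
  return x.origin === y.origin && x.pathname === y.pathname;
}

// Constructed sample input: one value tries to smuggle in another address.
const page = "https://app.example/mail/inbox?view=list";
const entry = urlForState(page, {
  folder: "sent",
  next: "https://other.example/ad?x=1#top",
});
console.log(entry);
console.log(stateFromUrl(entry));
console.log(sameDocument(page, entry));
```

The smuggled address survives only as data inside the `next` parameter; the entry's host and path remain those of the page that created it.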