W3C home > Mailing lists > Public > whatwg@whatwg.org > September 2012

Re: [whatwg] Navigation and history traversal issues

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 19 Sep 2012 03:01:24 +0000 (UTC)
To: Justin Lebar <justin.lebar@gmail.com>
Message-ID: <Pine.LNX.4.64.1209190259220.1904@ps20323.dreamhostps.com>
Cc: WHAT Working Group <whatwg@whatwg.org>
On Tue, 18 Sep 2012, Justin Lebar wrote:
>
> This is all great; thanks for the quick turnaround!
> 
> > I've also made back()/forward()/go() not work during the document's 
> > unload handler, since that could be used for griefing. I'm tempted to 
> > disable it entirely for all docs a la alert(), but I've no idea if 
> > that's Web- compatible and I suspect not.
> 
> I don't know what you mean by the last sentence here.  In my tests, IE 
> and Opera do not support cross-origin back/forward/go, if that's what 
> you mean.  I don't see any good reason for us to support that in 
> Firefox, either, if we could get away with removing it.

I meant blocking all scripted back/forward session history traversal while 
any page is running the unload algorithms.

As far as cross-origin back/forward, there are 404 pages on the Web that 
have javascript:history.back() links; these would break for cross-origin 
links if we blocked cross-origin history traversal. I don't really see 
much point. What's the security risk?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 19 September 2012 03:01:51 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:45 UTC