- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 19 Sep 2012 03:01:24 +0000 (UTC)
- To: Justin Lebar <justin.lebar@gmail.com>
- Cc: WHAT Working Group <whatwg@whatwg.org>
On Tue, 18 Sep 2012, Justin Lebar wrote:
>
> This is all great; thanks for the quick turnaround!
>
> > I've also made back()/forward()/go() not work during the document's
> > unload handler, since that could be used for griefing. I'm tempted to
> > disable it entirely for all docs a la alert(), but I've no idea if
> > that's Web-compatible and I suspect not.
>
> I don't know what you mean by the last sentence here. In my tests, IE
> and Opera do not support cross-origin back/forward/go, if that's what
> you mean. I don't see any good reason for us to support that in
> Firefox, either, if we could get away with removing it.

I meant blocking all scripted back/forward session history traversal while
any page is running the unload algorithms.

As far as cross-origin back/forward, there are 404 pages on the Web that
have javascript:history.back() links; these would break for cross-origin
links if we blocked cross-origin history traversal. I don't really see
much point. What's the security risk?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 19 September 2012 03:01:51 UTC