W3C home > Mailing lists > Public > whatwg@whatwg.org > September 2012

Re: [whatwg] Navigation and history traversal issues

From: Justin Lebar <justin.lebar@gmail.com>
Date: Tue, 18 Sep 2012 23:09:02 -0400
Message-ID: <CAFWcpZ7O19rh8QWsYQh7e3BjU+tJoNzEqp2S7bH0D36UJtzcug@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: WHAT Working Group <whatwg@whatwg.org>
>> > I've also made back()/forward()/go() not work during the document's
>> > unload handler, since that could be used for griefing. I'm tempted to
>> > disable it entirely for all docs a la alert(), but I've no idea if
>> > that's Web- compatible and I suspect not.
>> I don't know what you mean by the last sentence here.  In my tests, IE
>> and Opera do not support cross-origin back/forward/go, if that's what
>> you mean.  I don't see any good reason for us to support that in
>> Firefox, either, if we could get away with removing it.
> I meant blocking all scripted back/forward session history traversal while
> any page is running the unload algorithms.

Ah, I see.  I don't have any idea if that's a good idea or not, so, okay.  :)

> As far as cross-origin back/forward, there are 404 pages on the Web that
> have javascript:history.back() links; these would break for cross-origin
> links if we blocked cross-origin history traversal. I don't really see
> much point. What's the security risk?

The issue isn't a history.back() which crosses origins -- that seems
fine -- but rather calling history.back() on a cross-origin window.
(Sorry that wasn't clear.)

It's not clear that this poses a security risk (otherwise, I'm sure
we'd have removed it by now), aside from making it easier to tickle
Firefox into buggy states like this bug [1].  But it's also not clear
to me what benefit there is to being able to call back() on an
arbitrary window.

I guess I can navigate a window, so I might as well be able to make it
go back?  But those aren't quite the same thing.


[1] https://bugzilla.mozilla.org/show_bug.cgi?id=737307
Received on Wednesday, 19 September 2012 03:09:50 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:45 UTC