Re: [whatwg] Navigation and history traversal issues from Andrew Oakley on 2013-08-22 (public-whatwg-archive@w3.org from August 2013)

From: Andrew Oakley <andrew@ado.is-a-geek.net>
Date: Thu, 22 Aug 2013 13:31:02 +0100
To: Ian Hickson <ian@hixie.ch>
Cc: WHAT Working Group <whatwg@whatwg.org>
Message-ID: <52160486.4040908@ado.is-a-geek.net>

On 19/09/12 01:18, Ian Hickson wrote:
> I've changed the spec so that traversing the history by a delta
> always cancels any pending navigations unless you're in the middle of
> an unload, in which case it just aborts the algorithm entirely.
> 
> I've also made back()/forward()/go() not work during the document's
> unload handler, since that could be used for griefing. I'm tempted to
> disable it entirely for all docs a la alert(), but I've no idea if
> that's Web- compatible and I suspect not.

I assume this is where steps 3 and 4 of the "traverse the history by a
delta" algorithm came from.

It's not clear from the spec which browsing context and document these
steps refer to.  Is it the "specified browsing context" and the active
document of that context (I think that makes most sense)?

Additionally it isn't clear which event loop the task should be
associated with.

> Aah, ok. The spec already says that's not allowed. You can't get to
> the History object of a cross-origin Window:
> 
> http://www.whatwg.org/specs/web-apps/current-work/#security-window
> 
> (I forget what the story is if you get a History object from a
> same-origin Window, then have the browsing context navigated, then
> use the History object you kept around... I expect it is supposed to
> work much as if you were to call it on the new, cross-origin, History
> object, though.)

The implication here as that you should never be able to do a history
traversal of a browsing context that is not same origin (and so there is
only one event loop to choose from).  The "story" about keeping history
objects around seems does not seem to be specified anywhere (so the
assumption was that it should work as normal).

It looks like some browsers don't let you use history objects you kept
around (they should probably throw an InvalidStateError), others let you
use them if the current document of the relevant browsing context is
same-origin (and should probably throw a SecurityError).

It's rather awkward to test this, but can we have something in the spec
to prevent cross-origin history traversal?  If this is not in the same
section as the "traverse the history by a delta" algorithm can we have a
note to say that this can never happen cross-origin?

Thanks

-- 
Andrew Oakley

Received on Thursday, 22 August 2013 12:31:32 UTC