W3C home > Mailing lists > Public > whatwg@whatwg.org > November 2014

Re: [whatwg] Modifying the URL inside beforeunload event

From: cowwoc <cowwoc@bbs.darktech.org>
Date: Tue, 04 Nov 2014 09:34:53 -0500
Message-ID: <5458E40D.4020801@bbs.darktech.org>
To: Michal Zalewski <lcamtuf@coredump.cx>
Cc: WHATWG <whatwg@whatwg.org>
Hi Michal,

I'm relatively new to this mailing list. How do proposals make their way 
to action items here?

Thanks,
Gili

On 02/11/2014 4:53 PM, Michal Zalewski wrote:
> It's probably OK to replace the URL of the previous page if it
> otherwise doesn't interfere with the ongoing navigation. The old
> attacks predated the pushState / replaceStates API altogether.
>
> /mz
>
> On Sun, Nov 2, 2014 at 1:43 PM, cowwoc <cowwoc@bbs.darktech.org> wrote:
>> On 02/11/2014 12:28 PM, Michal Zalewski wrote:
>>>> I believe I have a legitimate use-case (described in comment #9) for
>>>> needing
>>>> to change the URL in "beforeunload".
>>> I am probably at least partly to blame for the browsers not letting
>>> you do that - I reported several onbeforeunload attacks some 8 years
>>> ago. Sorry!:-)
>>>
>>> In general, there is a security-driven desire to prevent a website
>>> from "trapping" visitors and not allowing them to navigate away. This
>>> not just a matter of nuisance attacks, but when employed in a clever
>>> way, can be a powerful tool for phishing if you can convince the user
>>> to type in a known URL and then spoof the page transition.
>>>
>>> If we end up allowing navigation to be aborted or modified from within
>>> unload-related events, we need to keep that in mind.
>>>
>>> /mz
>>
>> Hi Michal,
>>
>> I had a feeling this was security related :)
>>
>> Correct me if I'm wrong, but don't the attacks you mentioned rely upon
>> access to history.back()/forward()? Would it be safe to allow
>> history.replaceState() while forbidding the other two? Meaning, we would
>> allow a page to rewrite its own address but not other pages' addresses.
>>
>> Gili
Received on Tuesday, 4 November 2014 14:35:35 UTC

This archive was generated by hypermail 2.3.1 : Monday, 13 April 2015 23:09:32 UTC