<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Sebastian,<div>The same-origin is pretty clearly specified, I've included the excerpt from the spec below. Your suggestion for clarity on updating Location fields in the the UI would be a part of step five in the description of pushState in section 6.10.2 is a good one. Ian, I feel like this counts as a possible action item.</div><div>Nathan</div><div><br></div><div>***</div><div><br></div><div>Possible Action Items</div><div>1. Clarify how the user agent uses the calculated location value from the pushState description step 2 in section 6.10.2 in terms of being reflected in the Location object.</div><div><br></div><div>It is my opinion that this URL should be reflected in the Location value. This would imply that it would be reflected in the location bar of user agents that have this as part of their UI. It seems that the place to include this clarification would be the pushState description step 5 in section 6.10.2</div><div><br></div><div>2. Clarify that pushState() does not cause navigation.</div><div><br></div><div>I read the spec quite a few times and still got this wrong, apparently. Making this completely clear would not hurt.</div><div><br></div><div><br></div><div>***</div><div><br></div><div>If a third argument is specified, run these substeps:</div><div><div> <div>1. Resolve the value of the
third argument, relative to the first script's base URL.</div> <div>2. If that fails, raise a SECURITY_ERR exception and
abort the pushState()
steps.</div> <div>3. Compare the resulting absolute URL to the
document's address. If any part of these two URLs differ other than the <path>, <query>, and <fragment> components, then
raise a SECURITY_ERR exception and abort the pushState() steps.</div><p align="">For the purposes of the comparison in the above substeps, the
<path> and <query> components can only be the
same if the URLs use a hierarchical <scheme>.</p></div></div><div><br><div><div>On Jul 30, 2009, at 10:27 AM, Sebastian Markbåge wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div>Jonas,</div><div><br></div><div>That is my interpretation too. But I think it's a little unclear whether that means that the UA should update any Location fields in the UI. I understand that this may be optional or outside the scope, but I think that it should still be mentioned.</div> <div><br></div><div>Now if the UA is suppose to update the Location field, shouldn't push state URL be subject to same-domain policies? Is that defined clearly?</div><div><br></div><div>Otherwise, this can be used during phishing attacks.</div> <div><br></div><div>Sebastian</div><div><br></div><div class="gmail_quote">On Thu, Jul 30, 2009 at 4:13 PM, Nathan Hammond <span dir="ltr"><<a href="mailto:nathan@nathanhammond.com">nathan@nathanhammond.com</a>></span> wrote:<br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Hey Jonas et al.:<br> Thanks for the reply, forgive my disbelief on Clarification 1. :) If I'm completely with you, that is entirely unexpected on my part (and I've read this part of the spec a few times). Is this to imply that, no matter what the arguments to pushState(), if the path is relative to the current URL there will be no request for a new document and no user-agent initiated network activity?<br> <br> This is a behavior I'm fine with and will meet my needs just as well, I was simply expecting to have to use the approach from Clarification 2 in order to retain my document object. It does however lend itself to some confusion when paired with user agents that don't yet support the history portions of the spec as they will have to be handled with hash-based addressing while those that support pushState() will have more sane URLs--but that is no matter in the grand scheme of things.<br> <br> Also, that would imply that the popstate only fires when you're navigating through history. Is that correct?<br> <br> Thanks!<br><font color="#888888"> Nathan</font><div><div></div><div class="h5"><br> <br> On Jul 30, 2009, at 4:42 AM, Jonas Sicking wrote:<br> <br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> On Wed, Jul 29, 2009 at 7:38 PM, Nathan Hammond<<a href="mailto:nathan@nathanhammond.com" target="_blank">nathan@nathanhammond.com</a>> wrote:<br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Clarifications<br> 1. window.history.pushState({}, "Title",<br> "/path/to/new/file.html?s=newvalue#newhash") replaces the current document<br> object with the one specified by the new URL. It then causes the event<br> popstate to fire immediately after the load event, correct?<br> </blockquote> <br> No. The above line with change the uri of the existing document to be<br> "<a href="http://example.com/path/to/new/file.html?s=newvalue#newhash" target="_blank">http://example.com/path/to/new/file.html?s=newvalue#newhash</a>" (with<br> the part before 'path' obviously depending on where the original page<br> lives).<br> <br> So no network activity takes place and the Document node remains the<br> same. Also no popstate event is fired.<br> <br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> 2. window.history.pushState({}, "Title", "#newhash") creates a new history<br> state object with the specified data object, the specified title, the same<br> document object, and a location object that replaces the existing hash with<br> "#newhash", correct?<br> </blockquote> <br> Yes.<br> <br> / Jonas<br> </blockquote> <br> </div></div></blockquote></div><br></blockquote></div><br></div></body></html>