[whatwg] Better model for avoiding history spam from pushState?

L. David Baron dbaron at dbaron.org
Mon Nov 21 16:13:41 PST 2005

In http://lists.w3.org/Archives/Public/public-webapi/2005Nov/0017 , I
wrote a comment on a WHATWG spec,
http://whatwg.org/specs/web-apps/current-work/#scs-session , which I
quote here:

> On Monday 2005-11-21 07:44 -0800, Kenny wrote:
> > My big concern with both document.save and pushState is security. The
> > pushState method has a recommendation for security, "It is suggested
> > that to avoid letting a page "hijack" the history navigation
> > facilities of a UA by abusing pushState(), the UA provide the user
> > with a way to jump back to the previous page (rather than just going
> > back to the previous state).", but if this is not implemented,
> > malicious developers could take control of the users navigation.
> I think a better solution than extra user interface is a solution like
> what popup blocking uses:  pushState (like window.open these days)
> should only be allowed while handling a user event like a click or a
> keypress that expresses the user's choice to navigate to a different
> state (like navigating to a different page).


L. David Baron                                <URL: http://dbaron.org/ >
           Technical Lead, Layout & CSS, Mozilla Corporation
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20051121/7db03b03/attachment-0001.pgp>

More information about the whatwg mailing list