[whatwg] Better model for avoiding history spam from pushState?
L. David Baron
dbaron at dbaron.org
Mon Nov 21 16:13:41 PST 2005
In http://lists.w3.org/Archives/Public/public-webapi/2005Nov/0017 , I
wrote a comment on a WHATWG spec,
http://whatwg.org/specs/web-apps/current-work/#scs-session , which I
quote here:
> On Monday 2005-11-21 07:44 -0800, Kenny wrote:
[...]
> > My big concern with both document.save and pushState is security. The
> > pushState method has a recommendation for security, "It is suggested
> > that to avoid letting a page "hijack" the history navigation
> > facilities of a UA by abusing pushState(), the UA provide the user
> > with a way to jump back to the previous page (rather than just going
> > back to the previous state).", but if this is not implemented,
> > malicious developers could take control of the user's navigation.
>
> I think a better solution than extra user interface is a solution like
> what popup blocking uses: pushState (like window.open these days)
> should only be allowed while handling a user event like a click or a
> keypress that expresses the user's choice to navigate to a different
> state (like navigating to a different page).
-David
--
L. David Baron <URL: http://dbaron.org/ >
Technical Lead, Layout & CSS, Mozilla Corporation
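An added example, not code from David Baron's message or from the WHATWG spec: a toy model of the rule proposed above, under which pushState is honoured only while the page is handling a user event such as a click or keypress, the same gate popup blockers put in front of window.open. All names here (SessionHistory, UserActivation, guardedPushState, and the demo functions) are hypothetical, and the one-push-per-gesture limit in UserActivation.consume is an extension of the proposal, borrowed from how popup blockers consume a user gesture; the message itself only asks that a user event be in progress.

```javascript
// Toy model of "pushState only during a user event" (added example; the
// names below are hypothetical and not from the original message or spec).

// Minimal session history: a list of entries plus a cursor.
class SessionHistory {
  constructor(initialUrl) {
    this.entries = [{ url: initialUrl, state: null }];
    this.index = 0;
  }
  get length() { return this.entries.length; }
  current() { return this.entries[this.index]; }
  back() {
    if (this.index > 0) this.index -= 1;
    return this.current();
  }
}

// Tracks whether script is currently running inside a handler for a
// trusted user event (what browsers call "user activation").
class UserActivation {
  constructor() { this.active = false; this.consumed = false; }

  // Run `handler` as if the UA were dispatching a trusted user event.
  dispatchTrustedEvent(type, handler) {
    const userEventTypes = new Set(['click', 'keypress']);
    if (!userEventTypes.has(type)) throw new Error(`not a user event: ${type}`);
    this.active = true;
    this.consumed = false;
    try { handler(); } finally { this.active = false; this.consumed = false; }
  }

  // One navigation per gesture: the first caller in a handler wins, later
  // calls in the same handler are refused. Popup blockers treat window.open
  // this way; the original message only requires an event to be in progress,
  // so this limit is an assumption layered on top of the proposal.
  consume() {
    if (!this.active || this.consumed) return false;
    this.consumed = true;
    return true;
  }
}

// pushState gated on user activation. Calls from timers, load handlers or
// loops outside a user event return false and leave history untouched.
function guardedPushState(history, activation, state, url) {
  if (!activation.consume()) return false;
  // Same semantics as a real pushState: drop forward entries, then append.
  history.entries.length = history.index + 1;
  history.entries.push({ url, state });
  history.index = history.entries.length - 1;
  return true;
}

// Scenario 1 (the attack): a page calls pushState in a loop on load so the
// user would need many Back presses to leave it. Returns how many stuck.
function spamFromLoadHandler(history, activation, n) {
  let accepted = 0;
  for (let i = 0; i < n; i++) {
    if (guardedPushState(history, activation, { i }, `/spam/${i}`)) accepted++;
  }
  return accepted;
}

// Scenario 2 (legitimate use): an in-page navigation the user chose by
// clicking, e.g. a tab in a single-page application.
function pushFromClick(history, activation, url) {
  let accepted = false;
  activation.dispatchTrustedEvent('click', () => {
    accepted = guardedPushState(history, activation, { tab: url }, url);
  });
  return accepted;
}

// Scenario 3 (edge case): a click handler that itself loops. Only the first
// push is accepted, so a single click cannot be turned into a pile of entries.
function pushLoopFromClick(history, activation, n) {
  let accepted = 0;
  activation.dispatchTrustedEvent('click', () => {
    for (let i = 0; i < n; i++) {
      if (guardedPushState(history, activation, { i }, `/loop/${i}`)) accepted++;
    }
  });
  return accepted;
}

function demo() {
  const history = new SessionHistory('/start');
  const activation = new UserActivation();
  const spamAccepted = spamFromLoadHandler(history, activation, 100); // 0
  const clickAccepted = pushFromClick(history, activation, '/tab/2');  // true
  const loopInClick = pushLoopFromClick(history, activation, 5);       // 1
  return {
    spamAccepted, clickAccepted, loopInClick,
    length: history.length,      // 3: /start, /tab/2, /loop/0
    backUrl: history.back().url, // one Back press lands on /tab/2
  };
}

console.log(JSON.stringify(demo()));
```

The model runs under Node with no browser involved; in a real UA the `activation` object corresponds to the user-activation state that modern browsers now expose to pages as `navigator.userActivation.isActive`, and the gate would sit inside the UA's own pushState implementation rather than in page script.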