[whatwg] "first script" and impersonating other pages - pushState(url)

Mike Wilson mikewse at hotmail.com
Thu Sep 3 06:27:38 PDT 2009


Ian Hickson wrote:
> 
> On Mon, 31 Aug 2009, Mike Wilson wrote:
> > 
> > Ian Hickson wrote:
> > >
> > > On Fri, 21 Aug 2009, Mike Wilson wrote:
> > > >
> > > > [...]
> > > > Imagine that I want my loaded page:
> > > >   /pages/section1/thing1
> > > > be able to impersonate:
> > > >   /pages/section2/thing2
> > > > how do you envision this to be structured? 
> > > > 
> > > > Something like this? :
> > > > 
> > > >   /pages/section1/thing1:
> > > >     <script src="/pages/script.js">
> > > >     <button onclick="impersonate();">
> > > > 
> > > >   /pages/script.js:
> > > >     function impersonate() {
> > > >       ...pushState(..., "/pages/section2/thing2");
> > > >     }
> > > 
> > > That would do it, yes.
> > 
> > [...] wouldn't the first script
> > (corresponding to the button click) be the implicitly 
> > generated event handler in:
> >   /pages/section1/thing1
> > with a basedir of
> >   /pages/section1
> > thereby making the call to:
> >   ...pushState(..., "/pages/section2/thing2");
> > throw SECURITY_ERR in step 2.2 of the pushState
> > algorithm?
> 
> No, why?

Because I was interpreting the following from the spec
and your previous mail:
- clicking the <button> will trigger the anonymous
  event handler in /pages/section1/thing1 and will 
  result in activating a first script with 
  basedir=/pages/section1
- when the anonymous event handler calls into the
  impersonate() function defined in /pages/script.js
  the initial script (and basedir) remains as "first 
  script" and does not activate basedir=/pages
- calling pushState(..., "/pages/section1/thing2") when
  first script's basedir=/pages/section1 will be ok
- calling pushState(..., "/pages/section2/thing2") when
  first script's basedir=/pages/section1 will not be 
  allowed (and throw).

Is any of these wrong?

Best regards
Mike




More information about the whatwg mailing list