[whatwg] Navigation and history traversal issues

Ian Hickson ian at hixie.ch
Tue Sep 18 20:01:24 PDT 2012


On Tue, 18 Sep 2012, Justin Lebar wrote:
>
> This is all great; thanks for the quick turnaround!
> 
> > I've also made back()/forward()/go() not work during the document's 
> > unload handler, since that could be used for griefing. I'm tempted to 
> > disable it entirely for all docs a la alert(), but I've no idea if 
> > that's Web-compatible and I suspect not.
> 
> I don't know what you mean by the last sentence here.  In my tests, IE 
> and Opera do not support cross-origin back/forward/go, if that's what 
> you mean.  I don't see any good reason for us to support that in 
> Firefox, either, if we could get away with removing it.

I meant blocking all scripted back/forward session history traversal while 
any page is running the unload algorithms.

As far as cross-origin back/forward, there are 404 pages on the Web that 
have javascript:history.back() links; these would break for cross-origin 
links if we blocked cross-origin history traversal. I don't really see 
much point. What's the security risk?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
