[whatwg] Navigation and history traversal issues
Ian Hickson
ian at hixie.ch
Tue Sep 18 20:01:24 PDT 2012

On Tue, 18 Sep 2012, Justin Lebar wrote:
>
> This is all great; thanks for the quick turnaround!
>
> > I've also made back()/forward()/go() not work during the document's
> > unload handler, since that could be used for griefing. I'm tempted to
> > disable it entirely for all docs a la alert(), but I've no idea if
> > that's Web-compatible and I suspect not.
>
> I don't know what you mean by the last sentence here. In my tests, IE
> and Opera do not support cross-origin back/forward/go, if that's what
> you mean. I don't see any good reason for us to support that in
> Firefox, either, if we could get away with removing it.

I meant blocking all scripted back/forward session history traversal while
any page is running the unload algorithms.

As far as cross-origin back/forward, there are 404 pages on the Web that
have javascript:history.back() links; these would break for cross-origin
links if we blocked cross-origin history traversal. I don't really see
much point. What's the security risk?
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'