[whatwg] Navigation and history traversal issues
ian at hixie.ch
Wed Sep 25 16:23:36 PDT 2013
On Thu, 22 Aug 2013, Andrew Oakley wrote:
> On 19/09/12 01:18, Ian Hickson wrote:
> > I've changed the spec so that traversing the history by a delta always
> > cancels any pending navigations unless you're in the middle of an
> > unload, in which case it just aborts the algorithm entirely.
> > I've also made back()/forward()/go() not work during the document's
> > unload handler, since that could be used for griefing. I'm tempted to
> > disable it entirely for all docs a la alert(), but I've no idea if
> > that's Web- compatible and I suspect not.
> I assume this is where steps 3 and 4 of the "traverse the history by a
> delta" algorithm came from.
Step 3. Step 4 is about canceling an existing navigation if you hit back.
> It's not clear from the spec which browsing context and document these
> steps refer to. Is it the "specified browsing context" and the active
> document of that context (I think that makes most sense)?
Hm. I meant it to be the Document of the History object, but you raise an
interesting point. This whole thing is rather poorly defined.
I've tried to clear it up.
> Additionally it isn't clear which event loop the task should be
> associated with.
I've tried to clear this up too. It turns out this wasn't taking into
account per-frame process isolation, anyway. I had to introduce yet
another kind of event loop. This does introduce some race conditions in
UAs with more than one event loop per tab, but I don't know what we can do
about that without adding in a lot of blocking during traversal, which I
am guessing wouldn't be popular.
> > Aah, ok. The spec already says that's not allowed. You can't get to
> > the History object of a cross-origin Window:
> > http://www.whatwg.org/specs/web-apps/current-work/#security-window
> > (I forget what the story is if you get a History object from a
> > same-origin Window, then have the browsing context navigated, then use
> > the History object you kept around... I expect it is supposed to work
> > much as if you were to call it on the new, cross-origin, History
> > object, though.)
> The implication here as that you should never be able to do a history
> traversal of a browsing context that is not same origin (and so there is
> only one event loop to choose from). The "story" about keeping history
> objects around seems does not seem to be specified anywhere (so the
> assumption was that it should work as normal).
> It looks like some browsers don't let you use history objects you kept
> around (they should probably throw an InvalidStateError), others let you
> use them if the current document of the relevant browsing context is
> same-origin (and should probably throw a SecurityError).
> It's rather awkward to test this, but can we have something in the spec
> to prevent cross-origin history traversal? If this is not in the same
> section as the "traverse the history by a delta" algorithm can we have a
> note to say that this can never happen cross-origin?
Well, no, not really, because it can. For example, if you have an iframe
that's cross-origin, and it's navigated, and then you call your own
History object's back() method, it'll actually traverse that iframe.
But a History object of a non-active Document is a different matter...
Looks like this will need help from WebIDL. I've filed bug 23359 and
marked it as blocked on bug 23358:
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the whatwg