>> > I've also made back()/forward()/go() not work during the document's
>> > unload handler, since that could be used for griefing. I'm tempted to
>> > disable it entirely for all docs a la alert(), but I've no idea if
>> > that's Web-compatible and I suspect not.
>>
>> I don't know what you mean by the last sentence here. In my tests, IE
>> and Opera do not support cross-origin back/forward/go, if that's what
>> you mean. I don't see any good reason for us to support that in
>> Firefox, either, if we could get away with removing it.
>
> I meant blocking all scripted back/forward session history traversal while
> any page is running the unload algorithms.

Ah, I see. I don't have any idea if that's a good idea or not, so, okay. :)

> As far as cross-origin back/forward, there are 404 pages on the Web that
> have javascript:history.back() links; these would break for cross-origin
> links if we blocked cross-origin history traversal. I don't really see
> much point. What's the security risk?

The issue isn't a history.back() which crosses origins -- that seems fine -- but rather calling history.back() on a cross-origin window. (Sorry that wasn't clear.)

It's not clear that this poses a security risk (otherwise, I'm sure we'd have removed it by now), aside from making it easier to tickle Firefox into buggy states like this bug [1]. But it's also not clear to me what benefit there is to being able to call back() on an arbitrary window. I guess I can navigate a window, so I might as well be able to make it go back? But those aren't quite the same thing.

-Justin

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=737307