>> > I've also made back()/forward()/go() not work during the document's
>> > unload handler, since that could be used for griefing. I'm tempted to
>> > disable it entirely for all docs a la alert(), but I've no idea if
>> > that's Web- compatible and I suspect not.
>>
>> I don't know what you mean by the last sentence here.  In my tests, IE
>> and Opera do not support cross-origin back/forward/go, if that's what
>> you mean.  I don't see any good reason for us to support that in
>> Firefox, either, if we could get away with removing it.
>
> I meant blocking all scripted back/forward session history traversal while
> any page is running the unload algorithms.

Ah, I see.  I don't have any idea if that's a good idea or not, so, okay.  :)

> As far as cross-origin back/forward, there are 404 pages on the Web that
> have javascript:history.back() links; these would break for cross-origin
> links if we blocked cross-origin history traversal. I don't really see
> much point. What's the security risk?

The issue isn't a history.back() which crosses origins -- that seems
fine -- but rather calling history.back() on a cross-origin window.
(Sorry that wasn't clear.)

It's not clear that this poses a security risk (otherwise, I'm sure
we'd have removed it by now), aside from making it easier to tickle
Firefox into buggy states like this bug [1].  But it's also not clear
to me what benefit there is to being able to call back() on an
arbitrary window.

I guess I can navigate a window, so I might as well be able to make it
go back?  But those aren't quite the same thing.

-Justin

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=737307

Reply via email to