On Tue, 18 Sep 2012, Justin Lebar wrote: > > The issue isn't a history.back() which crosses origins -- that seems > fine -- but rather calling history.back() on a cross-origin window. > (Sorry that wasn't clear.)
Aah, ok. The spec already says that's not allowed. You can't get to the History object of a cross-origin Window: http://www.whatwg.org/specs/web-apps/current-work/#security-window (I forget what the story is if you get a History object from a same-origin Window, then have the browsing context navigated, then use the History object you kept around... I expect it is supposed to work much as if you were to call it on the new, cross-origin, History object, though.) -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'