Closed Bug 639952 Opened 14 years ago Closed 4 years ago

History API allows sites to trivially and transparently disable the functionality of the back button, the address bar, and tab switching

Categories

(Core :: DOM: Navigation, defect)

Product:
Core
Component:
DOM: Navigation
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1515073

People

(Reporter: briansmith, Unassigned)

References

(Blocks 1 open bug)

Details

See http://probablyinteractive.com/url-hunter and thew news. Warning: you will not be able to navigate back to this bug by using the back button or the address bar. This demonstration uses the history API to rapidly change the current URL. After a few seconds the previous history will be deleted as it seems to work as a FIFO. Also, clicking the address bar or Ctrl+L to focus it will not work while the website is active.
See http://grack.com/blog/ for another demo (click the "Try it Now" button) and http://news.ycombinator.com/item?id=2301801 for some discussion.
Global history is what persists across browser sessions (visited/unvisited, etc), for what it's worth. Jason, should we consider nuking pushState'd entries before nuking real ones?
Component: History: Global → Document Navigation
QA Contact: history.global → docshell
In the demo http://probablyinteractive.com/url-hunter, press escape 10 times. This will cause all the brower's navigation (e.g. clicking on tabs) to stop working (though hover state on the tabs works and the Firefox menu works). One time the operating system reported Firefox as "not responding" and I had to kill it. Another time, I was able to close Firefox with the close button but Firefox stayed running (hidden) for several seconds such that I could not restart Firefox. But, it eventually did terminate on its own after about 10 seconds.
Summary: History API allows sites to trivially and transparently disable the functionality of the back button and the address bar → History API allows sites to trivially and transparently disable the functionality of the back button, the address bar, and tab switching
The tab switching thing is a totally separate issue from the back thing.
I thought we'd decided that websites could already do this, so pushstate wasn't adding a new attack vector. But maybe the fact that it makes it really easy is something to worry about? There's a metabug tracking all the ways a page can trap you which I can't currently find. I think Jesse knows. Last time I read it, the spec lets us do pretty much whatever we want here. We could limit the rate of pushState calls, or we could remember only the last N pushState's (is this what you suggested in comment 2?). I'd prefer the former, since the latter would break if I stayed on a site using pushState for a long time (e.g. Gmail, Facebook) and really did want my history to be filled by that site.
> (is this what you suggested in comment 2?) Yes. I would also be open to doing different things depending on whether we're in an app tab.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.