___________________________________________________________________
Stealing the users back button with the History API (2013)
Author : longrod
Score : 26 points
Date : 2022-06-09 10:27 UTC (1 days ago)
(HTM) web link (ryanseddon.com)
(TXT) w3m dump (ryanseddon.com)
| fleddr wrote:
| For the interested, the successor to the History API is the
| Navigation API: https://developer.chrome.com/docs/web-
| platform/navigation-ap...
| superb-owl wrote:
| Huh...so you can add a third-party domain to the history? That
| seems like a security flaw. I would have imagined you could only
| add history for the current domain.
| Spivak wrote:
| They can't. Here's the flow.
|
| 1. User goes to example.com.
|
| 2. The site immediately replaces the history state with
| example.com#history.
|
| 3. The site pushes a new history state example.com
|
| At this point your history looks like ...
| google.com example.com#history example.com <--
| you are here
|
| 4. The user clicks their back button and you're taken to
| example.com#history
|
| 5. The JS sees the hash and does a location.replace (i.e.
| navigate to) to some unrelated URL.
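The five-step flow above, written out as an added example (this is not code from the article or from the commenter). It implements the trap against the History API and drives it with a minimal in-memory stand-in for window.history and window.location so it runs under Node without a browser; FakeWindow, installBackTrap, simulateVisit, crossOriginPushRejected and UNRELATED_URL are names chosen here, and the google.com / example.com URLs are constructed sample data.

```javascript
// Added example: the back-button trap as described in the thread, plus the
// same-origin limit that makes "add a third-party domain to the history"
// impossible. FakeWindow stands in for a browsing context; the function and
// constant names are this example's own, not the article's.

const UNRELATED_URL = "https://unrelated.example/landing"; // hypothetical redirect target

// Stand-in for a browsing context: an ordered list of session-history URLs, a
// cursor, and popstate listeners. It enforces the one restriction the comment
// relies on: pushState/replaceState reject URLs on another origin (browsers
// throw a SecurityError), while location.replace is an ordinary navigation and
// may go anywhere.
class FakeWindow {
  constructor(entries) {
    this.entries = entries.slice();          // oldest first
    this.index = this.entries.length - 1;    // current entry
    this.popstateHandlers = [];
    const win = this;
    this.history = {
      replaceState(_state, _title, url) {
        win.entries[win.index] = win.sameOriginUrl(url);
      },
      pushState(_state, _title, url) {
        win.entries.splice(win.index + 1);   // a push discards forward entries
        win.entries.push(win.sameOriginUrl(url));
        win.index = win.entries.length - 1;
      },
      back() {
        if (win.index === 0) return;
        const from = win.entries[win.index];
        win.index -= 1;
        // Only a same-document traversal fires popstate on the page.
        if (new URL(from).origin === new URL(win.entries[win.index]).origin) {
          for (const handler of win.popstateHandlers) handler({ type: "popstate" });
        }
      },
    };
    this.location = {
      get href() { return win.entries[win.index]; },
      get hash() { return new URL(win.entries[win.index]).hash; },
      replace(url) {
        // Navigation that replaces the current entry; cross-origin is allowed.
        win.entries[win.index] = new URL(url, win.entries[win.index]).href;
      },
    };
  }
  sameOriginUrl(url) {
    const current = new URL(this.entries[this.index]);
    const target = new URL(url, current);
    if (target.origin !== current.origin) {
      throw new Error("SecurityError: history entries must stay on the current origin");
    }
    return target.href;
  }
  addEventListener(type, handler) {
    if (type === "popstate") this.popstateHandlers.push(handler);
  }
}

// Steps 2-5 from the comment: replace the arrival entry with a marker, push the
// clean URL back on top, and on popstate recognise the marker and navigate away.
function installBackTrap(win, destination) {
  const MARKER = "#history";
  win.history.replaceState(null, "", MARKER);                        // step 2
  win.history.pushState(null, "", win.location.href.split("#")[0]);  // step 3
  win.addEventListener("popstate", () => {                           // steps 4-5
    if (win.location.hash === MARKER) win.location.replace(destination);
  });
}

// Step 1 onward: the user arrives at example.com from google.com, then presses Back.
function simulateVisit() {
  const win = new FakeWindow(["https://google.com/", "https://example.com/"]);
  installBackTrap(win, UNRELATED_URL);
  const afterLoad = win.entries.slice();   // google.com, example.com/#history, example.com/
  win.history.back();                       // lands on the marker entry, which redirects
  return { afterLoad, landedOn: win.location.href };
}

// The check behind "They can't": a page cannot push another origin into history.
function crossOriginPushRejected() {
  const win = new FakeWindow(["https://example.com/"]);
  try {
    win.history.pushState(null, "", "https://attacker.example/");
    return false;
  } catch (e) {
    return true;
  }
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(simulateVisit(), null, 2));
  console.log("cross-origin pushState rejected:", crossOriginPushRejected());
}
```

The point the stand-in makes concrete is that the page never writes a foreign URL into the session history; it only edits and extends its own origin's entries, then performs a normal navigation once the user lands on the entry it planted. Chromium has since shipped an intervention that skips, on Back, entries a page added without user activation, which is the sort of change that makes a 2013 demo stop working in current Chrome while still working elsewhere.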
| Arrath wrote:
| I despise websites that capture my back button.
| thunderbong wrote:
| Didn't work for me though on Chrome or Slimjet. Worked in
| Firefox!
|
| On Chrome based browsers, I see this error -
| [Report Only] Refused to load the script
| 'https://ryanseddon.com/dist/app.bundle.js' because it violates
| the following Content Security Policy directive: "script-src
| 'self' 'sha256-MdC6fOvaO+dJENLQhOoRht9sHSJ++GoMxjtC5lOpUww='
| 'strict-dynamic' https: 'unsafe-inline' 'report-sample'".
| 'strict-dynamic' is present, so host-based whitelisting is
| disabled. Note that 'script-src-elem' was not explicitly set, so
| 'script-src' is used as a fallback.
| littlecranky67 wrote:
| CSP can be set through HTTP header, so a site with an explicit
| CSP configuration might allow this.
| kurupt213 wrote:
| I don't know why people do this because this is what makes people
| avoid your website completely. Fool me once...never again
| car_analogy wrote:
| History _API_? Modifying user history should require an exploit,
| not be offered voluntarily by the browser!
| FrenchDevRemote wrote:
| you can only use your own website history...definitely not an
| issue imo
| car_analogy wrote:
| Can you delete items from it? Even if it's the same domain,
| that's not something I want a website doing.
| GranPC wrote:
| Yes. Keep in mind this relates to the back/forward buttons,
| not your personal history of all visited websites.
| munk-a wrote:
| I've never liked calling it "History API"; it's more focused on
| modifying what the back button will do.
|
| It exists primarily to support SPAs that have hard links for
| different specific resource views but never actually navigate
| the user off the single page - the History API allows these
| sites to drop some breadcrumbs so that users can return to
| different visual states they observed on their screen while
| never actually navigating....
|
| That all said - I think there are much better ways to
| accomplish this using, I believe (it's been a bit) location.Url
| updates that cause micro-reloads... However, if your webapp is a
| 300 pound gorilla this approach is significantly less appealing
| due to the obvious breaks in user flow.
| usrn wrote:
| Man I really hate SPAs. Unless it's something like a drawing
| app or whatever where the back button doesn't even make sense
| they're usually awful.
| ajsnigrutin wrote:
| Yep... most of the tracking and privacy issues exist because
| browsers expose too many APIs to websites, many of which are
| not really needed for sites to work properly.
___________________________________________________________________
(page generated 2022-06-10 23:01 UTC)