History API should check origin in push/replace state for opaque origin #8948
Comments
cc @whatwg/security WebKit and Chromium seem to throw in this case.
Throwing seems reasonable, but on the other hand I'm not convinced "path attacks" are a real thing.
You can watch this talk which explains how Dropbox depends on CSP sandbox.
Yes, it looks like Blink allows for fragment changes, if I am reading
With
https://codereview.chromium.org/1495013002#msg6 is a better record of what I was thinking at the time than I have in my head at the moment. :) I don't recall any compatibility concerns coming into play, and I was apparently looking to whatever HTML said 8 years ago along with spot-checks of Firefox's behavior.
While the specification note about checking only the URL in push/replaceState makes sense for defending against attacks from documents that modified document.domain, it does not make sense for CSP sandbox, which is likely to host untrustworthy content that can spoof the URL using the History API.
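As an added example (not code from the issue, from any browser engine, or from the HTML spec), here is a simplified model of the push/replaceState URL check the thread is discussing, with the extra rule for documents whose origin is opaque: the URL-only comparison is kept for normal documents, while an opaque-origin document is limited to fragment-only changes, which the thread notes Blink still allows. The `doc` object, its `originOpaque` field and all function names are assumptions for illustration.

```javascript
// Simplified model of the push/replaceState URL check (added example, not the
// spec's algorithm). `doc` is a constructed stand-in for a document:
//   { url: 'https://host/path', originOpaque: true|false }

// The existing check compares only scheme, host and port of the URLs, which is
// the "URL rather than origin" behaviour the spec note describes.
function sameUrlOrigin(docUrl, newUrl) {
  const a = new URL(docUrl);
  const b = new URL(newUrl, docUrl); // relative URLs resolve against the document
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// True when the two URLs differ only in their fragment.
function fragmentOnlyChange(docUrl, newUrl) {
  const a = new URL(docUrl);
  const b = new URL(newUrl, docUrl);
  a.hash = '';
  b.hash = '';
  return a.href === b.href;
}

// Decide whether history.pushState/replaceState to `newUrl` should be allowed.
// Returning false corresponds to throwing a SecurityError, as WebKit and
// Chromium reportedly do for the opaque-origin case.
function canRewriteHistoryUrl(doc, newUrl) {
  if (!sameUrlOrigin(doc.url, newUrl)) return false;
  if (doc.originOpaque) {
    // A URL-only check passes for any path on the same host, so sandboxed
    // (opaque-origin) content could rewrite the address bar to a path it does
    // not control. Permit only fragment changes for such documents.
    return fragmentOnlyChange(doc.url, newUrl);
  }
  return true;
}
```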
Repro steps