Skip to content

Commit

Permalink
Use the associated document for pushState/replaceState's origin check
Browse files Browse the repository at this point in the history
This updates the origin check in pushState/replaceState to use the
origin of the document of the relevant History object, instead of that
of the entry settings object. This more correctly matches 2/3 open
source browsers:

- https://chromium.googlesource.com/chromium/src/+/c21f0b11ac83ea970d0eaf6a0b223d48a32a4b32/third_party/WebKit/Source/core/frame/History.cpp#234
- https://github.com/WebKit/webkit/blob/0ee7b606dbf35d9688c15b19b1a83ec1ff242cd7/Source/WebCore/page/History.cpp#L150

(Gecko does no such security check). It also helps with #1431.

While there, cleaned up some redundant steps and tightened wording.
  • Loading branch information
domenic committed Jul 12, 2016
1 parent 363d074 commit abfaca0
Showing 1 changed file with 14 additions and 15 deletions.
29 changes: 14 additions & 15 deletions source
Original file line number Diff line number Diff line change
Expand Up @@ -80559,10 +80559,11 @@ interface <dfn>History</dfn> {
<p>When either of these methods is invoked, the user agent must run the following steps:</p>

<ol>
<li><p>Let <var>document</var> be the unique <code>Document</code> object this
<code>History</code> object is associated with.</p></li>

<li><p>If this <code>History</code> object is associated with a <code>Document</code> that is
not <span>fully active</span>, throw a <span>"<code>SecurityError</code>"</span>
<code>DOMException</code>.</p></li>
<li><p>If <var>document</var> is not <span>fully active</span>, throw a
<span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>

<li><p>Optionally, abort these steps. (For example, the user agent might disallow calls to these
methods that are invoked on a timer, or from event listeners that are not triggered in response
Expand All @@ -80588,20 +80589,20 @@ interface <dfn>History</dfn> {

<li><p>Let <var>new URL</var> be the <span>resulting URL record</span>.</p></li>

<li>Compare <var>new URL</var> to the document's <span
<li>Compare <var>new URL</var> to <var>document</var>'s <span
data-x="concept-document-url">URL</span>. If any component of these two <span data-x="URL
record">URL records</span> differ other than the <span data-x="concept-url-path">path</span>,
<span data-x="concept-url-query">query</span>, and <span
data-x="concept-url-fragment">fragment</span> components, then throw a
<span>"<code>SecurityError</code>"</span> <code>DOMException</code> and abort these steps.</li>

<li>If the <span data-x="concept-url-origin">origin</span> of <var>new URL</var> is not the
same as the <span>origin</span> of the <span>responsible document</span> specified by the
<span>entry settings object</span>, and either the <span data-x="concept-url-path">path</span>
or <span data-x="concept-url-query">query</span> components of the two <span data-x="URL
record">URL records</span> compared in the previous step differ, throw a
<span>"<code>SecurityError</code>"</span> <code>DOMException</code> and abort these steps.
(This prevents sandboxed content from spoofing other pages on the same origin.)</li>
<li>If the <span data-x="concept-url-origin">origin</span> of <var>new URL</var> is not
<span>same origin</span> with the <span>origin</span> of <var>document</var>, and either the
<span data-x="concept-url-path">path</span> or <span data-x="concept-url-query">query</span>
components of the two <span data-x="URL record">URL records</span> compared in the previous
step differ, throw a <span>"<code>SecurityError</code>"</span> <code>DOMException</code> and
abort these steps. (This prevents sandboxed content from spoofing other pages on the same
origin.)</li>

</ol>

Expand Down Expand Up @@ -80664,17 +80665,15 @@ interface <dfn>History</dfn> {

<li>

<p>Set the document's <span data-x="concept-document-url">URL</span> to <var>new URL</var>.</p>
<p>Set <var>document</var>'s <span data-x="concept-document-url">URL</span> to <var>new
URL</var>.</p>

<p class="note">Since this is neither a <span data-x="navigate">navigation</span> of the
<span>browsing context</span> nor a <span data-x="traverse the history">history traversal</span>,
it does not cause a <code data-x="event-hashchange">hashchange</code> event to be fired.</p>

</li>

<li><p>Let <var>targetRealm</var> be this <code>History</code> object's <span>relevant settings
object</span>'s <span data-x="environment settings object's realm">Realm</span>.</p></li>

<li>

<p>Set <code data-x="dom-history-state">history.state</code> to
Expand Down

0 comments on commit abfaca0

Please sign in to comment.