pushState back button overrides still work on newly opened tabs
Categories
(Core :: DOM: Navigation, defect, P3)
People
(Reporter: knud, Unassigned)
References
(Blocks 1 open bug)
Details
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Steps to reproduce:
Just visit a webpage and go back in history with the back button.
Actual results:
I was navigated to a completely different page I didn't want to visit. In this case it was an Amazon ref link, but it could be any domain.
Page in this case: https://www.itsystemkaufmann.de
Expected results:
Firefox should forbid webpages from pushing URLs that are not in the current domain into the history.
Comment 1•5 years ago
Do you have steps to reproduce, like where this happened? Without this, it's unlikely that it'll be possible to know how this happened or how to fix it.
Just click the URL I posted in my issue, then click the back button. You think you will get back here? No, first you will see Amazon. Really easy to reproduce.
Comment 3•5 years ago
This seems to be a paid service by https://www.bouncebooster.com/. 😬
I think that this will be stopped by bug 1515073, which I should really pick back up before going on leave now...
I'm not 100% sure about the non-same-origin piece though; the page is loading amazon.com through pushState, but that could also be managed by some server-side redirect trick, so it might not end up being a security issue.
Leaving this hidden until we have figured that out.
Updated•5 years ago
Comment 4•5 years ago
If this is a paid service then this is clearly a known trick and doesn't need to be hidden. Note that the real page is still in the history in this case, but I imagine a malicious site could push enough junk to evict it.
Comment 5•4 years ago
This is for the most part fixed by 1515073, but there's a case that remains: if you open the link in a new tab, then the override still works, because we allow both the first and last entries to appear without considering user interaction. We should maybe reconsider that at least for the first (earliest) entry.
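The remaining case from Comment 5, modelled as an added example (not code from the bug page or from Firefox): a back-button target chooser that skips history entries lacking user interaction, with the first and last entries exempt. The exact Firefox heuristic is an assumption taken from the comment's description, and the URLs are constructed sample values.

```javascript
// Model of the session-history heuristic described in Comment 5 (assumed, not
// the real Firefox implementation): back skips entries that had no user
// interaction, except that the first and last entries are always eligible.

// A history entry: URL plus whether the user interacted while it was current.
function entry(url, userInteraction) {
  return { url, userInteraction };
}

// Index the back button lands on from `currentIndex`, or -1 if no entry qualifies.
// exemptFirst: whether the earliest entry is eligible regardless of interaction
// (the current behaviour Comment 5 suggests reconsidering).
function backTarget(entries, currentIndex, { exemptFirst = true } = {}) {
  const last = entries.length - 1;
  for (let i = currentIndex - 1; i >= 0; i--) {
    const exempt = i === last || (exemptFirst && i === 0);
    if (entries[i].userInteraction || exempt) return i;
  }
  return -1;
}

// Scenario A: link followed in the same tab. The site inserted a redirect entry
// with no interaction; the page the user came from is still in history, so the
// heuristic skips the inserted entry and back returns to the origin page.
function sameTabScenario(opts) {
  const h = [
    entry('https://search.example/results', true),    // constructed: user clicked here
    entry('https://site.example/go?to=shop', false),  // inserted by script, no interaction
    entry('https://site.example/article', false),     // current page
  ];
  const i = backTarget(h, 2, opts);
  return i < 0 ? null : h[i].url;
}

// Scenario B: link opened in a new tab, so the inserted entry is the first entry
// and is exempt from the interaction check; the override still works unless the
// first-entry exemption is dropped.
function newTabScenario(opts) {
  const h = [
    entry('https://site.example/go?to=shop', false),  // first entry, inserted by script
    entry('https://site.example/article', false),     // current page
  ];
  const i = backTarget(h, 1, opts);
  return i < 0 ? null : h[i].url;
}
```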