[kw-pm] AJAX and Back Buttons

Daniel R. Allen daniel at coder.com
Sat Apr 22 10:27:38 PDT 2006


Yesterday Eric posted this in the IRC channel; I just read it and it's
worth making sure it makes it back to the list:

There seems to be a reasonable way to manipulate the page history so the
back button works under AJAX.  Reasonably lightweight. Uses labels (the
'#' notation as part of URL) so bookmarks will work.  Includes storage of
additional data (JSON-formatted) within a hidden iframe.

http://www.onjava.com/pub/a/onjava/2005/10/26/ajax-handling-bookmarks-and-back-button.html

The first demo (on page 4) populates the back-button with AJAX-specified
'pages'.  Pretty cool.

But I think this offers a big security hole: a malicious page could grab
the appearance of the referrer page, and modify the links to submit to
their own server (maybe proxying everything to the real page to keep the
spoof going).  So, only detected by noticing the URL is wrong.

I believe this was possible before with javascript, but AJAX makes it easy
to do the proxying in the background while you're on the malicious page,
so you might not notice it's been diverted when you go back.

-Daniel
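The hash-fragment history technique Eric's link describes, as an added example that is not code from the onjava article or from anyone on this list. It assumes a small set of known page ids, a fragment layout of `#page=<id>&state=<JSON>`, and a location-like object with a `hash` property standing in for `window.location` so it runs outside a browser; the 2005-era polling loop is simulated with an explicit `poll()` call (modern browsers fire a `hashchange` event instead). One check a practitioner would want is shown: anything that arrives in the fragment is untrusted input, since anyone can craft a link to it, so the page id is matched against a whitelist and the state is parsed with `JSON.parse`, never `eval`.

```javascript
// Hash-fragment history for an AJAX page (added example; assumptions noted inline).
// Assumption: these are the only views the application can show.
const KNOWN_PAGES = new Set(["home", "inbox", "settings"]);

// Turn a view plus its JSON-serialisable state into a bookmarkable fragment.
function encodeState(page, data) {
  if (!KNOWN_PAGES.has(page)) throw new Error("unknown page: " + page);
  const params = new URLSearchParams();
  params.set("page", page);
  params.set("state", JSON.stringify(data));
  return "#" + params.toString();
}

// Parse a fragment back into {page, data}. The fragment is attacker-controllable
// (it comes from whatever link the user followed), so validate, don't trust.
function decodeState(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ""));
  const page = params.get("page");
  if (!KNOWN_PAGES.has(page)) return { page: "home", data: {} }; // unknown view -> safe default
  let data = {};
  const raw = params.get("state");
  if (raw !== null) {
    try { data = JSON.parse(raw); } catch (e) { data = {}; }   // malformed -> ignore, never eval()
  }
  if (data === null || typeof data !== "object" || Array.isArray(data)) data = {};
  return { page, data };
}

class HashHistory {
  constructor(location, render) {
    this.location = location; // object with a readable/writable .hash, like window.location
    this.render = render;     // callback (page, data) that repaints the view
    this.lastHash = location.hash;
  }
  // Assigning location.hash adds a history entry without a reload, which is
  // why the Back button starts working for AJAX-driven "pages".
  navigate(page, data) {
    this.location.hash = encodeState(page, data);
    this.poll();
  }
  // Detect a fragment change (Back/Forward, or a pasted bookmark) and re-render.
  poll() {
    if (this.location.hash === this.lastHash) return false;
    this.lastHash = this.location.hash;
    const { page, data } = decodeState(this.lastHash);
    this.render(page, data);
    return true;
  }
}

// Constructed stand-in for a browser: a history stack whose top is location.hash.
function makeFakeBrowser() {
  const history = [""];
  const location = {
    get hash() { return history[history.length - 1]; },
    set hash(v) { history.push(v); },
  };
  const back = () => { if (history.length > 1) history.pop(); };
  return { location, back };
}

// Walk through navigation, Back, and two hostile fragments; returns what was rendered.
function demo() {
  const { location, back } = makeFakeBrowser();
  const rendered = [];
  const h = new HashHistory(location, (page, data) => rendered.push(page + ":" + JSON.stringify(data)));
  h.navigate("inbox", { folder: "unread" });
  h.navigate("settings", { tab: "security" });
  back(); h.poll();                                                    // user hits Back -> inbox again
  location.hash = "#page=admin&state=%7B%22x%22%3A1%7D"; h.poll();    // crafted link to an unknown view
  location.hash = "#page=inbox&state=alert(1)"; h.poll();             // non-JSON state is dropped
  return rendered;
}

module.exports = { KNOWN_PAGES, encodeState, decodeState, HashHistory, makeFakeBrowser, demo };
```

This only handles the bookmark/Back problem; it does nothing about the spoofing worry above, where a hostile page imitates the previous one and proxies traffic, since that is a question of which origin the user is actually on, not of how the fragment is formatted.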
