Prevent storage of username/password in history.{push,replace}State |
|||
Issue descriptionLatest WebKit now throws if developer tries to pushState with a URL that has username or password. https://trac.webkit.org/changeset/203288/trunk/Source/WebCore/page/History.cpp The WebKit bug [1] is restricted so I am guessing that this was done to avoid having sensitive information serialized in the persisted history. Should we consider a similar change in Blink? Notes: - This change does not conform to the spec [3] so if we decide to do this we should ask for a spec change . - Currently we sanitize away some password information before persisting the history so this feels like a natural extension. See PageState::RemovePasswordData() [2] As a side not: History item also contains form data which also get serialized. I suspect that may also include password fields. Chrome Although this change does not [1] https://bugs.webkit.org/show_bug.cgi?id=159818 [2] https://codesearch.chromium.org/chromium/src/content/public/common/page_state.cc?rcl=1470396217&l=39 [3] https://html.spec.whatwg.org/multipage/browsers.html#dom-history-pushstate
,
Aug 12 2016
Loading triager here. Assigning to majidvp.
,
Aug 12 2016
majidvp@ If you don't want to own this, please assign an appropriate priority and mark as available.
,
Oct 20 2017
I haven't had a chance to work in this area of the code for some time. Assigning to japhet@ to triage and prioritize appropriately. |
|||
►
Sign in to add a comment |
|||
Comment 1 by dtapu...@chromium.org
, Aug 8 2016