New issue
Advanced search Search tips

Issue 715546 link

Starred by 3 users
Status: Closed
Owner: ----
Closed: Aug 3
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 3
Type: Bug



Sign in to add a comment

Page removed from history when document.write used

Reported by jm.acun...@gmail.com, Apr 26 2017 
UserAgent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36

Steps to reproduce the problem:
I'm not sure if this is a security bug.
Perhaps a malicious user could link from a legal page, a phishing page in order to hide it.

In Mozilla Firefox it works correctly.

1- Go to http://createcharts.esy.es/delete-history-back.html
2- Click on the button on the page
3- Click on the Back arrow of the browser or press the keys Alt <-

What is the expected behavior?

What went wrong?
History page is lost

Did this work before? N/A 

Chrome version: 58.0.3029.81  Channel: stable
OS Version: 6.3
Flash Version:

Comment 1 by jm.acun...@gmail.com, Apr 26 2017 

Tested in:

- Google Chrome Version 58.0.3029.81
- Google Chrome Version 60.0.3080.0 (Official build) canary (64 bits)

Comment 2 by elawrence@chromium.org, Apr 26 2017

Components: UI>Browser>Navigation
Labels: Needs-Feedback
Status: Untriaged (was: Unconfirmed)
I /think/ you're saying that your "Go" button triggers a navigation without adding the current page to the History list? But the other pages in the back stack remain available to the back button-- the browser just skips over the "missing" entry?

This would appear to be the same behavior provided by the standard window.location.replace() function, right?

Comment 3 by jm.acun...@gmail.com, Apr 26 2017 

The window.location.replace() function has the same behavior in all browsers.
In the report, this behavior only occurs in Chrome (not in Firefox, not Vivaldi, not Safari ...)

Comment 4 by elawrence@chromium.org, Apr 26 2017 

Re #3: Can you confirm that the behavior you're reporting in this issue is the same behavior exposed by the public API? 

If so, then this will be converted over to a regular functional issue rather than a security issue.

Comment 5 by jm.acun...@gmail.com, Apr 26 2017 

I confirm it

Comment 6 by elawrence@chromium.org, Apr 26 2017

Labels: -Type-Bug-Security -Pri-2 -Restrict-View-SecurityTeam -Needs-Feedback Pri-3 Type-Bug
Summary: Page removed from history when document.write used (was: Removed the possibility of displaying the browser history page)

Comment 7 by jm.acun...@gmail.com, Apr 26 2017 

Also, I can change the function open by replace and the same thing still happens:

1- in chrome the navigation history page is lost
2- in firefox, safari, vivaldi is not lost.

Example:

function go() {
	var url = 'https://www.google.com', iframe = '<iframe src="'+url+'" style="border:0;width:0;height:0"></iframe>';
	document.write(iframe);
	setTimeout(function(){
		setTimeout(function(){
			window.location.replace(url); /* same behavior as: window.open(url,'_top'); */
		},0);
	},0);
}

Comment 8 by timothygu@chromium.org, Aug 3

Status: Closed (was: Untriaged)
Unfortunately, the reproduction webpage (http://createcharts.esy.es/delete-history-back.html) is no longer available.

Sign in to add a comment