187
edits
Firefox 3.6/PushState Security Review: Difference between revisions
Firefox 3.6/PushState Security Review (view source)
Revision as of 22:24, 3 August 2009
, 3 August 2009→Security and Privacy: /ul
(→Security and Privacy: /ul) |
|||
| Line 17: | Line 17: | ||
<li>Instead of / in addition to hard per-page limits on the number of remembered states, we may need to rate-limit pushstates. Otherwise, a malicious site could keep a user from going back by pushstating every 10ms to the same site. Its oldest history entries would constantly be dropped, but it would still own the history. We'd have to take care to ensure that the rate limiting doesn't appear to be arbitrary.</li> | <li>Instead of / in addition to hard per-page limits on the number of remembered states, we may need to rate-limit pushstates. Otherwise, a malicious site could keep a user from going back by pushstating every 10ms to the same site. Its oldest history entries would constantly be dropped, but it would still own the history. We'd have to take care to ensure that the rate limiting doesn't appear to be arbitrary.</li> | ||
<li>We also have to try and prevent a site from DOSing the browser by pushing many large objects.</li> | <li>We also have to try and prevent a site from DOSing the browser by pushing many large objects.</li> | ||
</ | </ul> | ||
== Exported APIs == | == Exported APIs == | ||