Cool feature of HTML5

Not dealing much with HTML lately, I’ve only noticed this new feature now. HTML5 lets you change the page’s URL path without refreshing the page content. In this example from Google, when you flip the book’s pages the URL changes for easy bookmarking and SEO, but the content doesn’t flicker. If that doesn’t seem like much to you, then you don’t know what you’re talking about.

All that is needed to achieve the magic is this line of code:

window.history.pushState("", "title", "somePath/");


Amazing! There is no need for the ugly hash (#) anymore in order to achieve AJAX/Flash deep linking… oh wait… it doesn’t work in IE9 and Firefox 3.x 🙁 (yet)

Thinking “I know all that browsers can do”, this one got me wondering. I’m coming to realize that even though I still believe I generally know most of their capabilities, with HTML5 there are probably lots of things that browsers can do which I’m not yet familiar with. I swear I will skim through the spec when I have the time; there must be many interesting security flaws in there… or are there?!

More info here & here

  • I think this could make phishing via XSS quite a lot more effective. Since you can make the page with the XSS on an exact replica of the login page, url included.

  • guya

    You’re right, it’ll definitely “help” phishing via XSS. It’ll be easier to fake the user navigation to any part of the website. For example, as you noted, take him to the login page and ask him to re-login -> hijack his user/pass and not only his session.

  • Hristofor Lukanov

    The phishing can be achieved even without this new feature. It does not affect the domain name, so it’s the same as recreating the file structure on another server with a different domain.

  • admin

    Phishing in general won’t be affected by this feature, but phishing via XSS will be slightly more powerful. Some users will be more comfortable entering their credentials with this in the browser address rather than something like that –‘’%3E%3C/script%3E
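
The two points raised in the comments, as an added example (not code from the original post or its commenters): the History API only accepts a URL on the document's own origin, yet a script can still put a path such as the login page in the address bar. The sketch approximates the browser's rule as a same-origin comparison and wraps pushState/replaceState so every rewrite is reported; `installHistoryAudit`, `isRewriteAllowed`, `SENSITIVE_PATHS` and the shop.example/bank.example URLs are assumptions made for illustration.

```javascript
// Added example: audit script-driven URL rewrites. All names here are hypothetical.
const SENSITIVE_PATHS = ["/login", "/account/password"]; // assumed site paths

// The History API rejects a URL on another origin (approximated as an origin compare).
function isRewriteAllowed(currentHref, target) {
  try {
    return new URL(target, currentHref).origin === new URL(currentHref).origin;
  } catch (e) {
    return false; // unparsable URL
  }
}

// Wrap pushState/replaceState so each URL change made without a page load is reported.
function installHistoryAudit(historyObj, getHref, report) {
  for (const method of ["pushState", "replaceState"]) {
    const original = historyObj[method];
    historyObj[method] = function (state, title, url) {
      if (url !== undefined && url !== null) {
        const from = getHref();
        const allowed = isRewriteAllowed(from, String(url));
        const to = allowed ? new URL(String(url), from) : null;
        report({
          method, from, allowed,
          to: to ? to.href : String(url),
          // true: the address bar will show a sensitive path with no navigation
          sensitive: !!to && SENSITIVE_PATHS.some(
            (p) => to.pathname === p || to.pathname.startsWith(p + "/")),
        });
      }
      return original.apply(this, arguments);
    };
  }
}

// Constructed demo: a stub standing in for window.history and location.href.
function runDemo() {
  let href = "https://shop.example/search?q=shoes"; // constructed sample URL
  const set = (url) => {
    if (!isRewriteAllowed(href, url)) throw new Error("SecurityError");
    href = new URL(url, href).href;
  };
  const stub = { pushState: (s, t, u) => set(u), replaceState: (s, t, u) => set(u) };
  const events = [];
  installHistoryAudit(stub, () => href, (e) => events.push(e));
  stub.replaceState("", "title", "/login");          // same origin: accepted
  try { stub.pushState("", "title", "https://bank.example/login"); } catch (e) {}
  return events;
}
```

In a page, call `installHistoryAudit(window.history, () => location.href, yourReporter)` before any other script runs; a script that runs earlier can keep a reference to the unwrapped methods.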

