Cool feature of HTML5

Not dealing much with HTML lately, I’ve only noticed this new feature now. HTML5 lets you change the page’s URL path without refreshing the page content. Take this example from Google, 20thingsilearned.com: when you flip the book’s pages, the URL changes for easy bookmarking and SEO, but the content doesn’t flicker. If that doesn’t seem like much to you, then you don’t know what you’re talking about.

All that is needed to achieve the magic is this line of code:

window.history.pushState("", "title", "somePath/");


Amazing! There is no need for the ugly hash (#) anymore in order to achieve AJAX/Flash deep linking… oh wait… it doesn’t work in IE9 and Firefox 3.x :( (yet)
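An added example (not code from the original post): one way to wrap the call with feature detection, so that browsers without pushState fall back to the hash, plus the same-origin limit that browsers enforce on the new URL. The function names, the `win` parameter and the `fakeWindow` stand-in are assumptions made for this example.

```javascript
// Added example: deep linking with pushState and a hash fallback.
// `win` is the browser's window object, passed in so the logic can be tested.

// Resolve `path` against the current page and refuse anything cross-origin.
// Browsers apply the same rule: pushState() throws a SecurityError when the
// URL's origin differs from the document's, so only the path can change.
function resolveSameOrigin(win, path) {
  const target = new URL(path, win.location.href);
  if (target.origin !== win.location.origin) {
    throw new Error("refusing cross-origin URL: " + target.origin);
  }
  return target;
}

// Change the visible URL without reloading. Returns the mechanism used.
function deepLink(win, path, state) {
  const target = resolveSameOrigin(win, path);
  const rel = target.pathname + target.search;
  if (win.history && typeof win.history.pushState === "function") {
    win.history.pushState(state, "", rel);
    return "pushState";
  }
  win.location.hash = "#" + rel; // browsers without pushState: use the hash
  return "hash";
}

// pushState() itself never fires popstate; Back/Forward do. Re-render there.
function onBackForward(win, render) {
  win.addEventListener("popstate", (ev) => render(win.location.pathname, ev.state));
}

// Constructed stand-in for window, so the example also runs outside a browser.
function fakeWindow(href, withPushState) {
  const loc = new URL(href);
  const win = { location: { href: loc.href, origin: loc.origin, hash: "" }, calls: [] };
  if (withPushState) {
    win.history = { pushState: (s, t, u) => win.calls.push([s, t, u]) };
  }
  return win;
}
```

In a page, call `deepLink(window, "somePath/", {})` and register `onBackForward(window, render)` once at load.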

Having thought “I know everything browsers can do”, this one got me wondering. I’m coming to realize that even though I still believe I generally know most of their capabilities, with HTML5 there are probably lots of things browsers can do that I’m not yet familiar with. I swear I will skim through the spec when I have the time; there must be many interesting security flaws in there… or are there?!


5 thoughts on “Cool feature of HTML5”

  1. I think this could make phishing via XSS quite a lot more effective. Since you can make the page with the XSS on an exact replica of the login page, url included.

  2. You’re right, it’ll definitely “help” phishing via XSS. It’ll be easier to fake the user navigation to any part of the website. For example, as you noted, take him to the login page and ask him to re-login -> hijack his user/pass and not only his session.

  3. The phishing can be achieved even without this new feature. It does not affect the domain name, so it’s the same as recreating the file structure on another server with a different domain.
