Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Proposal: Support loadReplace for tabs.update() #664

Open
mshibanami opened this issue Jul 28, 2024 · 1 comment
Open

Proposal: Support loadReplace for tabs.update() #664

mshibanami opened this issue Jul 28, 2024 · 1 comment
Labels
implemented: firefox Implemented in Firefox supportive: chrome Supportive from Chrome supportive: safari Supportive from Safari topic: navigation Using an extension to navigate a web context.

Comments

@mshibanami
Copy link

Background

On Firefox, the tabs.update() function can have a loadReplace parameter, which allows developers to specify whether the new URL should replace the old URL in the tab's navigation history, like this:

browser.tabs.update(
    tabId,
    { url: url, loadReplace: true });
}

It's not implemented in other browsers. However, replacing the navigation history is a pretty common use case.

You can call window.location.replace() in content.js for sure, but it's still beneficial when you want to call it before content.js is loaded.

Proposal

It would be great if this loadReplace parameter were standardized and extensions could specify it in Safari, Chrome, etc.

Misc
@github-actions github-actions bot added needs-triage: chrome Chrome needs to assess this issue for the first time needs-triage: firefox Firefox needs to assess this issue for the first time needs-triage: safari Safari needs to assess this issue for the first time labels Jul 28, 2024
@Rob--W Rob--W added implemented: firefox Implemented in Firefox and removed needs-triage: firefox Firefox needs to assess this issue for the first time labels Jul 30, 2024
@dotproto dotproto mentioned this issue Aug 1, 2024
Closed
@xeenon xeenon added supportive: safari Supportive from Safari and removed needs-triage: safari Safari needs to assess this issue for the first time labels Aug 1, 2024
@oliverdunk oliverdunk added supportive: chrome Supportive from Chrome and removed needs-triage: chrome Chrome needs to assess this issue for the first time labels Aug 1, 2024
@Rob--W Rob--W mentioned this issue Aug 1, 2024
Merged
@dotproto
Copy link
Member

dotproto commented Aug 7, 2024

During the 2024-08-01 meeting I mentioned that I was concerned about potential abuse scenarios with replacing the current URL. Someone else mentioned that the web's history.replaceState() already provides this capability. I took a closer look after the meeting and was surprised to find that it was possible to use replaceState() to navigate to another origin.

I also searched for abuse patterns, attacks, or annoyances related to the use of replaceState() but didn't find anything notable. The only potential misuse I can see at the moment loading a page that triggers a browser exploit, then using history replacement to mask that the page was loaded. That said, since replaceState() is already exposed on the web, a malicious website could already do this without the assistance of an extension.

At this point I don't see any concerns with this capability.

This was referenced Aug 29, 2024
Merged
Closed
@dotproto dotproto added the topic: navigation Using an extension to navigate a web context. label Sep 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
implemented: firefox Implemented in Firefox supportive: chrome Supportive from Chrome supportive: safari Supportive from Safari topic: navigation Using an extension to navigate a web context.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@xeenon @dotproto @mshibanami @Rob--W @oliverdunk