
You're correct. Only the path (and not the domain) can be changed.

From the article:

* For security reasons, you can only change the path of the URL, not the domain itself. So you can change anything in the URL after my-domain.com/[change-the-stuff-here.html].



Wouldn't this be better if you could only go to the same level or lower, thus preventing server/~user1 pretending to be server/~user2?

Does this break real use cases?


Cookies have this problem, too (anyone from the same domain sees your cookies, and you can't really count on the cookie path). So does XMLHTTPRequest. Same origin[1] is pretty much the governing rule here; there wasn't any point in making pushState any more secure than the rest of the system.

1) http://en.wikipedia.org/wiki/Same_origin_policy


It very well could. Consider that "real use cases" includes every website in existence. Some of them have utterly horrifying URL schemes.


It's not just horrifying URL schemes, it would make the feature useless for any "web app" - take Grooveshark for example. A user can go from /artist/x/1234 to /song/x/1234 which seems pretty reasonable and not very horrifying.


As long as the script file lives at / there's no problem.
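The two rules debated in this thread, modelled side by side as an added example (this is not code from the article or from any commenter). The browser rule the article describes, "only the path can change, never the domain", is a same-origin comparison of scheme, host and port; the stricter "same directory or below" rule proposed above is modelled next to it so the /~user1 vs /~user2 case and the Grooveshark-style /artist to /song navigation can be checked against both. It uses only the WHATWG URL class, so it runs offline in Node.js; the host names "server" and "evil.example" and the paths are constructed sample values.

```javascript
// Added example, not from the thread: two pushState URL policies modelled with the
// WHATWG URL class. pushStatePolicy() mirrors the rule the article states (any
// same-origin URL is allowed; scheme, host and port are fixed). pathScopedPolicy()
// models the stricter "same directory or below" rule proposed in the thread.
// Hosts "server" and "evil.example" are constructed sample values, not real sites.

// Origin = scheme + host + port, which is what the same-origin policy compares.
function sameOrigin(currentUrl, target) {
  return new URL(currentUrl).origin === target.origin;
}

// Browser-style rule: the target may change path, query and fragment, never origin.
// Relative candidates resolve against the current page, as the browser does.
function pushStatePolicy(currentUrl, candidate) {
  const target = new URL(candidate, currentUrl);
  if (!sameOrigin(currentUrl, target)) {
    throw new Error('SecurityError: pushState target is cross-origin: ' + target.href);
  }
  return target.href;
}

// Stricter rule from the thread: stay within the current page's directory.
// The URL class resolves "." and ".." before the path is inspected, so a
// candidate like "../~user2/" is compared as "/~user2/", not at face value.
function pathScopedPolicy(currentUrl, candidate) {
  const cur = new URL(currentUrl);
  const target = new URL(candidate, currentUrl);
  if (!sameOrigin(currentUrl, target)) {
    throw new Error('SecurityError: cross-origin: ' + target.href);
  }
  // Directory of the current page, always ending in "/" (e.g. "/~user1/"), so the
  // prefix test cannot be satisfied by "/~user10/" matching "/~user1".
  const dir = cur.pathname.slice(0, cur.pathname.lastIndexOf('/') + 1);
  if (!target.pathname.startsWith(dir)) {
    throw new Error('SecurityError: path leaves ' + dir + ': ' + target.pathname);
  }
  return target.href;
}

// True when the policy rejects the candidate; keeps the comparison table simple.
function denies(policy, currentUrl, candidate) {
  try { policy(currentUrl, candidate); return false; } catch (e) { return true; }
}

// Side-by-side comparison on the scenarios raised in the thread (constructed URLs).
function comparePolicies() {
  const cases = [
    ['http://server/~user1/index.html', 'page2.html'],           // sibling page
    ['http://server/~user1/index.html', '/~user2/index.html'],   // ~user1 posing as ~user2
    ['http://server/~user1/index.html', '../~user2/'],           // same thing via ".."
    ['http://server/~user1/index.html', 'http://evil.example/'], // cross-origin
    ['http://server/artist/x/1234', '/song/x/1234'],             // the Grooveshark case
    ['http://server/', '/song/x/1234'],                          // script served from "/"
  ];
  return cases.map(([cur, cand]) => ({
    current: cur,
    candidate: cand,
    pushState: denies(pushStatePolicy, cur, cand) ? 'deny' : 'allow',
    pathScoped: denies(pathScopedPolicy, cur, cand) ? 'deny' : 'allow',
  }));
}

console.table(comparePolicies());
```

The table shows the trade-off the thread is about: the path-scoped rule does stop /~user1 from rewriting the bar to /~user2 (including via ".."), but it also rejects the /artist to /song navigation unless the page doing the pushState is served from /, which is exactly the last comment's point.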



