SecurityError: The operation is insecure - window.history.pushState()
Make sure you are following the Same Origin Policy. This means same domain, same subdomain, same protocol (http vs https) and same port.
How does pushState protect against potential content forgeries?
EDIT: As @robertc aptly pointed out in his comment, some browsers actually implement slightly different security policies when the origin is file:///. Not to mention you can encounter problems when testing locally with file:/// when the page expects it is running from a different origin (and so your pushState assumes production origin scenarios, not localhost scenarios).
SecurityError: The operation is insecure. pushing history in browser js
When you use a single '/' you append to the current domain; when you use a double '/' you are replacing the current domain name with 'translation', and that is not allowed because of the same origin policy.
The new URL can be any URL in the same origin as the current URL. In contrast, setting window.location keeps you at the same document only if you modify only the hash.
pushState mozilla docs
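The '/' versus '//' behaviour described above, together with the protocol, subdomain and port rules from the first answer, can be checked before calling pushState. This is an added example, not code from any of the answers: the function names and the example.com URLs are assumptions, and it compares only the origin that the WHATWG URL parser reports.

```javascript
// Added example (hypothetical helper names). Predicts whether
// history.pushState(state, '', target) stays inside the document's origin.
function checkPushStateTarget(target, base) {
  const baseUrl = new URL(base);
  let resolved;
  try {
    // Same relative-URL resolution the browser applies to the pushState argument.
    resolved = new URL(target, baseUrl);
  } catch (err) {
    return { ok: false, href: null, reason: 'unparseable URL' };
  }
  // file: URLs have an opaque origin that serialises to "null"; browsers
  // differ in how they treat it, so report it instead of guessing.
  if (baseUrl.origin === 'null' || resolved.origin === 'null') {
    return { ok: false, href: resolved.href,
             reason: 'opaque origin (e.g. file:///), browser-dependent' };
  }
  // Origin = scheme + host + port; any difference is cross-origin.
  if (resolved.origin !== baseUrl.origin) {
    return { ok: false, href: resolved.href,
             reason: `cross-origin: ${resolved.origin} != ${baseUrl.origin}` };
  }
  return { ok: true, href: resolved.href, reason: 'same origin' };
}

// Browser-only wrapper: refuses the call instead of letting it throw SecurityError.
function safePushState(target, state = null) {
  const verdict = checkPushStateTarget(target, window.location.href);
  if (!verdict.ok) {
    console.warn(`pushState skipped for ${target}: ${verdict.reason}`);
    return false;
  }
  window.history.pushState(state, '', verdict.href);
  return true;
}

// Constructed sample inputs: '/translation' stays on the site, while
// '//translation' is scheme-relative and replaces the host.
const BASE = 'https://example.com/app/page';
for (const t of ['/translation', '//translation', 'http://example.com/app',
                 'https://example.com:8443/', 'https://www.example.com/']) {
  const v = checkPushStateTarget(t, BASE);
  console.log(t.padEnd(28), v.ok ? 'allowed' : 'blocked', '->', v.href);
}
```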
SecurityError: This operation is insecure when calling domtoimage.toPng() in OpenLayers example
I think there should be something like:
    new ol.layer.Tile({
      name: 'name',
      source: new ol.source.TileWMS({
        ...
        crossOrigin: 'anonymous' // <-- Add this to the json.
      })
    })
Read more:
https://openlayers.org/en/v4.6.5/apidoc/ol.source.ImageWMS.html
https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_enabled_image
How does pushState protect against potential content forgeries?
My understanding is that this is perfectly consistent with the Same Origin Policy that governs XMLHttpRequest, setting cookies, and various other browser functions. The assumption is that if it's on the same domain + protocol + port, it's a trusted resource. Usually, as a web developer, that's what you want (and need) in order for your AJAX scripts to work and your cookies to be readable throughout your site. If you are running a site where users can post content, it's your job, not the browser's, to make sure they can't phish or keylog each other's visitors.
Here's some more detail on what the Firefox folks are thinking about pushState - it doesn't seem like this is an issue for them. There's another discussion of a possible pushState security hole here, but it's a different concern, about being able to hide a malicious querystring on the end of someone else's URL.