SecurityError: The operation is insecure - window.history.pushState()


Make sure you are following the Same Origin Policy. This means same domain, same subdomain, same protocol (http vs https) and same port.

How does pushState protect against potential content forgeries?

EDIT: As @robertc aptly pointed out in his comment, some browsers actually implement slightly different security policies when the origin is file:///. Not to mention you can encounter problems when testing locally with file:/// when the page expects it is running from a different origin (and so your pushState assumes production origin scenarios, not localhost scenarios).

SecurityError: The operation is insecure. pushing history in browser js

When you use a single '/' you append to the current domain; when you use a double '//' you are replacing the current domain name with 'translation', and that is not allowed because of the same origin policy.

The new URL can be any URL in the same origin as the current URL. In contrast, setting window.location keeps you at the same document only if you modify only the hash.

pushState mozilla docs

SecurityError: This operation is insecure when calling domtoimage.toPng() in OpenLayers example

I think there should be something like:

new ol.layer.Tile({
  name: 'name',
  source: new ol.source.TileWMS({
    ...
    crossOrigin: 'anonymous' // <-- Add this to the json.
  })
})

Read more:

https://openlayers.org/en/v4.6.5/apidoc/ol.source.ImageWMS.html
https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_enabled_image

How does pushState protect against potential content forgeries?

My understanding is that this is perfectly consistent with the Same Origin Policy that governs XMLHttpRequest, setting cookies, and various other browser functions. The assumption is that if it's on the same domain + protocol + port, it's a trusted resource. Usually, as a web developer, that's what you want (and need) in order for your AJAX scripts to work and your cookies to be readable throughout your site. If you are running a site where users can post content, it's your job, not the browser's, to make sure they can't phish or keylog each other's visitors.

Here's some more detail on what the Firefox folks are thinking about pushState - it doesn't seem like this is an issue for them. There's another discussion of a possible pushState security hole here, but it's a different concern, about being able to hide a malicious querystring on the end of someone else's URL.


