w3c / webextensions

Charter and administrivia for the WebExtensions Community Group (WECG)
Other
599 stars 56 forks source link

Proposal: Support `loadReplace` for `tabs.update()` #664

Open mshibanami opened 3 months ago

mshibanami commented 3 months ago

Background

On Firefox, the tabs.update() function can have a loadReplace parameter, which allows developers to specify whether the new URL should replace the old URL in the tab's navigation history, like this:

browser.tabs.update(
    tabId,
    { url: url, loadReplace: true });
}

It's not implemented in other browsers. However, replacing the navigation history is a pretty common use case.

You can call window.location.replace() in content.js for sure, but it's still beneficial when you want to call it before content.js is loaded.

Proposal

It would be great if this loadReplace parameter were standardized and extensions could specify it in Safari, Chrome, etc.

Misc

dotproto commented 2 months ago

During the 2024-08-01 meeting I mentioned that I was concerned about potential abuse scenarios with replacing the current URL. Someone else mentioned that the web's history.replaceState() already provides this capability. I took a closer look after the meeting and was surprised to find that it was possible to use replaceState() to navigate to another origin.

I also searched for abuse patterns, attacks, or annoyances related to the use of replaceState() but didn't find anything notable. The only potential misuse I can see at the moment loading a page that triggers a browser exploit, then using history replacement to mask that the page was loaded. That said, since replaceState() is already exposed on the web, a malicious website could already do this without the assistance of an extension.

At this point I don't see any concerns with this capability.