
Fix history state navigation security issue

Open gitbugr opened this issue 1 year ago • 2 comments

Implements changes proposed in the following comment https://github.com/inertiajs/inertia/pull/1784#issuecomment-2134173531 back in May, without the server-side header idea (not against it, though I thought it was out of scope for this, and I didn't want to touch more than I needed to.), and using window.sessionStorage instead of window.localStorage.

To summarise the comment and what this PR does:

  • Moves page cached history from being stored in window.history.state (which cannot be cleared, presenting a potential security issue if private information is stored in page props.), to window.sessionStorage, which lives for the lifetime of the tab (though most browsers ignore security concerns by allowing users to restore sessions...) and can be cleared in JS.
  • Added a public method to the router, router.clearHistory(), for clearing history state.

Related tickets/pull-requests:

  • https://github.com/inertiajs/inertia/pull/1784
  • https://github.com/inertiajs/inertia/issues/247
  • https://github.com/inertiajs/inertia/issues/102

gitbugr avatar Oct 05 '24 14:10 gitbugr

~Not sure what's up with the tests, here, the error modal test fails, but when running locally with the gui they all pass?~

I've got it. Was using crypto.randomUUID() which isn't compatible with the current cypress electron version.

gitbugr avatar Oct 05 '24 17:10 gitbugr

I've added somewhat of a guard against using more than ~1MB (+/- the size of one Page - somewhat arbitrarily chosen. Max is 5MB, but inertia should never fill that and prevent devs from being able to use it themselves.) of session storage for history. Upon reaching > 1MB, it will begin to shift items out of session storage to prevent the unlikely but possible QUOTA_EXCEEDED_ERR mentioned in https://github.com/inertiajs/inertia/pull/1784#issuecomment-2135605208.

gitbugr avatar Oct 06 '24 12:10 gitbugr
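The design described in the PR description and the ~1MB guard from the comment above, as an added example that is not Inertia's code or this PR's diff: a page-history cache kept in a Storage-like object (window.sessionStorage in the browser), evicting the oldest entries once a byte budget is exceeded, with a clear() in the spirit of router.clearHistory(). The key names, the byte budget, and the in-memory Storage stand-in are assumptions made for the example.

```javascript
// Added example, not Inertia's own code: page history cached in a Storage-like
// object with a byte budget (oldest entries shifted out) and an explicit clear().
const KEY_PREFIX = 'inertia:history:'      // assumed key namespace
const INDEX_KEY = 'inertia:history:index'  // ordered list of cached entry ids

// Web Storage holds UTF-16 strings, so count two bytes per code unit.
function byteLength(str) {
  return str.length * 2
}

function createHistoryStore(storage, maxBytes = 1024 * 1024) {
  const readIndex = () => JSON.parse(storage.getItem(INDEX_KEY) || '[]')
  const writeIndex = (ids) => storage.setItem(INDEX_KEY, JSON.stringify(ids))
  const usedBytes = (ids) =>
    ids.reduce((sum, id) => sum + byteLength(storage.getItem(KEY_PREFIX + id) || ''), 0)

  return {
    // Cache a page snapshot, then shift out the oldest entries while over budget.
    // The newest entry is always kept, so a single oversized page may still exceed maxBytes.
    put(id, page) {
      storage.setItem(KEY_PREFIX + id, JSON.stringify(page))
      const ids = readIndex().filter((x) => x !== id)
      ids.push(id)
      while (ids.length > 1 && usedBytes(ids) > maxBytes) {
        storage.removeItem(KEY_PREFIX + ids.shift())
      }
      writeIndex(ids)
    },
    get(id) {
      const json = storage.getItem(KEY_PREFIX + id)
      return json === null ? null : JSON.parse(json)
    },
    // Drop every cached page (e.g. on logout) so props stop lingering in the tab.
    clear() {
      readIndex().forEach((id) => storage.removeItem(KEY_PREFIX + id))
      storage.removeItem(INDEX_KEY)
    },
    size() { return readIndex().length },
  }
}

// Constructed in-memory stand-in for Storage so the example also runs outside a browser;
// in a page you would pass window.sessionStorage instead.
function memoryStorage() {
  const map = new Map()
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)) },
    removeItem: (k) => { map.delete(k) },
  }
}
```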

Thank you for your work on this PR. As this is now addressed in v2, there are no plans to secure this further for v1.

joetannenbaum avatar Apr 09 '25 21:04 joetannenbaum