
Fix history state navigation security issue

Open gitbugr opened this issue 1 year ago • 2 comments

Implements the changes proposed in the following comment, https://github.com/inertiajs/inertia/pull/1784#issuecomment-2134173531, back in May, without the server-side header idea (not against it, though I thought it was out of scope for this and I didn't want to touch more than I needed to), and using window.sessionStorage instead of window.localStorage.

To summarise the comment and what this PR does:

  • Moves page cached history from being stored in window.history.state (which cannot be cleared, presenting a potential security issue if private information is stored in page props) to window.sessionStorage, which lives for the lifetime of the tab (though most browsers ignore security concerns by allowing users to restore sessions) and can be cleared in JS.
  • Adds a public method to the router, router.clearHistory(), for clearing history state.

Related tickets/pull-requests:

  • https://github.com/inertiajs/inertia/pull/1784
  • https://github.com/inertiajs/inertia/issues/247
  • https://github.com/inertiajs/inertia/issues/102

gitbugr, Oct 05 '24 14:10
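The storage split the PR describes, as an added example that is not Inertia's own code: page props are written to a Web Storage object under an opaque key, only that key stands in for what would be kept in history.state, and clearHistory() removes every cached page so a later back navigation finds nothing to restore. The Web Storage stand-in, the key prefix and the counter-based key are assumptions made so the example runs outside a browser; in a browser you would pass window.sessionStorage and use a random id.

```javascript
// In-memory stand-in for window.sessionStorage (assumption: same getItem /
// setItem / removeItem / key / length surface as the Web Storage API).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
    key: (i) => Array.from(m.keys())[i] ?? null,
    get length() { return m.size; },
  };
}

const PREFIX = 'inertia-history:'; // constructed key prefix, not Inertia's

function createHistoryStore(storage) {
  let seq = 0;
  const stateEntries = []; // what history.state would hold: keys only, no props

  // Cache a page: props go to storage, only the opaque key is kept in state.
  function push(page) {
    const key = `${PREFIX}${++seq}`; // a real implementation would use a random id
    storage.setItem(key, JSON.stringify(page));
    stateEntries.push({ key });
    return key;
  }

  // Resolve a history entry back to its cached page; null means the cache was
  // cleared and the caller must fetch the page from the server again.
  function restore(key) {
    const raw = storage.getItem(key);
    return raw === null ? null : JSON.parse(raw);
  }

  // Remove every cached page; keys still sitting in history.state now dangle,
  // which is the point: the props are gone even though the entries remain.
  function clearHistory() {
    for (let i = storage.length - 1; i >= 0; i--) {
      const k = storage.key(i);
      if (k !== null && k.startsWith(PREFIX)) storage.removeItem(k);
    }
  }

  return { push, restore, clearHistory, keys: () => stateEntries.map((e) => e.key) };
}
```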