A richer history API is also coming as a part of HTML5. http://www.whatwg.org/specs/web-apps/current-work/multipage/history.html
On Mon, Aug 2, 2010 at 12:47 PM, Brian Eaton <bea...@google.com> wrote:
> On Mon, Aug 2, 2010 at 9:23 AM, Oleg Gryb <oleg_g...@yahoo.com> wrote:
>
> > What about browsing history? I've just run the JSP below in Tomcat and
> > found out that Firefox remembers the redirect in the browsing history. It'll
> > be a problem in a shared desktop or Internet kiosk environment.
>
> I think the best practice for authentication tokens passed on URLs is
> to clean the URL as soon as it is received.
>
> For the web server flow, that would mean sending a 302 after receiving
> the authorization code.
>
> For the user-agent/javascript flow, that would mean copying the token
> into a cookie or a javascript variable, and then using
> window.location.replace() to clean the URL.
>
> My javascript ninja sources tell me that location.replace() cleans the
> browser history, but I haven't actually tested it. The mozilla
> documentation is very clear on the expected behavior:
>
> https://developer.mozilla.org/en/window.location
>
> "Replace the current document with the one at the provided URL. The
> difference from the assign() method is that after using replace() the
> current page will not be saved in session history, meaning the user
> won't be able to use the Back button to navigate to it."
>
> Cheers,
> Brian
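The user-agent flow cleanup Brian describes (copy the token out of the URL into a JavaScript variable, then call location.replace() so the token-bearing URL does not stay in session history), written out as an added example that is not part of this thread. It assumes the token arrives as access_token in the fragment (user-agent flow) or as code in the query string (web server flow) and that the redirect URI may carry other parameters such as state that should be preserved; the parameter names and the sample callback URLs are constructed for the example.

```javascript
// Added example, not from the OAuth list thread. Splits OAuth secrets out of
// a redirect URL and replaces the current history entry with a clean URL.
// Assumption: parameter names follow the OAuth 2.0 draft conventions
// (access_token in the fragment, code in the query); sample URLs are constructed.

const SENSITIVE_PARAMS = ['access_token', 'code', 'id_token', 'refresh_token'];

// Pure helper: returns the secrets found in the query string and fragment,
// plus the same URL with those parameters removed. Other parameters
// (e.g. state, token_type, expires_in) are left in place.
function splitSecretsFromUrl(urlString) {
  const url = new URL(urlString);
  const secrets = {};

  // Query string: ?code=... in the web server flow. The query is sent to the
  // server, so it can also land in access logs and Referer headers.
  for (const name of SENSITIVE_PARAMS) {
    if (url.searchParams.has(name)) {
      secrets[name] = url.searchParams.get(name);
      url.searchParams.delete(name);
    }
  }

  // Fragment: #access_token=... in the user-agent flow. The fragment never
  // reaches the server, but the browser still stores it in history.
  if (url.hash.length > 1) {
    const fragParams = new URLSearchParams(url.hash.slice(1));
    for (const name of SENSITIVE_PARAMS) {
      if (fragParams.has(name)) {
        secrets[name] = fragParams.get(name);
        fragParams.delete(name);
      }
    }
    const rest = fragParams.toString();
    url.hash = rest ? '#' + rest : '';
  }

  return { secrets, cleanUrl: url.toString() };
}

// Browser entry point. `win` defaults to the real window; a constructed
// window-like object can be passed in for offline testing.
function scrubLocation(win = globalThis.window) {
  if (!win || !win.location) return null; // not running in a browser

  const { secrets, cleanUrl } = splitSecretsFromUrl(win.location.href);
  if (Object.keys(secrets).length === 0) return secrets; // nothing to clean

  // Keep the token in a JavaScript variable (or sessionStorage), never in
  // the URL. The property name is a constructed example.
  win.__oauthSecrets = secrets;

  // location.replace() swaps the current history entry instead of pushing
  // a new one, so the Back button will not return to the token-bearing URL.
  win.location.replace(cleanUrl);
  return secrets;
}

// Usage in a page loaded at the redirect URI:
//   const secrets = scrubLocation();
//   if (secrets && secrets.access_token) { /* call the API with it */ }
```

Two caveats that the replace() call does not address: a query-string code has already been sent to the server (and possibly logged) before any script runs, which is why the 302-after-receipt advice for the web server flow is separate, and replace() only rewrites the session history entry, so the scrub must run before any other script or analytics on the page reads the URL.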
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth