Test case: http://persistent.info/webkit/test-cases/pushstate-https/test.html.
To reproduce:
1. Click either link (which onclick does a history.pushState followed by a location.replace)
2. Press the back button
The page (google.com) is still displayed, but with the URL of the testcase. This may have the same cause as bug 49654.
Abishek, does this have any security implications? As far as I can tell, an attacker could get the location bar to show a URL under his control while the page contents are not, so it's not exploitable for spoofing, but I might be missing something.
Thanks Mihai. This does look like it will be fixed by Johnny's patch. Johnny, can you please double check? I don't see a security issue here unless page contents are controllable.
(In reply to comment #2)
> Thanks Mihai. This does look like it will be fixed by Johnny's patch. Johnny, can you please double check? I don't see a security issue here unless page contents are controllable.
I am rethinking my patch in bug 49654 according to Darin's comments; it may take a few days to find another solution.
Darin is working on bug 49654, and is pretty sure that his fix will take care of this too.
*** This bug has been marked as a duplicate of bug 49654 ***