
SecurityError: The operation is insecure - window.history.pushState()

I'm getting this error in Firefox's Console: SecurityError: The operation is insecure, and the culprit is the HTML5 feature window.history.pushState(), when I try to load something with AJAX. It is supposed to load some data, but JavaScript stops executing on the error.

I'm wondering why this may be happening. Is this some server misconfiguration? Any help would be appreciated.

UPDATE: Yes, it was a server error with domain name not matching: http://en.wikipedia.org/wiki/Same-origin_policy

Atadj asked Nov 12 '12 17:11 (511 likes)


People also ask

What does Window history pushState do?

The pushState() method adds an entry to the browser's session history stack.

Does history pushState reload page?

This function is not intended to reload the page. All it does is add (push) a new "state" onto the browser history, so that in future the user will be able to return to the state the web page is in now.


5 Answers

Make sure you are following the Same Origin Policy. This means same domain, same subdomain, same protocol (http vs https) and same port.

How does pushState protect against potential content forgeries?

EDIT: As @robertc aptly pointed out in his comment, some browsers actually implement slightly different security policies when the origin is file:///. Not to mention you can encounter problems when testing locally with file:/// when the page expects it is running from a different origin (and so your pushState assumes production origin scenarios, not localhost scenarios).

Matt answered Oct 23 '22 20:10 (140 likes)


We experienced the SecurityError: The operation is insecure when a user disabled their cookies prior to visiting our site; any subsequent XHR requests trying to use the session would obviously fail and cause this error.

oliverguenther answered Oct 23 '22 22:10 (12 likes)


In my case I was missing 'www.' from the URL I was pushing. It must be an exact match: if you're working on www.test.com, you must push to www.test.com and not test.com.

Adam answered Oct 23 '22 22:10 (4 likes)


You should try not to open the file with a folder-explorer method (i.e. file://), but open that file from http:// (i.e. http://yoursite.com/ from http://localhost/).

T.Todua answered Oct 23 '22 22:10 (4 likes)


I had this problem on ReactJS history push; it turned out I was trying to open a //link (with double slashes).

Ayoub Laazazi answered Oct 23 '22 22:10 (2 likes)
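
Most of the answers above come down to the URL passed to pushState() resolving to a different origin than the document. As an added example (not code from any of the answers), the check below resolves a target against the document URL the way a browser would and reports which part of the origin differs. The function name checkPushTarget and the sample URLs are constructed for illustration, and rejecting file: documents is a conservative assumption, since browsers differ there.

```javascript
// Added example: pre-flight check for history.pushState() targets.
// checkPushTarget is a hypothetical helper; all URLs below are constructed.
function checkPushTarget(target, documentUrl) {
  const doc = new URL(documentUrl);
  let dest;
  try {
    // Relative and protocol-relative ("//host") targets resolve against the
    // document URL, exactly as they would inside pushState().
    dest = new URL(target, doc);
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (doc.protocol === "file:") {
    // Assumption: treat file: documents as unsafe because browser policy varies.
    return { ok: false, reason: "file: document", resolved: dest.href };
  }
  // Same origin = same scheme, same host (subdomain included), same port.
  // The URL parser reports default ports as "", so :80 on http compares equal.
  const diff = ["protocol", "hostname", "port"].filter((p) => doc[p] !== dest[p]);
  return diff.length
    ? { ok: false, reason: diff.join("+") + " mismatch", resolved: dest.href }
    : { ok: true, resolved: dest.href };
}

// Constructed cases mirroring the answers: missing "www.", http vs https,
// a different port, a "//link" target, and a page opened from disk.
const page = "http://www.test.com/list";
const samples = [
  ["/page/2", page],
  ["http://test.com/page/2", page],
  ["https://www.test.com/page/2", page],
  ["http://www.test.com:8080/page/2", page],
  ["//link", page],
  ["page2.html", "file:///C:/site/index.html"],
];
for (const [target, doc] of samples) {
  const r = checkPushTarget(target, doc);
  console.log(target.padEnd(34), r.ok ? "ok" : "blocked: " + r.reason);
}
```

Calling the check before pushState() lets the page fall back to a normal navigation instead of letting the SecurityError abort the rest of the script.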