history.pushState pollution
Pile up iframe-owned history entries and interfere with the parent tab's back navigation.
Behavior by sandbox policy
| Policy | Expected result |
|---|---|
| No sandbox | works |
| sandbox="allow-scripts" | works |
| sandbox="" (strictest) | blocked |
Embed snippet
This snippet uses the dedicated embed page. Paste it into your own service and check rendering or blocking behavior.
<iframe src="https://xss-playground.com/embed/history-pollution?lang=en" title="XSS Playground - history.pushState pollution" width="600" height="420" loading="lazy" referrerpolicy="strict-origin-when-cross-origin"></iframe>
Explanation
- An iframe's pushState call only changes the iframe's own URL, but the entries it creates pile up on the parent tab's back stack. A user trying to go back to a previous page of the service may instead only step through the iframe's history.
- Attack value is mostly annoyance / trapping the user on the site.
- With sandbox="" (empty), JS is blocked and so is this attack. With just allow-scripts, the history API is freely callable.
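The embedding page can watch for this from its side, because history.length counts the tab's whole back stack, iframe entries included. The sketch below is an added example, not code from XSS Playground; createHistoryWatch, noteOwnEntry, check and the data-untrusted marker attribute are assumed names.

```javascript
// Added example: parent-side watcher for back-stack growth the parent did not cause.
// getLength is injected so the logic can be exercised outside a browser.
function createHistoryWatch(getLength, threshold = 3) {
  let baseline = getLength(); // entries present when the watch started
  let own = 0;                // entries the parent page added itself

  return {
    // Call whenever the parent itself calls history.pushState or follows a hash link.
    noteOwnEntry() {
      own += 1;
    },
    // Returns how many entries are unexplained and whether that crosses the threshold.
    check() {
      const length = getLength();
      let unexplained = length - baseline - own;
      if (unexplained < 0) {
        // Forward entries were dropped (user went back, then a new entry was pushed).
        baseline = length;
        own = 0;
        unexplained = 0;
      }
      return { unexplained, polluted: unexplained >= threshold };
    },
  };
}

// Browser wiring; skipped when there is no DOM.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const frame = document.querySelector('iframe[data-untrusted]'); // assumed marker
  const watch = createHistoryWatch(() => window.history.length);
  const timer = setInterval(() => {
    if (frame && watch.check().polluted) {
      clearInterval(timer);
      // Swap in a fresh copy with the strictest policy from the table above.
      const strict = frame.cloneNode(false);
      strict.setAttribute('sandbox', '');
      frame.replaceWith(strict);
    }
  }, 1000);
}
```

Entries already pushed stay in the back stack after the swap; the watcher only stops further growth.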