1. 7.8 Browsing the web
      1. 7.8.1 History traversal
        1. 7.8.1.1 The PopStateEvent interface
        2. 7.8.1.2 The HashChangeEvent interface
        3. 7.8.1.3 The PageTransitionEvent interface
      2. 7.8.2 Unloading documents
        1. 7.8.2.1 The BeforeUnloadEvent interface
      3. 7.8.3 The `X-Frame-Options` header

7.8 Browsing the web

7.8.1 History traversal

7.8.1.1 The PopStateEvent interface

event . state

Returns a copy of the information that was provided to pushState() or replaceState().

7.8.1.2 The HashChangeEvent interface

event . oldURL

Returns the URL of the session history entry that was previously current.

event . newURL

Returns the URL of the session history entry that is now current.

7.8.1.3 The PageTransitionEvent interface

event . persisted

For the pageshow event, returns false if the page is newly being loaded (and the load event will fire). Otherwise, returns true.

For the pagehide event, returns false if the page is going away for the last time. Otherwise, returns true, meaning that (if nothing conspires to make the page unsalvageable) the page might be reused if the user navigates back to this page.

Things that can cause the page to be unsalvageable include:

7.8.2 Unloading documents

7.8.2.1 The BeforeUnloadEvent interface

There are no BeforeUnloadEvent-specific initialization methods.

The BeforeUnloadEvent interface is a legacy interface which allows prompting to unload to be controlled not only by canceling the event, but by setting the returnValue attribute to a value besides the empty string. Authors should use the preventDefault() method, or other means of canceling events, instead of using returnValue.

7.8.3 The `X-Frame-Options` header

The `X-Frame-Options` HTTP response header is a legacy way of controlling whether and how a Document may be loaded inside of a child browsing context. It is obsoleted by the frame-ancestors CSP directive, which provides more granular control over the same situations. It was originally defined in HTTP Header Field X-Frame-Options, but the definition here supersedes that document. [CSP] [RFC7034]

In particular, HTTP Header Field X-Frame-Options specified an `ALLOW-FROM` variant of the header, but that is not to be implemented.

If both a CSP frame-ancestors directive and an `X-Frame-Options` header are used in the same response, then `X-Frame-Options` is ignored.

For web developers and conformance checkers, its value ABNF is:

X-Frame-Options = "DENY" / "SAMEORIGIN"

The following table illustrates the processing of various values for the header, including non-conformant ones:

| `X-Frame-Options` | Valid | Result |
| --- | --- | --- |
| `DENY` | yes | embedding disallowed |
| `SAMEORIGIN` | yes | same-origin embedding allowed |
| `INVALID` | no | embedding allowed |
| `ALLOWALL` | no | embedding allowed |
| `ALLOW-FROM=https://example.com/` | no | embedding allowed (from anywhere) |

The following table illustrates how various non-conformant cases involving multiple values are processed:

| `X-Frame-Options` | Result |
| --- | --- |
| `SAMEORIGIN, SAMEORIGIN` | same-origin embedding allowed |
| `SAMEORIGIN, DENY` | embedding disallowed |
| `SAMEORIGIN,` | embedding disallowed |
| `SAMEORIGIN, ALLOWALL` | embedding disallowed |
| `SAMEORIGIN, INVALID` | embedding disallowed |
| `ALLOWALL, INVALID` | embedding disallowed |
| `ALLOWALL,` | embedding disallowed |
| `INVALID, INVALID` | embedding allowed |

The same results are obtained whether the values are delivered in a single header whose value is comma-delimited, or in multiple headers.
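
The processing shown in the two tables can be modelled in a few lines, which is useful for auditing response headers that look protective but leave embedding open. This is an added example, not part of the specification text: `classifyXfo` and its parameters are hypothetical names, the deduplicate-then-check-for-conflicts logic is chosen to reproduce the table rows, and case-insensitive matching is an assumption.

```javascript
// Added example: reproduces the results in the two tables above.
// classifyXfo and its parameter names are hypothetical, not a browser API.
const KEYWORDS = ["deny", "sameorigin", "allowall"];

function classifyXfo(headerValues, hasFrameAncestors = false) {
  // Several headers are processed like one comma-delimited value.
  const raw = headerValues.join(",").split(",")
    .map((v) => v.trim().toLowerCase()); // assumption: case-insensitive match
  // Conformant per the ABNF: exactly one value, DENY or SAMEORIGIN.
  const conformant = raw.length === 1 && ["deny", "sameorigin"].includes(raw[0]);

  // A frame-ancestors directive in the same response means XFO is ignored.
  if (hasFrameAncestors) return { conformant, result: "X-Frame-Options ignored" };

  const unique = [...new Set(raw)];
  let result = "embedding allowed";
  if (unique.length > 1) {
    // Conflicting values: blocked as soon as any known keyword is among them.
    if (unique.some((v) => KEYWORDS.includes(v))) result = "embedding disallowed";
  } else if (unique[0] === "deny") {
    result = "embedding disallowed";
  } else if (unique[0] === "sameorigin") {
    result = "same-origin embedding allowed";
  }
  return { conformant, result };
}

// Constructed sample responses: flag headers that look protective but are not.
const samples = [["DENY"], ["ALLOW-FROM=https://example.com/"], ["SAMEORIGIN", "ALLOWALL"]];
for (const headers of samples) {
  const { conformant, result } = classifyXfo(headers);
  console.log(JSON.stringify(headers), "->", result, conformant ? "" : "(non-conformant)");
}
```

A header audit would report every response where `conformant` is false, since those either permit embedding from anywhere or block it only as a side effect of conflicting values.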