1. 7.9 Browsing the web
      1. 7.9.1 History traversal
        1. 7.9.1.1 The PopStateEvent interface
        2. 7.9.1.2 The HashChangeEvent interface
        3. 7.9.1.3 The PageTransitionEvent interface
      2. 7.9.2 Unloading documents
        1. 7.9.2.1 The BeforeUnloadEvent interface
      3. 7.9.3 The `X-Frame-Options` header

7.9 Browsing the web

7.9.1 History traversal

7.9.1.1 The PopStateEvent interface

PopStateEvent

Support in all current engines.

Firefox4+Safari6+Chrome4+
Opera12.1+Edge79+
Edge (Legacy)12+Internet Explorer10+
Firefox Android4+Safari iOS6+Chrome Android18+WebView Android37+Samsung Internet1.0+Opera Android12.1+
event.state

Returns a copy of the information that was provided to pushState() or replaceState().

7.9.1.2 The HashChangeEvent interface

HashChangeEvent

Support in all current engines.

Firefox3.6+Safari5+Chrome5+
Opera10.6+Edge79+
Edge (Legacy)12+Internet Explorer8+
Firefox Android4+Safari iOS5+Chrome AndroidYesWebView Android37+Samsung InternetYesOpera Android11+
event.oldURL

Returns the URL of the session history entry that was previously current.

event.newURL

Returns the URL of the session history entry that is now current.

7.9.1.3 The PageTransitionEvent interface

PageTransitionEvent

Support in all current engines.

Firefox1.5+Safari5+Chrome4+
Opera15+Edge79+
Edge (Legacy)12+Internet Explorer11
Firefox Android4+Safari iOS4+Chrome Android18+WebView Android37+Samsung Internet1.0+Opera Android14+
event.persisted

For the pageshow event, returns false if the page is newly being loaded (and the load event will fire). Otherwise, returns true.

For the pagehide event, returns false if the page is going away for the last time. Otherwise, returns true, meaning that the page might be reused if the user navigates back to this page (if the Document's salvageable state stays true).

Things that can cause the page to be unsalvageable include:

7.9.2 Unloading documents

7.9.2.1 The BeforeUnloadEvent interface

BeforeUnloadEvent

Support in all current engines.

Firefox1.5+Safari7+Chrome30+
Opera17+Edge79+
Edge (Legacy)12+Internet Explorer4+
Firefox Android4+Safari iOS7+Chrome Android30+WebView Android37+Samsung Internet3.0+Opera Android18+

There are no BeforeUnloadEvent-specific initialization methods.

The BeforeUnloadEvent interface is a legacy interface which allows prompting to unload to be controlled not only by canceling the event, but by setting the returnValue attribute to a value besides the empty string. Authors should use the preventDefault() method, or other means of canceling events, instead of using returnValue.

7.9.3 The `X-Frame-Options` header

The `X-Frame-Options` HTTP response header is a legacy way of controlling whether and how a Document may be loaded inside of a child browsing context. It is obsoleted by the frame-ancestors CSP directive, which provides more granular control over the same situations. It was originally defined in HTTP Header Field X-Frame-Options, but the definition here supersedes that document. [CSP] [RFC7034]

In particular, HTTP Header Field X-Frame-Options specified an `ALLOW-FROM` variant of the header, but that is not to be implemented.

If both a CSP frame-ancestors directive and an `X-Frame-Options` header are used in the same response, then `X-Frame-Options` is ignored.

For web developers and conformance checkers, its value ABNF is:

X-Frame-Options = "DENY" / "SAMEORIGIN"

The following table illustrates the processing of various values for the header, including non-conformant ones:

`X-Frame-Options`ValidResult
`DENY`embedding disallowed
`SAMEORIGIN`same-origin embedding allowed
`INVALID`embedding allowed
`ALLOWALL`embedding allowed
`ALLOW-FROM=https://example.com/`embedding allowed (from anywhere)

The following table illustrates how various non-conformant cases involving multiple values are processed:

`X-Frame-Options`Result
`SAMEORIGIN, SAMEORIGIN`same-origin embedding allowed
`SAMEORIGIN, DENY`embedding disallowed
`SAMEORIGIN,`embedding disallowed
`SAMEORIGIN, ALLOWALL`embedding disallowed
`SAMEORIGIN, INVALID`embedding disallowed
`ALLOWALL, INVALID`embedding disallowed
`ALLOWALL,`embedding disallowed
`INVALID, INVALID`embedding allowed

The same results are obtained whether the values are delivered in a single header whose value is comma-delimited, or in multiple headers.