- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 20 Jul 2011 01:12:19 +0000 (UTC)
IE7 and up, in both quirks and non-quirks modes, ignores <base href> in
the <body> of a page. This is intended to protect against a situation
where a whitelist-based content filter disallows all scripts but does not
disallow <base>, and the page contains a relative URL in a <script> after
an area of the page under attacker control.
Would other browser vendors be willing to change to only look at <base
href> in <head>?
The change to the spec would just be changing this step in the "document
base URL" definition:
4. If there is no base element that has an href attribute, then the
document base URL is fallback base url; abort these steps. Otherwise,
let url be the value of the href attribute of the first such element.
...to limit the search just to children of the <head> element.
Note that there is a compatibility risk, in that IE7-9 parse certain
elements into the <head> where the HTML parser spec does not. For example:
<!DOCTYPE HTML>
<html>
<head>
<title>Demo</title>
</head>
<!-- implied <body> -->
<form>
<input type=hidden>
<base href="">
...will end up with the <head> element containing a <form> element that
itself contains the <base> element.
IE10 parses this like other browsers, so it would be affected by the same
compatibility concern.
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 19 July 2011 18:12:19 UTC