- From: Anne van Kesteren <annevk@opera.com>
- Date: Wed, 20 Jul 2011 16:59:31 +0200
On Wed, 20 Jul 2011 16:54:25 +0200, Boris Zbarsky <bzbarsky at mit.edu> wrote: > On 7/20/11 4:54 AM, Anne van Kesteren wrote: >> On Wed, 20 Jul 2011 05:07:05 +0200, Boris Zbarsky <bzbarsky at mit.edu> >> wrote: >>> That said, I'm not sure I understand the security concern. What kind >>> of whitelist-based filter would let through <script>s whose URIs it >>> does not control, exactly? Can the security concern be mitigated by >>> only allowing <base> outside <head> if the base URI it sets is >>> same-origin with the document? >> >> The <script> is from the page itself and uses a relative URL. The <base> >> is inserted by the attacker and causes the script to be requested from a >> server under the attacker's control. > > OK, thanks. That was about the only threat model I could think of > here... > > It sounds like my proposal above would mitigate this threat, yes? Yes. -- Anne van Kesteren http://annevankesteren.nl/
Received on Wednesday, 20 July 2011 07:59:31 UTC