
webappsec-ISSUE-48 (base uri): injection of a <base> tag to change effective location of relative resources [CSP 1.1]

From: Web Application Security Working Group Issue Tracker <sysbot+tracker@w3.org>
Date: Thu, 25 Apr 2013 19:25:58 +0000
Message-Id: <E1UVRnq-000382-3s@nelson.w3.org>
To: public-webappsec@w3.org

http://www.w3.org/2011/webappsec/track/issues/48

Raised by: Brad Hill
On product: CSP 1.1

Questions:

  1. how many sites are vulnerable to this?
  2. how many sites currently set both an explicit base and use CSP?
  3. how common generally is the use of base?

Probably most common on static sites that may have been moved from one location to another (a way to avoid fixup of all links).

If breakage is minimal, setting CSP at all might imply that <base> is ignored unless whitelisted in the policy.  
Received on Thursday, 25 April 2013 19:26:02 UTC
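
An added illustration of the issue above, not part of the original message or of any specification text: it lists which relative references in a page change origin once a `<base>` element is applied, and models the proposal that a page with a policy ignores `<base>` unless its origin is allowed. The URLs, the sample markup, and the names `findBaseHref`, `effectiveBase`, `movedRefs` and `allowedBases` are all constructed for this example.

```javascript
// Added example: names, URLs and markup below are constructed for illustration.
const PAGE_URL = "https://site.example/app/index.html";
const SAMPLE_HTML = `
<base href="https://other.example/">
<script src="js/app.js"></script>
<form action="login"></form>
<img src="https://cdn.example/logo.png">`;

// Return the href of the first <base> element, or null. Regex scanning is
// adequate for this small sample; use a real HTML parser for live pages.
function findBaseHref(html) {
  const m = /<base\b[^>]*\bhref\s*=\s*["']([^"']*)["']/i.exec(html);
  return m ? m[1] : null;
}

// Model of the proposal in the message: when a policy is present, <base> is
// honoured only if its origin is in allowedBases (hypothetical parameter).
function effectiveBase(pageUrl, baseHref, hasPolicy, allowedBases = []) {
  if (baseHref === null) return pageUrl;
  const candidate = new URL(baseHref, pageUrl);
  if (hasPolicy && !allowedBases.includes(candidate.origin)) return pageUrl;
  return candidate.href;
}

// List the references whose origin differs once the base URL is applied.
// Absolute URLs are unaffected by <base>, so they never appear in the result.
function movedRefs(html, pageUrl, base) {
  const body = html.replace(/<base\b[^>]*>/gi, ""); // skip the base's own href
  const re = /\b(?:src|href|action)\s*=\s*["']([^"']+)["']/gi;
  const moved = [];
  for (const [, ref] of body.matchAll(re)) {
    const before = new URL(ref, pageUrl);
    const after = new URL(ref, base);
    if (before.origin !== after.origin) {
      moved.push({ ref, before: before.href, after: after.href });
    }
  }
  return moved;
}
```

Running `movedRefs` over a crawl sample, together with a check for a policy header on each response, gives a rough count for the second and third questions in the message.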
