
Re: webappsec-ISSUE-48 (base uri): injection of a <base> tag to change effective location of relative resources [CSP 1.1]

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 26 Apr 2013 11:07:06 +0100
Message-ID: <CADnb78j1Dmtv=V_djCJuxBnBL=pt5G-_1-QBW-ZH-e9ZAPi3Ng@mail.gmail.com>
To: Web Application Security Working Group <public-webappsec@w3.org>

On Thu, Apr 25, 2013 at 8:25 PM, Web Application Security Working
Group Issue Tracker <sysbot+tracker@w3.org> wrote:
> If breakage is minimal, setting CSP at all might imply that <base> is ignored unless whitelisted in the policy.

In XML (and in HTML via script), xml:base can affect a bunch of URLs
as well (not quite as much as <base> though). Should CSP take that
into account?


--
http://annevankesteren.nl/
Received on Friday, 26 April 2013 10:07:33 UTC
