[whatwg] <base> in <body>

IE7 and up, in both quirks and non-quirks modes, ignores <base href> in 
the <body> of a page. This is intended to protect against a situation 
where a whitelist-based content filter disallows all scripts but does not 
disallow <base>, and the page contains a relative URL in a <script> after 
an area of the page under attacker control.

Would other browser vendors be willing to change to only look at <base 
href> in <head>?

The change to the spec would just be changing this step in the "document 
base URL" definition:

4. If there is no base element that has an href attribute, then the 
   document base URL is fallback base url; abort these steps. Otherwise, 
   let url be the value of the href attribute of the first such element.

...to limit the search just to children of the <head> element.

Note that there is a compatibility risk, in that IE7-9 parse certain 
elements into the <head> where the HTML parser spec does not. For example:

   <!DOCTYPE HTML>
   <html>
    <head>
     <title>Demo</title>
    </head>
    <!-- implied <body> -->
     <form>
      <input type=hidden>
      <base href="">

...will end up with the <head> element containing a <form> element that 
itself contains the <base> element.

IE10 parses this like other browsers, so it would be affected by the same 
compatibility concern.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Tuesday, 19 July 2011 18:12:19 UTC
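
The following is an added example, not part of the message above or of the spec text. It models step 4 of the "document base URL" definition under the current wording and under the proposed children-of-<head> wording, over a constructed element tree. The tree shape, host names and function names are assumptions made for the illustration.

```javascript
// Constructed element tree: nodes are { tag, attrs, children }.
const el = (tag, attrs = {}, children = []) => ({ tag, attrs, children });

// Depth-first walk in tree order over all descendant elements.
function* descendants(node) {
  for (const child of node.children) {
    yield child;
    yield* descendants(child);
  }
}

const isBaseWithHref = (n) => n.tag === "base" && "href" in n.attrs;

// Step 4 as quoted: the first <base href> anywhere in the document.
function firstBaseAnywhere(html) {
  for (const n of descendants(html)) if (isBaseWithHref(n)) return n;
  return null;
}

// Step 4 as proposed: search only the children of <head>.
function firstBaseInHead(html) {
  const head = html.children.find((n) => n.tag === "head");
  return (head && head.children.find(isBaseWithHref)) || null;
}

// No usable <base href> means the fallback base URL is the document base URL.
function documentBaseURL(html, fallbackBaseURL, findBase) {
  const base = findBase(html);
  if (!base) return fallbackBaseURL;
  try { return new URL(base.attrs.href, fallbackBaseURL).href; }
  catch { return fallbackBaseURL; }
}

// Where a relative <script src> ends up under a given search rule.
function scriptURL(html, fallbackBaseURL, findBase, src) {
  return new URL(src, documentBaseURL(html, fallbackBaseURL, findBase)).href;
}

// Constructed page: filtered user content in <body> kept a <base>,
// and the site's own relative <script src> follows it.
const FALLBACK = "https://site.example/app/page.html";
const PAGE = el("html", {}, [
  el("head", {}, [el("title")]),
  el("body", {}, [
    el("div", { class: "user-content" }, [
      el("base", { href: "https://untrusted.example/" }),
    ]),
    el("script", { src: "js/app.js" }),
  ]),
]);

console.log(scriptURL(PAGE, FALLBACK, firstBaseAnywhere, "js/app.js"));
console.log(scriptURL(PAGE, FALLBACK, firstBaseInHead, "js/app.js"));
```

On the filter side, the same model shows why an allowlist for user-supplied markup needs to exclude <base> as well as <script> for as long as browsers honor the first rule.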