- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 20 Jul 2011 01:12:19 +0000 (UTC)
IE7 and up, in both quirks and non-quirks modes, ignores <base href> in the <body> of a page. This is intended to protect against a situation where a whitelist-based content filter disallows all scripts but does not disallow <base>, and the page contains a relative URL in a <script> after an area of the page under attacker control. Would other browser vendors be willing to change to only look at <base href> in <head>? The change to the spec would just be changing this step in the "document base URL" definition: 4. If there is no base element that has an href attribute, then the document base URL is fallback base url; abort these steps. Otherwise, let url be the value of the href attribute of the first such element. ...to limit the search just to children of the <head> element. Note that there is a compatibility risk, in that IE7-9 parse certain elements into the <head> where the HTML parser spec does not. For example: <!DOCTYPE HTML> <html> <head> <title>Demo</title> </head> <!-- implied <body> --> <form> <input type=hidden> <base href=""> ...will end up with the <head> element containing a <form> element that itself contains the <base> element. IE10 parses this like other browsers, so it would be affected by the same compatibility concern. -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 19 July 2011 18:12:19 UTC