- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Tue, 19 Jul 2011 23:07:05 -0400
On 7/19/11 9:12 PM, Ian Hickson wrote: > Would other browser vendors be willing to change to only look at<base > href> in<head>? Gecko used to implement that back when the spec said it. This caused site compat issues. See https://bugzilla.mozilla.org/show_bug.cgi?id=593807 (United checkin outside the US being broken) and https://bugzilla.mozilla.org/show_bug.cgi?id=592880 (hyperlatex output being broken) for example. The latter explicitly mentions that hyperlatex output is broken in recent IE versions. The former depends on the parsing behavior of IE you describe so is not a problem in IE9-. See https://bugzilla.mozilla.org/show_bug.cgi?id=593807#c7 On the other hand, this change would fix CA Unicenter (https://bugzilla.mozilla.org/show_bug.cgi?id=627361 and its two duplicates), I think. So I guess it comes down to what set of sites we want to break here.... Do other UA vendors have any data on the matter? That said, I'm not sure I understand the security concern. What kind of whitelist-based filter would let through <script>s whose URIs it does not control, exactly? Can the security concern be mitigated by only allowing <base> outside <head> if the base URI it sets is same-origin with the document? -Boris
Received on Tuesday, 19 July 2011 20:07:05 UTC