
[whatwg] <base> in <body>

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Tue, 19 Jul 2011 23:07:05 -0400
Message-ID: <4E264659.3040004@mit.edu>

On 7/19/11 9:12 PM, Ian Hickson wrote:
> Would other browser vendors be willing to change to only look at <base
> href> in <head>?

Gecko used to implement that back when the spec said it.

This caused site compat issues.  See 
https://bugzilla.mozilla.org/show_bug.cgi?id=593807 (United checkin 
outside the US being broken) and 
https://bugzilla.mozilla.org/show_bug.cgi?id=592880 (hyperlatex output 
being broken) for example.

The latter explicitly mentions that hyperlatex output is broken in 
recent IE versions.

The former depends on the parsing behavior of IE you describe so is not 
a problem in IE9-.  See 
https://bugzilla.mozilla.org/show_bug.cgi?id=593807#c7

On the other hand, this change would fix CA Unicenter 
(https://bugzilla.mozilla.org/show_bug.cgi?id=627361 and its two 
duplicates), I think.

So I guess it comes down to what set of sites we want to break here.... 
  Do other UA vendors have any data on the matter?

That said, I'm not sure I understand the security concern.  What kind of 
whitelist-based filter would let through <script>s whose URIs it does 
not control, exactly?  Can the security concern be mitigated by only 
allowing <base> outside <head> if the base URI it sets is same-origin 
with the document?

-Boris
Received on Tuesday, 19 July 2011 20:07:05 UTC
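
The same-origin restriction asked about at the end of the message, modelled as an added example (not part of the original message and not any browser's code). The `{href, inHead}` input shape, the function names, the sample URLs, and the choice to skip a rejected `<base>` and try the next one are all assumptions.

```javascript
// Added example: models "allow <base> outside <head> only if the base URI
// it sets is same-origin with the document". Names and input shape are assumed.

// Origin comparison via the WHATWG URL parser. Opaque origins (data:, etc.)
// serialize as "null" and must never be treated as matching.
function sameOrigin(a, b) {
  const oa = new URL(a).origin;
  const ob = new URL(b).origin;
  return oa !== "null" && oa === ob;
}

// baseElements: the document's <base href> elements, in document order.
// Returns the base URL the document would use under the restriction.
function effectiveBase(documentURL, baseElements) {
  for (const { href, inHead } of baseElements) {
    let candidate;
    try {
      candidate = new URL(href, documentURL).href; // href may be relative
    } catch {
      continue; // unparsable href: ignored in this model (assumption)
    }
    if (inHead || sameOrigin(candidate, documentURL)) return candidate;
    // <base> outside <head> pointing cross-origin: skipped (assumed policy)
  }
  return documentURL; // no usable <base>: fall back to the document URL
}

// Resolve a relative URL (e.g. a script src) against the effective base.
function resolve(relative, documentURL, baseElements) {
  return new URL(relative, effectiveBase(documentURL, baseElements)).href;
}

// Constructed sample inputs.
const doc = "https://site.example/app/page.html";
const cases = [
  [{ href: "https://other.example/", inHead: false }], // cross-origin, body
  [{ href: "/static/", inHead: false }],               // same-origin, body
  [{ href: "https://cdn.example/v2/", inHead: true }], // cross-origin, head
  [{ href: "//other.example/x/", inHead: false }],     // scheme-relative, body
];
for (const bases of cases) {
  console.log(JSON.stringify(bases[0]), "->", resolve("js/app.js", doc, bases));
}
```

In this model a cross-origin `<base>` in `<head>` still rehomes relative script URLs, while the same element outside `<head>` leaves them resolving against the document.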
