W3C home > Mailing lists > Public > whatwg@whatwg.org > July 2011

[whatwg] <base> in <body>

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 20 Jul 2011 10:54:55 +0200
Message-ID: <op.vywtptlc64w2qv@annevk-macbookpro.local>
On Wed, 20 Jul 2011 05:07:05 +0200, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> That said, I'm not sure I understand the security concern.  What kind of  
> whitelist-based filter would let through <script>s whose URIs it does  
> not control, exactly?  Can the security concern be mitigated by only  
> allowing <base> outside <head> if the base URI it sets is same-origin  
> with the document?

The <script> is from the page itself and uses a relative URL. The <base>  
is inserted by the attacker and causes the script to be requested from a  
server under the attacker's control.

Anne van Kesteren
Received on Wednesday, 20 July 2011 01:54:55 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:34 UTC