[whatwg] <base> in <body>

On Wed, 20 Jul 2011 16:54:25 +0200, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> On 7/20/11 4:54 AM, Anne van Kesteren wrote:
>> On Wed, 20 Jul 2011 05:07:05 +0200, Boris Zbarsky <bzbarsky at mit.edu>  
>> wrote:
>>> That said, I'm not sure I understand the security concern. What kind
>>> of whitelist-based filter would let through <script>s whose URIs it
>>> does not control, exactly? Can the security concern be mitigated by
>>> only allowing <base> outside <head> if the base URI it sets is
>>> same-origin with the document?
>>
>> The <script> is from the page itself and uses a relative URL. The <base>
>> is inserted by the attacker and causes the script to be requested from a
>> server under the attacker's control.
>
> OK, thanks.  That was about the only threat model I could think of  
> here...
>
> It sounds like my proposal above would mitigate this threat, yes?

Yes.


-- 
Anne van Kesteren
http://annevankesteren.nl/

Received on Wednesday, 20 July 2011 07:59:31 UTC