- From: Jonas Sicking <jonas@sicking.cc>
- Date: Wed, 20 Jul 2011 10:02:51 -0700
On Tue, Jul 19, 2011 at 8:07 PM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> On 7/19/11 9:12 PM, Ian Hickson wrote:
>>
>> Would other browser vendors be willing to change to only look at <base
>> href> in <head>?
>
> Gecko used to implement that back when the spec said it.
>
> This caused site compat issues.  See
> https://bugzilla.mozilla.org/show_bug.cgi?id=593807 (United checkin outside
> the US being broken) and https://bugzilla.mozilla.org/show_bug.cgi?id=592880
> (hyperlatex output being broken) for example.
>
> The latter explicitly mentions that hyperlatex output is broken in recent IE
> versions.
>
> The former depends on the parsing behavior of IE you describe so is not a
> problem in IE9-.  See https://bugzilla.mozilla.org/show_bug.cgi?id=593807#c7
>
> On the other hand, this change would fix CA Unicenter
> (https://bugzilla.mozilla.org/show_bug.cgi?id=627361 and its two
> duplicates), I think.
>
> So I guess it comes down to what set of sites we want to break here....  Do
> other UA vendors have any data on the matter?
>
> That said, I'm not sure I understand the security concern.  What kind of
> whitelist-based filter would let through <script>s whose URIs it does not
> control, exactly?  Can the security concern be mitigated by only allowing
> <base> outside <head> if the base URI it sets is same-origin with the
> document?

Ugh, I'd really hate to introduce such inconsistencies though.

/ Jonas
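The quoted exchange turns on two points: a `<base href>` that browsers honour outside `<head>` changes where every relative `<script src>` in the document resolves, and Boris's suggested mitigation is to keep a `<base>` only when its base URI is same-origin with the document. The following JavaScript is an added example written for this page, not code from the thread or from any browser; the document URL, hostnames and markup fragment are constructed, and it relies only on the WHATWG URL API (the global `URL` in Node and browsers).

```javascript
// Added example, not code from the thread: shows why a <base href> that is
// honoured outside <head> matters to a whitelist-based HTML filter, and the
// same-origin check proposed in the thread as a mitigation. Document URL,
// markup fragment and hostnames are constructed for the demonstration.
// Uses only the WHATWG URL API (global `URL` in Node and browsers).

// A relative reference such as <script src="scripts/app.js"> resolves against
// the document's effective base URL, which a <base href> overrides.
function resolveAgainstBase(documentUrl, baseHref, relativeRef) {
  const effectiveBase = baseHref === null
    ? new URL(documentUrl)
    : new URL(baseHref, documentUrl); // <base href> may itself be relative
  return new URL(relativeRef, effectiveBase).href;
}

// Same-origin check: scheme, host and port must all match. An href that
// fails to parse is treated as cross-origin so a malformed value is never kept.
function isSameOriginBase(documentUrl, baseHref) {
  try {
    return new URL(documentUrl).origin === new URL(baseHref, documentUrl).origin;
  } catch (e) {
    return false;
  }
}

// Filter policy for untrusted markup: keep a <base> element only when it has
// an href that is same-origin with the embedding document; drop every other
// <base>. A regex tag scan keeps the example self-contained; a production
// filter would apply the same policy on the output of a real HTML parser.
const BASE_TAG = /<base\b[^>]*>/gi;
const HREF_ATTR = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

function sanitizeBaseTags(documentUrl, html) {
  return html.replace(BASE_TAG, (tag) => {
    const m = HREF_ATTR.exec(tag);
    if (!m) return ''; // <base> without href sets no base URI; drop it
    const href = m[1] ?? m[2] ?? m[3];
    return isSameOriginBase(documentUrl, href) ? tag : '';
  });
}

// Constructed input: a document on example.com and an untrusted fragment that
// carries a cross-origin <base>, a same-origin <base> and an href-less <base>.
const DOC = 'https://example.com/app/index.html';
const UNTRUSTED = '<p>hi</p><base href="https://other.example/"><base href="/static/"><base>';

function demo() {
  return {
    noBase: resolveAgainstBase(DOC, null, 'scripts/app.js'),
    crossOriginBase: resolveAgainstBase(DOC, 'https://other.example/', 'scripts/app.js'),
    sameOriginBase: resolveAgainstBase(DOC, '/static/', 'scripts/app.js'),
    filtered: sanitizeBaseTags(DOC, UNTRUSTED),
  };
}

console.log(demo());
```

`demo()` makes the concern concrete: with no `<base>` the script loads from `https://example.com/app/scripts/app.js`, with the cross-origin base it would load from `https://other.example/scripts/app.js`, and with the same-origin `/static/` base from `https://example.com/static/scripts/app.js`; `sanitizeBaseTags` keeps only the `/static/` base. The stricter alternative a filter can take is to strip `<base>` from untrusted markup altogether, which avoids the per-origin decision entirely.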
Received on Wednesday, 20 July 2011 10:02:51 UTC