[whatwg] <base> in <body>

On Tue, Jul 19, 2011 at 8:07 PM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> On 7/19/11 9:12 PM, Ian Hickson wrote:
>>
>> Would other browser vendors be willing to change to only look at <base
>> href> in <head>?
>
> Gecko used to implement that back when the spec said it.
>
> This caused site compat issues. See
> https://bugzilla.mozilla.org/show_bug.cgi?id=593807 (United checkin outside
> the US being broken) and https://bugzilla.mozilla.org/show_bug.cgi?id=592880
> (hyperlatex output being broken) for example.
>
> The latter explicitly mentions that hyperlatex output is broken in recent IE
> versions.
>
> The former depends on the parsing behavior of IE you describe so is not a
> problem in IE9-. See https://bugzilla.mozilla.org/show_bug.cgi?id=593807#c7
>
> On the other hand, this change would fix CA Unicenter
> (https://bugzilla.mozilla.org/show_bug.cgi?id=627361 and its two
> duplicates), I think.
>
> So I guess it comes down to what set of sites we want to break here.... Do
> other UA vendors have any data on the matter?
>
> That said, I'm not sure I understand the security concern. What kind of
> whitelist-based filter would let through <script>s whose URIs it does not
> control, exactly? Can the security concern be mitigated by only allowing
> <base> outside <head> if the base URI it sets is same-origin with the
> document?

Ugh, I'd really hate to introduce such inconsistencies though.

/ Jonas

Received on Wednesday, 20 July 2011 10:02:51 UTC