[whatwg] <base> in <body>

> On Wed, 20 Jul 2011 05:07:05 +0200, Boris Zbarsky <bzbarsky at mit.edu>
> wrote:
>> That said, I'm not sure I understand the security concern.  What kind
>> of whitelist-based filter would let through <script>s whose URIs it
>> does not control, exactly?  Can the security concern be mitigated by
>> only allowing <base> outside <head> if the base URI it sets is
>> same-origin with the document?
>
> The <script> is from the page itself and uses a relative URL. The
> <base> is inserted by the attacker and causes the script to be
> requested from a server under the attacker's control.
>
>
Seems like a bug in the whitelist filter to me. Shouldn't the filter be
checking requests using the full URL just before they are dispatched?

Regards

    -Mark

Received on Thursday, 21 July 2011 20:51:46 UTC