- From: Mark Callow <callow_mark@hicorp.co.jp>
- Date: Fri, 22 Jul 2011 12:51:46 +0900
> On Wed, 20 Jul 2011 05:07:05 +0200, Boris Zbarsky <bzbarsky at mit.edu> wrote:
>> That said, I'm not sure I understand the security concern. What kind of whitelist-based filter would let through <script>s whose URIs it does not control, exactly? Can the security concern be mitigated by only allowing <base> outside <head> if the base URI it sets is same-origin with the document?
>
> The <script> is from the page itself and uses a relative URL. The <base> is inserted by the attacker and causes the script to be requested from a server under the attacker's control.
>

Seems like a bug in the whitelist filter to me. Shouldn't the filter be checking requests using the full URL just before they are dispatched?

Regards
-Mark
Received on Thursday, 21 July 2011 20:51:46 UTC
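The mechanism discussed in the thread, as an added example that is not from the original post or any of its authors: a relative `<script src>` resolves against an injected `<base href>`, and the two defensive checks raised above are shown side by side. The document URL, allowed origin and attribute values are constructed sample data, and the function names are assumptions.

```javascript
// Added example (not from the original thread): how a <base> injected into
// the body changes where a relative <script src> resolves, and the two
// defensive checks discussed: (1) only accept a <base> whose href is
// same-origin with the document (Boris's suggestion); (2) decide on the
// fully resolved URL of each script at request time rather than on the raw
// attribute value (Mark's suggestion). Uses the WHATWG URL API available in
// Node.js and modern browsers; all values below are constructed samples.

const DOCUMENT_URL = "https://app.example/account/settings";
const ALLOWED_SCRIPT_ORIGINS = new Set(["https://app.example"]);

// Resolve a relative script src the way the browser would: against the
// effective <base href> if one is in effect, otherwise against the document URL.
function resolveScriptSrc(scriptSrc, baseHref, documentUrl = DOCUMENT_URL) {
  const base = baseHref ? new URL(baseHref, documentUrl) : new URL(documentUrl);
  return new URL(scriptSrc, base).href;
}

// Check (1): a <base> is acceptable only if it keeps the document's origin.
// An unparsable href is rejected rather than silently accepted.
function isSameOriginBase(baseHref, documentUrl = DOCUMENT_URL) {
  try {
    return new URL(baseHref, documentUrl).origin === new URL(documentUrl).origin;
  } catch (e) {
    return false;
  }
}

// Check (2): allowlist the origin of the resolved request URL at dispatch
// time, so an injected <base> cannot turn "js/app.js" into a cross-origin load.
function isAllowedScriptRequest(scriptSrc, baseHref, documentUrl = DOCUMENT_URL) {
  const resolved = new URL(resolveScriptSrc(scriptSrc, baseHref, documentUrl));
  return ALLOWED_SCRIPT_ORIGINS.has(resolved.origin);
}
```

A filter that only inspects the literal attribute value ("js/app.js") passes both cases; only the resolved-URL check at dispatch time sees the difference.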