[whatwg] <base> elements security issue

Ian Hickson ian at hixie.ch
Thu Dec 15 15:21:14 PST 2011 

On Wed, 11 May 2011, Boris Zbarsky wrote:
> On 5/11/11 3:28 AM, Henri Sivonen wrote:
> > Not citing specific real site breakage, though. The problem is that 
> > Gecko re-resolves existing images when the base URI of the documnet 
> > changes.
> 
> Uh... it does?  News to me!

On Fri, 13 May 2011, Henri Sivonen wrote:
> 
> I could be misinterpreting the result, but it looks like it from 
> black-box observation.

I can't reproduce that:

   http://software.hixie.ch/utilities/js/live-dom-viewer/saved/1281

Do you have a test showing what you mean?


On Tue, 19 Jul 2011, Boris Zbarsky wrote:
> On 7/19/11 9:12 PM, Ian Hickson wrote:
> > Would other browser vendors be willing to change to only look at<base
> > href>  in<head>?
> 
> Gecko used to implement that back when the spec said it.
> 
> This caused site compat issues.  See
> https://bugzilla.mozilla.org/show_bug.cgi?id=593807 (United checkin outside
> the US being broken) and https://bugzilla.mozilla.org/show_bug.cgi?id=592880
> (hyperlatex output being broken) for example.
> 
> The latter explicitly mentions that hyperlatex output is broken in recent IE
> versions.
> 
> The former depends on the parsing behavior of IE you describe so is not a
> problem in IE9-.  See https://bugzilla.mozilla.org/show_bug.cgi?id=593807#c7
> 
> On the other hand, this change would fix CA Unicenter
> (https://bugzilla.mozilla.org/show_bug.cgi?id=627361 and its two duplicates),
> I think.
> 
> So I guess it comes down to what set of sites we want to break here....  Do
> other UA vendors have any data on the matter?

Since despite this security risk being known for a few months nobody has 
rushed to change this behaviour, and all the browsers except IE still seem 
to honour <base> in <body>, I've left the spec as is and just added a 
warning to the section that talks about XSS.


On Tue, 19 Jul 2011, Boris Zbarsky wrote:
> 
> That said, I'm not sure I understand the security concern.  What kind of 
> whitelist-based filter would let through <script>s whose URIs it does 
> not control, exactly? 

On Wed, 20 Jul 2011, Anne van Kesteren wrote:
> 
> The <script> is from the page itself and uses a relative URL. The <base> 
> is inserted by the attacker and causes the script to be requested from a 
> server under the attacker's control.

On Tue, 19 Jul 2011, Boris Zbarsky wrote:
>
> Can the security concern be mitigated by only 
> allowing <base> outside <head> if the base URI it sets is same-origin 
> with the document?

That seems a bit overly-complicated, though it would certainly make the 
issue less serious.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

More information about the whatwg mailing list