[whatwg] <base> elements security issue
Ian Hickson
ian at hixie.ch
Thu Dec 15 15:21:14 PST 2011
On Wed, 11 May 2011, Boris Zbarsky wrote:
> On 5/11/11 3:28 AM, Henri Sivonen wrote:
> > Not citing specific real site breakage, though. The problem is that
> > Gecko re-resolves existing images when the base URI of the document
> > changes.
>
> Uh... it does? News to me!
On Fri, 13 May 2011, Henri Sivonen wrote:
>
> I could be misinterpreting the result, but it looks like it from
> black-box observation.
I can't reproduce that:
http://software.hixie.ch/utilities/js/live-dom-viewer/saved/1281
Do you have a test showing what you mean?
On Tue, 19 Jul 2011, Boris Zbarsky wrote:
> On 7/19/11 9:12 PM, Ian Hickson wrote:
> > Would other browser vendors be willing to change to only look at <base
> > href> in <head>?
>
> Gecko used to implement that back when the spec said it.
>
> This caused site compat issues. See
> https://bugzilla.mozilla.org/show_bug.cgi?id=593807 (United checkin outside
> the US being broken) and https://bugzilla.mozilla.org/show_bug.cgi?id=592880
> (hyperlatex output being broken) for example.
>
> The latter explicitly mentions that hyperlatex output is broken in recent IE
> versions.
>
> The former depends on the parsing behavior of IE you describe so is not a
> problem in IE9-. See https://bugzilla.mozilla.org/show_bug.cgi?id=593807#c7
>
> On the other hand, this change would fix CA Unicenter
> (https://bugzilla.mozilla.org/show_bug.cgi?id=627361 and its two duplicates),
> I think.
>
> So I guess it comes down to what set of sites we want to break here.... Do
> other UA vendors have any data on the matter?
Since, despite this security risk being known for a few months, nobody has
rushed to change this behaviour, and all the browsers except IE still seem
to honour <base> in <body>, I've left the spec as is and just added a
warning to the section that talks about XSS.
On Tue, 19 Jul 2011, Boris Zbarsky wrote:
>
> That said, I'm not sure I understand the security concern. What kind of
> whitelist-based filter would let through <script>s whose URIs it does
> not control, exactly?
On Wed, 20 Jul 2011, Anne van Kesteren wrote:
>
> The <script> is from the page itself and uses a relative URL. The <base>
> is inserted by the attacker and causes the script to be requested from a
> server under the attacker's control.
On Tue, 19 Jul 2011, Boris Zbarsky wrote:
>
> Can the security concern be mitigated by only
> allowing <base> outside <head> if the base URI it sets is same-origin
> with the document?
That seems a bit overly complicated, though it would certainly make the
issue less serious.
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
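The attack Anne describes above (an injected <base> in <body> redirecting the page's own relative-URL <script> to an attacker's server) and the mitigation Boris floats (honour a <base> outside <head> only if it is same-origin with the document) can both be modelled with the URL API. The following is an added example written for this page, not code from the thread, the spec or any browser; it runs under Node.js or in a browser console. It models only document-base-URL selection and relative-URL resolution (the spec's "first <base> with an href wins, in tree order" rule), not a real parser, and the hostnames example.com and attacker.example, the page path and the script path are constructed. It also goes one step beyond the thread by showing why an author-controlled <base> placed first in <head> pre-empts a later injected one under the first-base-wins rule.

```javascript
// Added example (not from the thread): a model of document base URL selection
// and relative <script src> resolution, plus the same-origin mitigation
// discussed in the thread. Uses the WHATWG URL API (global in Node.js >= 10
// and in browsers). All hostnames and paths below are constructed.

// baseElements: array of { href: string|undefined, inHead: boolean } in tree
// order, standing in for the <base> elements of a parsed document.
// Per the HTML spec, the document base URL is the href of the FIRST <base>
// that has an href attribute, parsed against the document's URL; if that
// href does not parse, the document URL itself is used. (Fallback cases such
// as about:blank and iframe srcdoc are out of scope for this model.)
function documentBaseURL(documentURL, baseElements, opts = {}) {
  const docURL = new URL(documentURL);
  for (const base of baseElements) {
    if (base.href === undefined) continue; // no href attribute: not a candidate
    let resolved;
    try {
      resolved = new URL(base.href, docURL);
    } catch {
      return docURL; // unparsable href: spec falls back to the document URL
    }
    // Mitigation proposed in the thread (NOT the spec's behaviour): a <base>
    // outside <head> is only honoured if it is same-origin with the document.
    // This model treats a rejected element as if it were absent and moves on
    // to the next one; that is one possible reading of the proposal.
    if (opts.requireSameOriginOutsideHead && !base.inHead &&
        resolved.origin !== docURL.origin) {
      continue;
    }
    return resolved;
  }
  return docURL;
}

// Where a <script src="..."> on the page actually gets fetched from.
function resolveScriptSrc(documentURL, baseElements, src, opts) {
  return new URL(src, documentBaseURL(documentURL, baseElements, opts)).href;
}

// Constructed scenario: the page loads its own script with a relative URL,
// and an attacker gets <base href="https://attacker.example/"> past a
// whitelist filter into the <body>.
const PAGE = "https://example.com/app/index.html";
const SCRIPT_SRC = "js/app.js";
const INJECTED = [{ href: "https://attacker.example/", inHead: false }];

function demo() {
  return {
    // No <base>: the script comes from the page's own directory.
    clean: resolveScriptSrc(PAGE, [], SCRIPT_SRC),
    // Injected cross-origin <base> in <body>: the script is now fetched from
    // the attacker's server, i.e. script injection without a <script> tag.
    hijacked: resolveScriptSrc(PAGE, INJECTED, SCRIPT_SRC),
    // Same document with the proposed mitigation: the foreign <base> in
    // <body> is ignored and the script resolves against the document URL.
    mitigated: resolveScriptSrc(PAGE, INJECTED, SCRIPT_SRC,
                                { requireSameOriginOutsideHead: true }),
    // A legitimate same-origin <base> in <body> still works under the
    // mitigation, which is what makes it less breaking than "head only".
    sameOriginBody: resolveScriptSrc(PAGE, [{ href: "/static/", inHead: false }],
                                     SCRIPT_SRC, { requireSameOriginOutsideHead: true }),
    // Author-side defence under the unchanged spec: because the first <base>
    // with an href wins, an explicit <base> in <head> pre-empts a later
    // injected one in <body> without any browser change.
    authorBaseFirst: resolveScriptSrc(PAGE,
      [{ href: "https://example.com/app/", inHead: true }, ...INJECTED],
      SCRIPT_SRC),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Note what the mitigation does not cover: a <base> that an attacker manages to inject into <head>, or a same-origin <base> pointing at a path where the attacker controls content (an upload directory, say), still redirects the relative script. The thread's underlying point stands: a filter that whitelists <base>, or a page that loads scripts by relative URL without pinning its own base, is exposed regardless of where the element lands.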