[whatwg] <base> in <body>

Boris Zbarsky bzbarsky at MIT.EDU
Tue Jul 19 20:07:05 PDT 2011


On 7/19/11 9:12 PM, Ian Hickson wrote:
> Would other browser vendors be willing to change to only look at <base
> href> in <head>?

Gecko used to implement that back when the spec said it.

This caused site compat issues.  See 
https://bugzilla.mozilla.org/show_bug.cgi?id=593807 (United checkin 
outside the US being broken) and 
https://bugzilla.mozilla.org/show_bug.cgi?id=592880 (hyperlatex output 
being broken) for example.

The latter explicitly mentions that hyperlatex output is broken in 
recent IE versions.

The former depends on the parsing behavior of IE you describe so is not 
a problem in IE9-.  See 
https://bugzilla.mozilla.org/show_bug.cgi?id=593807#c7

On the other hand, this change would fix CA Unicenter 
(https://bugzilla.mozilla.org/show_bug.cgi?id=627361 and its two 
duplicates), I think.

So I guess it comes down to what set of sites we want to break here.... 
  Do other UA vendors have any data on the matter?

That said, I'm not sure I understand the security concern.  What kind of 
whitelist-based filter would let through <script>s whose URIs it does 
not control, exactly?  Can the security concern be mitigated by only 
allowing <base> outside <head> if the base URI it sets is same-origin 
with the document?

-Boris
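
The same-origin restriction asked about in the message above, sketched as an added example that is not part of the original message or of any browser's code. The function names and the sample URLs are constructed for illustration, and the rule implemented is only the one the question proposes: a <base href> in <head> is always honored, one outside <head> only when it is same-origin with the document.

```javascript
// Added illustration; names and sample URLs are constructed, not from the thread.

// Returns the base URL used to resolve relative URLs under the proposed rule:
// <base href> inside <head> is honored as-is; outside <head> it is honored
// only if the URL it sets is same-origin with the document.
function effectiveBase(documentURL, baseHref, inHead) {
  const doc = new URL(documentURL);
  let candidate;
  try {
    // A <base href> value is itself resolved against the document's URL.
    candidate = new URL(baseHref, doc);
  } catch (e) {
    return doc.href; // unparseable href: fall back to the document URL
  }
  if (inHead) return candidate.href;
  // Opaque origins (data:, etc.) serialize to "null"; never treat them as matching.
  const sameOrigin =
    candidate.origin !== "null" && candidate.origin === doc.origin;
  return sameOrigin ? candidate.href : doc.href;
}

// Where a relative <script src> would be fetched from, given a <base> element.
function resolveScriptSrc(documentURL, baseHref, inHead, src) {
  return new URL(src, effectiveBase(documentURL, baseHref, inHead)).href;
}

// Constructed sample document and a relative script reference in it.
const DOC = "https://site.example/app/page.html";
const SRC = "js/lib.js";

const cases = [
  ["cross-origin <base> in <body>", "https://other.example/x/", false],
  ["same-origin <base> in <body>", "/static/", false],
  ["different port in <body>", "https://site.example:8443/", false],
  ["cross-origin <base> in <head>", "https://other.example/x/", true],
];
for (const [label, href, inHead] of cases) {
  console.log(label.padEnd(32), resolveScriptSrc(DOC, href, inHead, SRC));
}
```
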


