[whatwg] <base> in <body>
Anne van Kesteren
annevk at opera.com
Wed Jul 20 01:54:55 PDT 2011
On Wed, 20 Jul 2011 05:07:05 +0200, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> That said, I'm not sure I understand the security concern. What kind of
> whitelist-based filter would let through <script>s whose URIs it does
> not control, exactly? Can the security concern be mitigated by only
> allowing <base> outside <head> if the base URI it sets is same-origin
> with the document?
The <script> is from the page itself and uses a relative URL. The <base>
is inserted by the attacker and causes the script to be requested from a
server under the attacker's control.
--
Anne van Kesteren
http://annevankesteren.nl/
More information about the whatwg
mailing list