[whatwg] <base> in <body>

Jonas Sicking jonas at sicking.cc
Wed Jul 20 10:02:51 PDT 2011


On Tue, Jul 19, 2011 at 8:07 PM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> On 7/19/11 9:12 PM, Ian Hickson wrote:
>>
>> Would other browser vendors be willing to change to only look at <base
>> href> in <head>?
>
> Gecko used to implement that back when the spec said it.
>
> This caused site compat issues.  See
> https://bugzilla.mozilla.org/show_bug.cgi?id=593807 (United checkin outside
> the US being broken) and https://bugzilla.mozilla.org/show_bug.cgi?id=592880
> (hyperlatex output being broken) for example.
>
> The latter explicitly mentions that hyperlatex output is broken in recent IE
> versions.
>
> The former depends on the parsing behavior of IE you describe so is not a
> problem in IE9-.  See https://bugzilla.mozilla.org/show_bug.cgi?id=593807#c7
>
> On the other hand, this change would fix CA Unicenter
> (https://bugzilla.mozilla.org/show_bug.cgi?id=627361 and its two
> duplicates), I think.
>
> So I guess it comes down to what set of sites we want to break here....  Do
> other UA vendors have any data on the matter?
>
> That said, I'm not sure I understand the security concern.  What kind of
> whitelist-based filter would let through <script>s whose URIs it does not
> control, exactly?  Can the security concern be mitigated by only allowing
> <base> outside <head> if the base URI it sets is same-origin with the
> document?

Ugh, I'd really hate to introduce such inconsistencies though.

/ Jonas
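
The three behaviours discussed in this thread (honour `<base href>` anywhere, honour it only in `<head>`, or honour it outside `<head>` only when same-origin), modeled as an added example that is not part of the original messages. The function names, policy labels and sample URLs are constructed, and it assumes that a `<base>` rejected by the policy is skipped and the next one is considered.

```javascript
// Added illustration, not browser or spec code. All names and URLs are constructed.
// Each entry in baseElements models one <base href> in document order;
// inHead records whether the parser placed it inside <head>.
const POLICIES = ["any-position", "head-only", "same-origin-outside-head"];

function effectiveBase(documentUrl, baseElements, policy) {
  const docOrigin = new URL(documentUrl).origin;
  for (const el of baseElements) {
    let resolved;
    try {
      resolved = new URL(el.href, documentUrl);
    } catch (e) {
      continue; // simplification: an unparsable href is skipped
    }
    const accepted =
      policy === "any-position" ||
      (policy === "head-only" && el.inHead) ||
      (policy === "same-origin-outside-head" &&
        (el.inHead || resolved.origin === docOrigin));
    if (accepted) return resolved.href; // first accepted <base> wins
  }
  return documentUrl; // no usable <base>: fall back to the document URL
}

// Where a relative reference (for example a script src that a filter let
// through) ends up under each policy.
function resolveUnderAllPolicies(ref, documentUrl, baseElements) {
  const out = {};
  for (const policy of POLICIES) {
    out[policy] = new URL(ref, effectiveBase(documentUrl, baseElements, policy)).href;
  }
  return out;
}

const DOC = "https://site.example/app/page.html";
// Constructed case 1: a cross-origin <base> that ended up in <body>.
const crossOriginInBody = [{ href: "https://other-origin.example/", inHead: false }];
// Constructed case 2: a same-origin <base> in <body>, as legacy markup might have.
const sameOriginInBody = [{ href: "/static/", inHead: false }];

console.log(resolveUnderAllPolicies("js/widget.js", DOC, crossOriginInBody));
console.log(resolveUnderAllPolicies("js/widget.js", DOC, sameOriginInBody));
```

In the first case only "any-position" lets the relative script URL leave the document's origin; in the second, "head-only" changes where a same-origin page's links resolve while the same-origin rule leaves them as they were.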


