[whatwg] <base> in <body>
Jonas Sicking
jonas at sicking.cc
Wed Jul 20 10:02:51 PDT 2011
On Tue, Jul 19, 2011 at 8:07 PM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> On 7/19/11 9:12 PM, Ian Hickson wrote:
>>
> >> Would other browser vendors be willing to change to only look at <base
> >> href> in <head>?
>
> Gecko used to implement that back when the spec said it.
>
> This caused site compat issues. See
> https://bugzilla.mozilla.org/show_bug.cgi?id=593807 (United checkin outside
> the US being broken) and https://bugzilla.mozilla.org/show_bug.cgi?id=592880
> (hyperlatex output being broken) for example.
>
> The latter explicitly mentions that hyperlatex output is broken in recent IE
> versions.
>
> The former depends on the parsing behavior of IE you describe so is not a
> problem in IE9-. See https://bugzilla.mozilla.org/show_bug.cgi?id=593807#c7
>
> On the other hand, this change would fix CA Unicenter
> (https://bugzilla.mozilla.org/show_bug.cgi?id=627361 and its two
> duplicates), I think.
>
> So I guess it comes down to what set of sites we want to break here.... Do
> other UA vendors have any data on the matter?
>
> That said, I'm not sure I understand the security concern. What kind of
> whitelist-based filter would let through <script>s whose URIs it does not
> control, exactly? Can the security concern be mitigated by only allowing
> <base> outside <head> if the base URI it sets is same-origin with the
> document?
Ugh, I'd really hate to introduce such inconsistencies though.
/ Jonas
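
The restriction proposed in the quoted message (honor a <base> outside <head> only when the base URI it sets is same-origin with the document), modeled as an added example that is not part of the original thread or of any browser's code. Function names and URLs are constructed for illustration; resolution uses the standard URL API.

```javascript
// Added example: models the same-origin restriction on <base> proposed in the thread.
// All function names and URLs below are constructed for illustration.

// Resolve a <base href> value against the document URL; null if it does not parse.
function parseBase(documentUrl, baseHref) {
  try {
    return new URL(baseHref, documentUrl);
  } catch (e) {
    return null;
  }
}

// Proposed rule: a <base> found outside <head> is honored only when the
// base URI it sets is same-origin with the document. Otherwise the
// document's own URL stays the base for relative references.
function effectiveBase(documentUrl, baseHref, inHead) {
  const doc = new URL(documentUrl);
  const base = parseBase(documentUrl, baseHref);
  if (base === null) return doc.href;
  if (inHead) return base.href;
  // Opaque origins (data: and similar) serialize as "null" and never match.
  const sameOrigin = base.origin !== "null" && base.origin === doc.origin;
  return sameOrigin ? base.href : doc.href;
}

// Where a relative <script src> ends up pointing once the rule is applied.
function resolveScript(documentUrl, baseHref, inHead, scriptSrc) {
  return new URL(scriptSrc, effectiveBase(documentUrl, baseHref, inHead)).href;
}

const DOC = "https://example.org/app/page.html"; // constructed document URL

function demo() {
  return {
    // <base> in <body>, cross-origin: ignored, script stays on the document's origin
    bodyCrossOrigin: resolveScript(DOC, "https://other.example/", false, "js/app.js"),
    // <base> in <body>, same-origin: honored
    bodySameOrigin: resolveScript(DOC, "/static/", false, "js/app.js"),
    // <base> in <head>: honored regardless of origin
    headCrossOrigin: resolveScript(DOC, "https://other.example/", true, "js/app.js"),
    // <base> in <body> with an opaque-origin URL: ignored
    bodyOpaque: resolveScript(DOC, "data:text/html,x", false, "js/app.js"),
  };
}

console.log(demo());
```

The headCrossOrigin case shows the resolution that occurs whenever a cross-origin <base> is honored, which is the effect the rule suppresses for <base> elements in <body>.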