Forbid data: and javascript: URLs in <base>
Categories
(Core :: DOM: Core & HTML, defect)
Tracking

| | Tracking | Status |
|---|---|---|
| firefox127 | --- | fixed |
People
(Reporter: annevk, Assigned: tschuster, NeedInfo)
References
(Blocks 1 open bug)
Details
(Keywords: dev-doc-complete, reporter-external, sec-want, Whiteboard: [adv-main127-])
Attachments
(1 file)
HTML change: https://github.com/whatwg/html/pull/9665.
Tests: https://github.com/web-platform-tests/wpt/pull/41731.
Comment 1•1 year ago

See https://github.com/whatwg/html/issues/2249#issuecomment-1700567077 for the motivation. In particular, when we align with the URL standard and allow data: as base URLs in general (part of Interop 2023 URL focus area), sites that allow injecting <base href="data:...> (but not http/https) would be vulnerable to XSS.
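As an added illustration of the rule this bug implements (this is example code written for this page, not Firefox's implementation or the spec's own text), the snippet below models the HTML spec's frozen base URL step with the WHATWG URL class: a <base href> that parses to a data: or javascript: URL, or fails to parse, is discarded and the document's fallback base URL is used instead. The function names, the document URL and the sample href values are constructed for the example; the fallback base URL is assumed to be the document's own URL, which is the ordinary top-level case (srcdoc and about:blank documents follow different spec branches).

```javascript
// Added example (not Firefox or spec code): models the HTML spec's
// "frozen base URL" rule for <base href> using the WHATWG URL class.
// Helper names and sample values are constructed for this example.

const FORBIDDEN_BASE_SCHEMES = new Set(["data:", "javascript:"]);

// Compute the frozen base URL for a <base> element.
// hrefAttr: value of the href content attribute (string, or null if absent)
// fallbackBaseURL: the document's fallback base URL (assumed here to be the
//   document's own URL, the ordinary top-level-document case)
function frozenBaseURL(hrefAttr, fallbackBaseURL) {
  const fallback = new URL(fallbackBaseURL);
  if (hrefAttr === null || hrefAttr === undefined) return fallback;
  let parsed;
  try {
    // The URL parser strips leading/trailing whitespace and lowercases the
    // scheme, so " JavaScript:void(0)// " is still recognised below.
    parsed = new URL(hrefAttr, fallback);
  } catch {
    return fallback; // unparseable href: keep the fallback base URL
  }
  if (FORBIDDEN_BASE_SCHEMES.has(parsed.protocol)) {
    return fallback; // data:/javascript: base is discarded (this bug)
  }
  return parsed;
}

// Resolve a relative reference the way the document would once <base> applies.
function resolveWithBase(relative, hrefAttr, fallbackBaseURL) {
  return new URL(relative, frozenBaseURL(hrefAttr, fallbackBaseURL)).href;
}

// Constructed document URL for the example.
const DOC_URL = "https://app.example.test/account/settings.html";

// Constructed <base href> values; each line shows where "profile.js" resolves.
const SAMPLE_HREFS = [
  "https://cdn.example.test/assets/", // ordinary absolute base: honoured
  "/static/",                         // relative base, resolved against the document
  "  JavaScript:void(0)//  ",         // javascript: (mixed case, padded): discarded
  "data:text/html,placeholder",       // data: base: discarded
  "http://[not-a-host",               // unparseable: discarded
];

for (const href of SAMPLE_HREFS) {
  console.log(JSON.stringify(href), "->", resolveWithBase("profile.js", href, DOC_URL));
}
```

The same check is what a server-side sanitizer would apply before letting user content contribute a <base> element: parse the candidate href against the page URL, then reject it if the resulting scheme is data: or javascript:, rather than string-matching the raw attribute value, because the URL parser's whitespace stripping and scheme lowercasing are what the browser will apply.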
Comment 2•1 year ago

MDN docs note:
- Docs for this feature done (track here).
- BCD for Chrome/Safari done in https://github.com/mdn/browser-compat-data/pull/20646
- Dynamic case - HTMLBaseElement - not yet supported by anyone. When this goes in, the change will be a BCD update.
Comment 4•6 months ago

Tom: Given that this is going to be a useful baseline for the Sanitizer API to build upon (like the <svg><use href="data:..." change that you also implemented), is this something you can take a look at?
Comment 7•5 months ago

bugherder
Comment 8•5 months ago

FF127 Docs work for this can be tracked in https://github.com/mdn/content/issues/33566
- The spec says that if a javascript or data URL is used in the base element that URL is discarded and the document fallback base URL is used. What is that URL? The spec seems to indicate it is the parent document URL for an iframe. Testing indicates it is the location.url for the loaded document - i.e. it falls back to the actual loaded location if you don't specify it in a base element. Can you clarify/confirm?
- Above it says "Dynamic case - HTMLBaseElement - not yet supported by anyone." Is that still correct?
Comment 9•5 months ago

- The fallback base URL algorithm is specified here: https://html.spec.whatwg.org/multipage/urls-and-fetching.html#fallback-base-url. I think only for the about base URL case this might be the parent's URL.
- Judging from this WPT Safari (and Firefox) support it.
Comment 10•4 months ago
Sorry for the burst of bugspam: filter on tinkling-glitter-filtrate
Adding reporter-external keyword to security bugs found by non-employees for accounting reasons