Summary: | BASE tag is allowed more than once and outside the <head> section | ||
---|---|---|---|
Product: | WebKit | Reporter: | eduardo vela <sirdarckcat> |
Component: | DOM | Assignee: | Nobody <webkit-unassigned> |
Status: | RESOLVED CONFIGURATION CHANGED | ||
Severity: | Normal | CC: | ahmad.saleem792, ap, bfulgham, cdumez, rniwa |
Priority: | P2 | ||
Version: | 528+ (Nightly build) | ||
Hardware: | PC | ||
OS: | All | ||
URL: | http://zaz.sirdarckcat.net/zaz |
Description
eduardo vela
2009-10-16 01:10:42 PDT
I should have reported this here instead of chromium: http://code.google.com/p/chromium/issues/detail?id=25017 And I also submitted a bug report for firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=522658 I want to add that this has security considerations, if an attacker is able to add a <base> tag in the middle of the source code, it may leak information to other domains. As implied by comment 1, we match Firefox here. We probably shouldn't change this unilaterally - but it's definitely something to keep an eye on. FYI: https://bugzilla.mozilla.org/show_bug.cgi?id=515401 Apparently Gecko is fixing this WPT do have coverage for BASE tag multiple: https://wpt.fyi/results/html/semantics/document-metadata/the-base-element?label=master&label=experimental&aligned&view=subtest&q=base Safari TP 150 passes all tests, do we need to do something here? The test URL does not work and I tried to look into Wayback Archive but couldn't find as well. Appreciate if someone can comment and update the bug status accordingly or attached minimal test case (if needed). Thanks! Not sure if WPT covers everything that this bug talks about, but in my testing, all browsers agree now.
- When there are multiple BASE elements, only the first one is respected.
- BASE elements in BODY _are_ respected.
> I want to add that this has security considerations
I think that you are correct, but at this point, it's up to websites to prevent base element injection.
|