On 7/19/11 9:12 PM, Ian Hickson wrote:
Would other browser vendors be willing to change to only look at<base
href> in<head>?
Gecko used to implement that back when the spec said it.
This caused site compat issues. See
https://bugzilla.mozilla.org/show_bug.cgi?id=593807 (United checkin
outside the US being broken) and
https://bugzilla.mozilla.org/show_bug.cgi?id=592880 (hyperlatex output
being broken) for example.
The latter explicitly mentions that hyperlatex output is broken in
recent IE versions.
The former depends on the parsing behavior of IE you describe so is not
a problem in IE9-. See
https://bugzilla.mozilla.org/show_bug.cgi?id=593807#c7
On the other hand, this change would fix CA Unicenter
(https://bugzilla.mozilla.org/show_bug.cgi?id=627361 and its two
duplicates), I think.
So I guess it comes down to what set of sites we want to break here....
Do other UA vendors have any data on the matter?
That said, I'm not sure I understand the security concern. What kind of
whitelist-based filter would let through <script>s whose URIs it does
not control, exactly? Can the security concern be mitigated by only
allowing <base> outside <head> if the base URI it sets is same-origin
with the document?
-Boris
