On 7/20/11 4:54 AM, Anne van Kesteren wrote:
On Wed, 20 Jul 2011 05:07:05 +0200, Boris Zbarsky <bzbar...@mit.edu> wrote:
That said, I'm not sure I understand the security concern. What kind
of whitelist-based filter would let through <script>s whose URIs it
does not control, exactly? Can the security concern be mitigated by
only allowing <base> outside <head> if the base URI it sets is
same-origin with the document?
The <script> is from the page itself and uses a relative URL. The <base>
is inserted by the attacker and causes the script to be requested from a
server under the attacker's control.
OK, thanks. That was about the only threat model I could think of here...
It sounds like my proposal above would mitigate this threat, yes?
-Boris
