
Issue 679318

Starred by 6 users

Issue metadata

Status: Fixed
Owner:
Closed: Feb 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 3
Type: Bug

Blocking:
issue 680418




Restrict `<base>` to ~sane values.

Project Member Reported by mkwst@chromium.org, Jan 9 2017

Issue description

`<base href="data:/,-alert(1)/">` works just fine in Chrome, which is strange indeed. If the discussion at https://github.com/whatwg/html/issues/2249 goes in a reasonable direction, we should change our behavior to match.
 

Comment 1 by mkwst@chromium.org, Jan 12 2017

Blocking: 680418
Project Member Comment 2 by bugdroid1@chromium.org, Jan 12 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/80883f862b84159e61a786edc04f5159afcb1267

commit 80883f862b84159e61a786edc04f5159afcb1267
Author: mkwst <mkwst@chromium.org>
Date: Thu Jan 12 21:37:26 2017

Add some <base> metrics to guide experimentation.

<base> has cropped up in some recent attacks, and maybe it's possible to
tweak things a little bit to make it play better with the platform at
large. Let's find out, shall we?

BUG= 679318 

Review-Url: https://codereview.chromium.org/2626243002
Cr-Commit-Position: refs/heads/master@{#443370}

[modify] https://crrev.com/80883f862b84159e61a786edc04f5159afcb1267/third_party/WebKit/Source/core/dom/Document.cpp
[modify] https://crrev.com/80883f862b84159e61a786edc04f5159afcb1267/third_party/WebKit/Source/core/frame/UseCounter.h
[modify] https://crrev.com/80883f862b84159e61a786edc04f5159afcb1267/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
[modify] https://crrev.com/80883f862b84159e61a786edc04f5159afcb1267/tools/metrics/histograms/histograms.xml

Project Member Comment 3 by bugdroid1@chromium.org, Feb 9 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/60e243955ccc6ac466c074d812ae406dec337fe3

commit 60e243955ccc6ac466c074d812ae406dec337fe3
Author: mkwst <mkwst@chromium.org>
Date: Thu Feb 09 11:57:01 2017

'data:' may not be used as a document's base URL.

Intent: https://groups.google.com/a/chromium.org/d/msg/blink-dev/TsBB5GOpMZA/AAE_Sb_HBwAJ
Spec: https://github.com/whatwg/html/issues/2249

BUG= 679318 

Review-Url: https://codereview.chromium.org/2685843003
Cr-Commit-Position: refs/heads/master@{#449262}

[modify] https://crrev.com/60e243955ccc6ac466c074d812ae406dec337fe3/third_party/WebKit/LayoutTests/external/wpt/MANIFEST.json
[add] https://crrev.com/60e243955ccc6ac466c074d812ae406dec337fe3/third_party/WebKit/LayoutTests/external/wpt/html/semantics/document-metadata/the-base-element/base_href_data.html
[modify] https://crrev.com/60e243955ccc6ac466c074d812ae406dec337fe3/third_party/WebKit/LayoutTests/fast/url/relative-expected.txt
[modify] https://crrev.com/60e243955ccc6ac466c074d812ae406dec337fe3/third_party/WebKit/LayoutTests/fast/url/script-tests/relative.js
[delete] https://crrev.com/eb73e4330ecb59905157b11ce20ca29345d9635e/third_party/WebKit/LayoutTests/fast/url/script-tests/segments-from-data-url.js
[delete] https://crrev.com/eb73e4330ecb59905157b11ce20ca29345d9635e/third_party/WebKit/LayoutTests/fast/url/segments-from-data-url.html
[modify] https://crrev.com/60e243955ccc6ac466c074d812ae406dec337fe3/third_party/WebKit/Source/core/dom/Document.cpp
[modify] https://crrev.com/60e243955ccc6ac466c074d812ae406dec337fe3/third_party/WebKit/Source/core/html/parser/HTMLPreloadScanner.cpp
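As an added example (not code from the Chromium change above), the following Node.js snippet models how a document's relative subresource URLs resolve against a `<base href>` before and after the restriction from comment 3, using the `<base>` value from the issue description as constructed input. The function names and the fallback to the document's own URL when the base is rejected are assumptions of this example.

```javascript
// Added example, not code from the Chromium change discussed in this issue.
// Models how relative subresource URLs resolve against a <base href>, before
// and after the "data: may not be a document's base URL" restriction.
// Function names and the fallback to the document's own URL are assumptions.

// Pre-fix behaviour: whatever <base href> parses to becomes the base URL.
function permissiveBaseUrl(documentUrl, baseHref) {
  try {
    return new URL(baseHref, documentUrl);
  } catch {
    return new URL(documentUrl); // unparseable href: fall back to the document
  }
}

// Post-fix behaviour: a candidate base URL with the data: scheme is rejected
// and the document's own URL is used instead; other schemes are untouched.
function restrictedBaseUrl(documentUrl, baseHref) {
  const candidate = permissiveBaseUrl(documentUrl, baseHref);
  if (candidate.protocol === 'data:') {
    return new URL(documentUrl);
  }
  return candidate;
}

// Resolve a relative reference (e.g. a <script src>) the way a document would.
function resolveSubresource(documentUrl, baseHref, relative, restrictData) {
  const base = restrictData
    ? restrictedBaseUrl(documentUrl, baseHref)
    : permissiveBaseUrl(documentUrl, baseHref);
  return new URL(relative, base).href;
}

// Constructed sample: the <base> value from the issue description and a
// document that loads a same-directory script through a relative src.
const DOC_URL = 'https://example.test/app/index.html';
const BASE_HREF = 'data:/,-alert(1)/';

const before = resolveSubresource(DOC_URL, BASE_HREF, 'app.js', false);
const after = resolveSubresource(DOC_URL, BASE_HREF, 'app.js', true);
console.log('pre-fix :', before); // the script now resolves into the data: URL
console.log('post-fix:', after);  // https://example.test/app/app.js
```

A conventional `<base href="https://cdn.example.test/v2/">` is left alone by `restrictedBaseUrl`, so only data: bases change behaviour.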

Comment 4 by mkwst@chromium.org, Feb 14 2017

Status: Fixed (was: Assigned)

Comment 5 by mkwst@chromium.org, Feb 14 2017

Cc: a...@google.com mkwst@chromium.org elawrence@chromium.org
Issue 689412 has been merged into this issue.
