Chrome Version: 62 canary
OS: All but iOS
What steps will reproduce the problem?
(1) Load the following HTML:
<script>
function jsfuzzer() {
  var doc = document.querySelector('iframe').contentDocument;
  document.querySelector('iframe').remove();
  doc.body.innerHTML = '<base href="relative/">';
  alert(doc.baseURI);
}
</script>
<body onload=jsfuzzer()>
<iframe></iframe>
</body>
What is the expected result?
A dialog with a URL relative/ relative to the document URL is shown.
What happens instead?
A dialog with about:blank is shown.
Please use labels and text to provide additional information.
Our current implementation is:
KURL Document::FallbackBaseURL() const {
  if (IsSrcdocDocument())
    return ParentDocument()->BaseURL();
  if (urlForBinding().IsAboutBlankURL()) {
    if (context_document_)
      return context_document_->BaseURL();
    if (Document* parent = ParentDocument())
      return parent->BaseURL();
  }
  return urlForBinding();
}
Specification:
https://html.spec.whatwg.org/multipage/urls-and-fetching.html#fallback-base-url
> 1. If document is an iframe srcdoc document, then return the document base URL of document's browsing context's browsing context container's node document.
> 2. If document's URL is about:blank, and document's browsing context has a creator browsing context, then return the creator base URL.
The two |ParentDocument()| calls, for srcdoc and for about:blank, are not correct. ParentDocument() becomes nullptr after frame detaching. The specification seems to ask for keeping the creator information.
Edge works correctly. Firefox seems to apply step 3 for detached IFRAMEs.
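As an added example that is not part of the bug report, the following JavaScript models the specification's fallback-base-URL steps next to the Chromium logic quoted above, and runs both through the repro: the spec keeps a snapshot of the creator's base URL, so detaching the iframe does not change the result, while the quoted implementation reaches for ParentDocument() and falls back to about:blank. The document shape (makeDocument, creatorBaseURL, contextDocument), the helper names and the example.test URLs are assumptions for illustration, not Blink code.

```javascript
// Added example, not Blink code: a toy document model and two fallback-base-URL
// algorithms, run against the detached-iframe repro from the bug report.

// Assumed document shape. `creatorBaseURL` is a snapshot taken when the document
// is created (what the spec's "creator base URL" needs); `parentDocument` is the
// live link that the quoted ParentDocument() mirrors and that goes away on detach.
function makeDocument({ url, parentDocument = null, creatorBaseURL = null,
                        contextDocument = null, isSrcdoc = false, baseHref = null }) {
  return { url, parentDocument, creatorBaseURL, contextDocument, isSrcdoc, baseHref };
}

// HTML spec, "document base URL": no <base href> -> fallback base URL; otherwise
// the frozen base URL, i.e. href parsed against the fallback, or the fallback
// itself when parsing fails (this is why the repro ends up at about:blank).
function documentBaseURL(doc, fallbackBaseURL) {
  const fallback = fallbackBaseURL(doc);
  if (doc.baseHref === null) return fallback;
  try {
    return new URL(doc.baseHref, fallback).href;
  } catch {
    return fallback;
  }
}

// https://html.spec.whatwg.org/multipage/urls-and-fetching.html#fallback-base-url
function fallbackBaseURLSpec(doc) {
  // Step 1: iframe srcdoc document -> base URL of the container's node document.
  if (doc.isSrcdoc && doc.parentDocument !== null) {
    return documentBaseURL(doc.parentDocument, fallbackBaseURLSpec);
  }
  // Step 2: about:blank with a creator browsing context -> creator base URL.
  // The snapshot survives detaching, so there is no dependency on a live parent.
  if (doc.url === 'about:blank' && doc.creatorBaseURL !== null) {
    return doc.creatorBaseURL;
  }
  // Step 3: otherwise the document's own URL.
  return doc.url;
}

// The Document::FallbackBaseURL() quoted in the report, transcribed into the model.
// Both branches consult the parent document, which is null after the frame is
// removed, so a detached about:blank document falls through to its own URL.
function fallbackBaseURLChromium(doc) {
  if (doc.isSrcdoc) {
    // The quoted C++ dereferences ParentDocument() here without a null check;
    // the model simply falls through when there is no parent.
    if (doc.parentDocument !== null) {
      return documentBaseURL(doc.parentDocument, fallbackBaseURLChromium);
    }
  }
  if (doc.url === 'about:blank') {
    if (doc.contextDocument !== null) {
      return documentBaseURL(doc.contextDocument, fallbackBaseURLChromium);
    }
    if (doc.parentDocument !== null) {
      return documentBaseURL(doc.parentDocument, fallbackBaseURLChromium);
    }
  }
  return doc.url;
}

// The repro: a top-level page with an about:blank iframe; optionally remove the
// iframe, then inject <base href="relative/"> and read doc.baseURI.
// URLs are constructed for the example.
function runRepro(fallbackBaseURL, detachFirst) {
  const top = makeDocument({ url: 'https://example.test/dir/page.html' });
  const frame = makeDocument({
    url: 'about:blank',
    parentDocument: top,
    creatorBaseURL: documentBaseURL(top, fallbackBaseURL),
  });
  if (detachFirst) frame.parentDocument = null;   // iframe.remove()
  frame.baseHref = 'relative/';                    // <base href="relative/">
  return documentBaseURL(frame, fallbackBaseURL);  // doc.baseURI
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('attached, spec    :', runRepro(fallbackBaseURLSpec, false));
  console.log('attached, chromium:', runRepro(fallbackBaseURLChromium, false));
  console.log('detached, spec    :', runRepro(fallbackBaseURLSpec, true));
  console.log('detached, chromium:', runRepro(fallbackBaseURLChromium, true));
}
```

While the iframe is still attached both algorithms resolve to https://example.test/dir/relative/; once it is detached only the spec version does, because `new URL('relative/', 'about:blank')` fails to parse and the frozen base URL collapses back to the about:blank fallback, matching the dialog the report describes.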
Comment 1 by tkent@chromium.org, Aug 2 2017
Summary: Fallback base URL implementation might be incorrect (was: Fallback base URL implementation is incomplete)