Closed Bug 1850967 Opened 11 months ago Closed 3 months ago

Forbid data: and javascript: URLs in <base>

Categories

(Core :: DOM: Core & HTML, defect)

RESOLVED FIXED
127 Branch
Tracking Status
firefox127 --- fixed

People

(Reporter: annevk, Assigned: tschuster, NeedInfo)

References

(Blocks 1 open bug)

Details

(Keywords: dev-doc-complete, reporter-external, sec-want, Whiteboard: [adv-main127-])

Attachments

(1 file)

See https://github.com/whatwg/html/issues/2249#issuecomment-1700567077 for the motivation. In particular, when we align with the URL standard and allow data: as base URLs in general (part of Interop 2023 URL focus area), sites that allow injecting <base href="data:..."> (but not http/https) would be vulnerable to XSS.

MDN docs note:

Keywords: dev-doc-needed
Severity: -- → S3
Blocks: html
Keywords: sec-want

NI myself to take a look

Flags: needinfo?(sefeng)

Tom: Given that this is going to be a useful baseline for the Sanitizer API to build upon (like the <svg><use href="data:..."> change that you also implemented), is this something you can take a look at?

Flags: needinfo?(tschuster)
Assignee: nobody → tschuster
Flags: needinfo?(tschuster)
Attachment #9399969 - Attachment description: WIP: Bug 1850967 - Forbid data: and javascript: URLs in <base>. → Bug 1850967 - Forbid data: and javascript: URLs in <base>. r?emilio
Pushed by tschuster@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d50469219667
Forbid data: and javascript: URLs in <base>. r=emilio
Status: NEW → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → 127 Branch

FF127 Docs work for this can be tracked in https://github.com/mdn/content/issues/33566

  1. The spec says that if a javascript or data URL is used in the base element, that URL is discarded and the document fallback base URL is used. What is that URL?

    The spec seems to indicate it is the parent document URL for an iframe. Testing indicates it is the location.url for the loaded document - i.e. it falls back to the actual loaded location if you don't specify it in a base element. Can you clarify/confirm?

  2. Above it says

    Dynamic case - `HTMLBaseElement` - not yet supported by anyone.

    Is that still correct?

Flags: needinfo?(tschuster)
  1. The fallback base URL algorithm is specified here: https://html.spec.whatwg.org/multipage/urls-and-fetching.html#fallback-base-url. I think only for the about base URL case this might be the parent's URL.

  2. Judging from this WPT, Safari (and Firefox) support it.

Flags: needinfo?(tschuster)
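
The behaviour discussed in the two comments above, as an added example that is not Firefox's code or part of the original bug: a `<base href>` whose parsed scheme is data: or javascript: is discarded and the fallback base URL is used. The function names and sample values are hypothetical; the sketch assumes the fallback base URL is the document's own URL and does not model the about:blank, iframe srcdoc or CSP `base-uri` cases.

```javascript
// Added example: models the <base href> check discussed in this bug.
// Assumption: the fallback base URL is the document's own URL.
const FORBIDDEN_BASE_SCHEMES = new Set(["data:", "javascript:"]);

// Returns { base, accepted } for a document URL and a <base href> value.
function effectiveBaseUrl(documentUrl, baseHref) {
  const fallback = new URL(documentUrl);
  let candidate;
  try {
    // Parse with the URL parser instead of string-matching a prefix:
    // the parser strips leading spaces, removes tabs and newlines and
    // lowercases the scheme, so " JaVaScRiPt:" and "da\tta:" are caught.
    candidate = new URL(baseHref, fallback);
  } catch {
    return { base: fallback.href, accepted: false }; // parse failure
  }
  if (FORBIDDEN_BASE_SCHEMES.has(candidate.protocol)) {
    return { base: fallback.href, accepted: false }; // href discarded
  }
  return { base: candidate.href, accepted: true };
}

// Resolves a relative reference against the effective base URL.
function resolveInDocument(documentUrl, baseHref, reference) {
  return new URL(reference, effectiveBaseUrl(documentUrl, baseHref).base).href;
}

// Constructed sample inputs (not taken from the bug).
const DOC = "https://app.example/account/settings.html";
const SAMPLES = [
  "https://cdn.example/assets/",   // accepted
  "/static/",                      // accepted, resolved against DOC
  "data:text/html,placeholder",    // discarded
  "  JaVaScRiPt:void(0)",          // discarded after normalisation
  "da\tta:text/plain,placeholder", // discarded after tab removal
  "https://exa mple.test/",        // parse failure
];

function report() {
  return SAMPLES.map((href) => ({ href, ...effectiveBaseUrl(DOC, href) }));
}

console.table(report());
```

A sanitizer or test harness can reuse the same parse-then-compare approach to flag `<base>` elements that a post-fix browser will ignore.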

Sorry for the burst of bugspam: filter on tinkling-glitter-filtrate
Adding reporter-external keyword to security bugs found by non-employees for accounting reasons

Whiteboard: [adv-main127-]