Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Consider adding a type for base.href #172

Closed
koto opened this issue May 15, 2019 · 3 comments
Closed

Consider adding a type for base.href #172

koto opened this issue May 15, 2019 · 3 comments
Labels
future In consideration for the future releases of the API polyfill spec
Milestone
v2

Comments

@koto
Copy link
Member

koto commented May 15, 2019

Extracted from #152:

@briansmith:

I expect that most people who would use Trusted Types don't want <base> to be used at all and so it should be easy to implement the equivalent of CSP base-uri 'none' (and maybe base-uri 'self') in a Trusted-Types policy. This makes me think that base URLs shouldn't have the same type as other URLs.

Currently the base URL requires TrustedScriptURL due to it being more powerful than TrustedURL, but it has some unique capabilities which is to change the meaning of other TrustedScriptURL and TrustedURL instances.
@koto koto mentioned this issue May 15, 2019
Closed
@mikesamuel
Copy link
Collaborator 

<base href="javascript:alert(1)//">
<a href="#">link</a>
<br>
<script>
const { href } = document.querySelector('a');
document.body.appendChild(document.createTextNode(href))
</script>

Firefox and Safari show the href as javascript:alert(1)//#. Chrome rejects the <base>.

@koto
Copy link
Member Author

koto commented May 15, 2019
edited

Chrome disallows javascript: base URLs (http://crbug.com/679318), other browsers don't follow that behavior: whatwg/html#2249.

The issue though is mostly about changing the meaning of relative URLs, rather than javascript: prefix in specific. Changing script URLs to point to a different host would be equally bad.

@koto koto added this to the v1 milestone Jun 24, 2019
@koto koto added the spec label Jun 24, 2019
@mikesamuel
Copy link
Collaborator

In Google internal code, we allow deriving a TrustedScriptURL from a TrustedScriptURL by adding query parameters or changing the hash.

That seems similar to the consequences of <base href>

@koto koto added the polyfill label Jul 11, 2019
@koto koto added the future In consideration for the future releases of the API label Mar 6, 2020
@koto koto modified the milestones: v1, v2 Mar 6, 2020
@koto koto closed this as completed Jan 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
future In consideration for the future releases of the API polyfill spec
Projects
None yet
Milestone
v2
Development

No branches or pull requests
2 participants
@koto @mikesamuel