Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

Remove userinfo from base_tag #437

wants to merge 1 commit into


None yet
5 participants

bduggan commented Jan 4, 2013

Hi again (re : github issue 436),

Here's a pull request to remove userinfo from the base_tag helper. This seems like a good security fix; putting userinfo inside a web page means credentials may not only be in caches but also some browsers (firefox 17) actually display the credentials as part of the link destination (on the bottom of the screen). Am happy to bring this up on the mailing list if you think more discussion is warranted.

thanks again


kraih commented Jan 4, 2013

What are the disadvantages of this change? And what is the helper used for these days, good URLs are generated with url_for and friends, wouldn't it make more sense to just deprecate it?

@kraih kraih closed this in 5e59bd9 Jan 4, 2013


bduggan commented Jan 4, 2013

I can't think of any disadvantages; putting credentials into a base tag seems like unexpected behavior.

But I think you're right, if every URL comes from url_for, link_to, etc, base_tag shouldn't be necessary. (I just noticed that url_for also explicitly removes userinfo https://github.com/kraih/mojo/blob/master/lib/Mojolicious/Controller.pm#L405

I can't think of a good reason not to deprecate it, though it may be convenient for those cases where url_for can't be used (e.g. generating vast numbers of links or dynamically generating them).

tianon commented Jan 7, 2013

How are URLs within Javascript files normally handled (especially with regards to AJAX/AJAJ calls)? We've been using base_tag for making this work properly, but would love to hear a better method.


jberger commented Jan 7, 2013

I typically write my pure javascript in separate files in terms of a function argument, then when called from the template I can use the url_for helper in the arguments. Of course this is just my take, but it makes things very simple for me.


marcusramberg commented Jan 7, 2013

You can easily calculate it based on the url of one of your loaded js
files. For instance :

var base_url =
$('script[src$="jquery.js"]').get(0).src.replace(//js/[^/]+$/, '');


On Mon, Jan 7, 2013 at 9:44 PM, Joel Berger notifications@github.comwrote:

I typically write my pure javascript in separate files in terms of a
function argumenthttps://github.com/jberger/Galileo/blob/master/lib/Galileo/files/public/galileo-edit.jsthen when called from the template, I can use the
url_for helper in the argumentshttps://github.com/jberger/Galileo/blob/master/lib/Galileo/files/templates/edit/edit_page.html.ep#L21

Reply to this email directly or view it on GitHubhttps://github.com/kraih/mojo/pull/437#issuecomment-11961959.

Marcus Ramberg
Chief Yak Shaver
Nordaaker Consulting

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment