Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Consider adding a type for base.href #172

Open
koto opened this issue May 15, 2019 · 3 comments
Open

Consider adding a type for base.href #172

koto opened this issue May 15, 2019 · 3 comments
Labels
Milestone

Comments

@koto
Copy link
Member

@koto koto commented May 15, 2019

Extracted from #152:

@briansmith:

I expect that most people who would use Trusted Types don't want <base> to be used at all and so it should be easy to implement the equivalent of CSP base-uri 'none' (and maybe base-uri 'self') in a Trusted-Types policy. This makes me think that base URLs shouldn't have the same type as other URLs.

Currently the base URL requires TrustedScriptURL due to it being more powerful than TrustedURL, but it has some unique capabilities which is to change the meaning of other TrustedScriptURL and TrustedURL instances.

@mikesamuel

This comment has been minimized.

Copy link
Collaborator

@mikesamuel mikesamuel commented May 15, 2019

<base href="javascript:alert(1)//">
<a href="#">link</a>
<br>
<script>
const { href } = document.querySelector('a');
document.body.appendChild(document.createTextNode(href))
</script>

Firefox and Safari show the href as javascript:alert(1)//#. Chrome rejects the <base>.

@koto

This comment has been minimized.

Copy link
Member Author

@koto koto commented May 15, 2019

Chrome disallows javascript: base URLs (http://crbug.com/679318), other browsers don't follow that behavior: whatwg/html#2249.

The issue though is mostly about changing the meaning of relative URLs, rather than javascript: prefix in specific. Changing script URLs to point to a different host would be equally bad.

@koto koto added this to the v1 milestone Jun 24, 2019
@koto koto added the spec label Jun 24, 2019
@mikesamuel

This comment has been minimized.

Copy link
Collaborator

@mikesamuel mikesamuel commented Jul 3, 2019

In Google internal code, we allow deriving a TrustedScriptURL from a TrustedScriptURL by adding query parameters or changing the hash.

That seems similar to the consequences of <base href>

@koto koto added the polyfill label Jul 11, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.