Re: Security concersn with BASE

Vincent Tkac (
Sat, 5 Aug 95 11:35:21 EDT

Daniel W. Connolly wrote:
> In message <>, Lou Montulli writes:
> >In article <> Owen Rees <>
> >wrote:
> >> The options seem to be:
> >> 1) BASE is only for resolving relative URLs, it may be a URI for a
> >> different resource.
> >> 2) BASE must be a URI for this document
> First, (2) is phrased strangely. What does it mean for a something to
> "be a URI for a document"? A document is a sequence of characters.
> It makes more sense to say that a document is a representation of
> a resource named by a URI.
> And when some document X contains <base href="uri-x"> then yes, that's
> an assertion that document X is a representation of the resource
> identified by uri-x.

That is not necessarily what it means. Document X may not be representable
by any other URI than the one it was fetched with (in the case of a document
_created_ by a script). If this is the case then the URI in the base tag
must only effect the resolution of relative URIs (not storage in hostlist,
not realoading).

> It's also a request to cite this resource using uri-x. Now...
> should that request be honored? I think so.

Base is only a mechanism to tell the client how to resolve relative URIs.
If the author wants the client to know that the document has moved and is
available and should be accessed via another URI then that is what the author
should say (via a redirect) instead of trying to imply it with the base tag.

> >2 can not be used because it opens up serious security concerns.
> >
> >You can't get a document from one source and then inform the
> >user that it is from someplace completely different.
> How is this different from an HTTP URI: header? Yes, folks can
> lie. Unless you've got authentication, you pretty much have to trust
> folks -- and realize that you'd better not rely too heavily on
> unathenticated information.

You can get a document from one source and inform the client that all relative
URI should be resolved using the base URI in the document.

> > Since
> >users rely on the URI to tell them where the document comes from
> >this usage of BASE will lead users to believe things that are
> >not true.
> Any user who thinks that the base URI is where the document came
> from is just mistaken, if you ask me.

The document should be referenced by the URI that the document was
fetched with.

> Displaying the URL given in a <base> tag, rather than the one used to
> fetch the document will lead the user to believe that the author wants
> the document cited by that <Base> address, which is the truth, no?

Nope. At least, it shouldn't be.

Vince Tkac