Understanding the base URI
The `<base>` HTML5 tag and the Content Security Policy `base-uri` directive are widely misunderstood and, at best, ignored. At the same time their purpose is really simple, and correct configuration adds another small brick to the defence of your website.
Firstly, the whole concept of a base URI for your website only applies to relative URLs, i.e. internal links like `/news/article1` rather than absolute links like `https://example.com/news/article1`. If your website uses only absolute links, the base URI is of no concern to you, but that is obviously impractical, especially for internal links.
By default, if unspecified, the base URI is identical to your website's origin. So if your website lives at `https://example.com`, any relative links will be resolved from this origin. The security problem here is that **if someone can add a `<base>` tag to your website, either by attacking your CMS or via XSS, all relative links will suddenly start pointing to their malicious website.**
Obviously, if they can add arbitrary tags to your HTML code, they can do much more evil than just that, so the base URI attack is more practical as a workaround to bypass already existing, but insufficiently robust, controls on your website.
To prevent that, Content Security Policy introduced a new directive, `base-uri`, which on most websites should be set to `'none'`, because on most websites you won't be modifying the base URI beyond the default one.
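The following is an added example, not code from the original article. It shows two things described above: how the same relative links resolve to completely different targets once the document's base URI is replaced by an injected one, and how to check a `Content-Security-Policy` header value for a `base-uri` directive. It uses only the WHATWG `URL` API available in browsers and Node.js; the page URLs, the injected base (`https://injected.example/`) and the sample header values are constructed for illustration. One caveat worth knowing when reading the checker: `base-uri` does not fall back to `default-src`, so a policy that sets only `default-src` leaves `<base>` injection unaddressed.

```javascript
// Added example (not part of the original article). Demonstrates relative
// URL resolution against a base URI and a minimal check of a CSP header
// for the base-uri directive. Sample URLs and header values are constructed.

// Resolve a relative href the way a browser does: against the document's
// base URI, which defaults to the document's own URL unless <base href>
// overrides it.
function resolveLink(relativeHref, baseUri) {
  return new URL(relativeHref, baseUri).href;
}

// Show the effect of an injected <base href="..."> on a page at pageUrl:
// returns the absolute targets of the given relative links, first with the
// default base (the page's own URL) and then with the injected base.
function compareBases(pageUrl, injectedBase, relativeLinks) {
  return {
    defaultBase: relativeLinks.map((h) => resolveLink(h, pageUrl)),
    injectedBase: relativeLinks.map((h) => resolveLink(h, injectedBase)),
  };
}

// Minimal CSP header parser: directives are separated by ';', and each
// directive is a name followed by whitespace-separated source expressions.
// Returns a Map of lower-cased directive name -> array of source values.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per CSP, only the first occurrence of a directive counts.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Classify how a policy handles base-uri. base-uri has no fallback to
// default-src, so an absent directive means <base> tags are unrestricted.
function checkBaseUri(headerValue) {
  const sources = parseCsp(headerValue).get('base-uri');
  if (sources === undefined) {
    return 'missing: base-uri not set (no fallback to default-src)';
  }
  if (sources.length === 1 && sources[0] === "'none'") return "ok: base-uri 'none'";
  if (sources.length === 1 && sources[0] === "'self'") return "ok: base-uri 'self'";
  return `review: base-uri ${sources.join(' ')}`;
}

// Stand-alone demonstration with constructed values.
const demo = compareBases(
  'https://example.com/news/article1',
  'https://injected.example/',
  ['/news/article2', 'images/logo.png', '../about'],
);
console.log('default base :', demo.defaultBase);
console.log('injected base:', demo.injectedBase);
console.log(checkBaseUri("default-src 'self'"));
console.log(checkBaseUri("default-src 'self'; base-uri 'none'"));
```

Running the block prints the three links first under `https://example.com` and then under the injected host, followed by the two policy verdicts; the point of the checker is that `default-src 'self'` alone is reported as missing, which is exactly the gap a `base-uri 'none'` directive closes.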