
Fix base URL implementation for about:srcdoc and about:blank

Category
DOM
Type
No developer-visible change
Status
In developer trial (Behind a flag)
Intent stage
Dev trials

Summary

This work fixes inconsistencies in the current Chromium/Blink implementation of the base URL for about:srcdoc and about:blank frames. The current implementation is inconsistent with the behaviors of Safari and Firefox (although those two are not necessarily consistent with each other). It also exhibits a "broken" snapshotting behavior: base URL changes in the parent/initiator frame may become visible to the child frame, but only when the child makes (and then reverses) changes to its own <base> element. The work ensures that the base URL supplied to about:srcdoc and about:blank frames is snapshotted from their initiator at the time the navigation begins. The implementation will also allow the base URL to work correctly for about:srcdoc frames when those frames are in a different process from their parent. A more detailed discussion of the underlying issues may be found at https://github.com/whatwg/html/issues/421#issuecomment-1260360824 and https://docs.google.com/document/d/1e7T1YR5aGDg-eGHKDNnKUWcz1Dr38t_O0-XJqsMeZcE/edit?resourcekey=0-qCAYJPulnTdo9hV_dPCdhw#.
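To make the two behaviors concrete, here is an added example (a small model written for this page, not Chromium code) that contrasts the legacy "re-read the parent's base URL when the child touches its own <base>" behavior with snapshot-at-navigation semantics; the frame URLs and base hrefs are constructed, and only absolute document URLs are modelled, with Node's WHATWG URL doing the actual relative-URL resolution.

```javascript
// Model of how an about:srcdoc / about:blank frame derives its base URL from
// its initiator. mode 'snapshot' = fixed at navigation start; mode 'legacy' =
// the inconsistent behavior described above. Not Chromium code.
class Frame {
  constructor(url, initiator = null, mode = 'snapshot') {
    this.url = url;
    this.initiator = initiator;
    this.mode = mode;
    this.baseHref = null; // href of the document's own <base>, if any
    // Inherited base URL, captured when the navigation begins.
    this.inheritedBase = initiator ? initiator.baseURL() : null;
  }

  // Change (or, with null, remove) the document's own <base>. In the legacy
  // model this is the moment the frame re-reads its initiator's *current*
  // base URL, so parent changes leak through only via this path.
  setBase(href) {
    this.baseHref = href;
    if (this.mode === 'legacy' && this.initiator) {
      this.inheritedBase = this.initiator.baseURL();
    }
  }

  // Fallback base URL: the inherited base for about:srcdoc / about:blank,
  // otherwise the document's own (absolute) URL.
  fallbackBaseURL() {
    const inherits = this.url === 'about:srcdoc' || this.url === 'about:blank';
    return inherits ? this.inheritedBase : this.url;
  }

  // Document base URL: a <base href> is itself resolved against the fallback.
  baseURL() {
    const fb = this.fallbackBaseURL();
    return this.baseHref ? new URL(this.baseHref, fb).href : fb;
  }

  resolve(relative) { return new URL(relative, this.baseURL()).href; }
}

// The sequence from the summary: child navigates, parent later changes its
// <base>, then the child adds and removes its own <base>. Returns what
// "script.js" resolves to in the child after each step. (Constructed URLs.)
function walkthrough(mode) {
  const parent = new Frame('https://example.test/app/');
  const child = new Frame('about:srcdoc', parent, mode);
  const out = [child.resolve('script.js')];       // right after navigation
  parent.setBase('https://other.example/moved/'); // parent changes its base
  out.push(child.resolve('script.js'));           // child has not touched <base>
  child.setBase('cdn/');                          // child adds its own <base>
  out.push(child.resolve('script.js'));
  child.setBase(null);                            // ...and reverses it
  out.push(child.resolve('script.js'));
  return out;
}
```

In the snapshot model the child keeps resolving against https://example.test/app/ throughout; in the legacy model the parent's later base change surfaces only once the child modifies its own <base>, which is exactly the inconsistency the fix removes.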

Motivation

There are two primary motivations for this work:

1) We want to make Chrome's implementation of base URL inheritance both consistent and secure. Snapshotting at the time the subframe navigates, and always using the initiator's base URL, are how we will achieve this.

2) The implementation of process-isolated srcdoc frames means we must address the limitations and lack of correctness in our current base URL inheritance implementation.

Both of these motivations lead to improved security in Chrome.

Standards & signals

View on chromestatus.com