Interesting security article on relative URLs Options

[jimlongo]

The following article makes an argument against using relative URLs and how they can be manipulated by an end user.
http://www.thespanner.co.uk/2014/03/21/rpo/

[Darin McGrew]

So the short version is, if your server returns the same document for www.example.com/foo and www.example.com/foo/ then the relative URLs in the document will work for one or the other, but not both.

[jimlongo]

I haven't tested it nor am I insisting it's true yet, but since this was picked up from a tweet by a top security researcher, his conclusion that relative URLs can be leveraged in XSS attack vectors is certainly worth investigation.

I consider relative URLs harmful since you cannot rely on the browser to correctly determine the correct directory and when used with so called “pretty URLs”. Pretty much everyone who has used relative URLs will be open to this type of attack if the path information is outputted or there is some persistent data that an attacker can manipulate. I recommend absolute URLs should be used throughout a site or relative URLs that begin with a forward slash since this is the only type of relative URL that isn’t vulnerable to a RPO attack because it starts at the document root.

[Christian J]

I couldn't understand the text because the prose is so sloppy.