Ref T4340. We don't use "<base />" so we can safely block it.
- Maniphest Tasks
- T4340: Implement Content-Security-Policy and Strict-Transport-Security headers
- rPd5befb1a0ea3: Block use of "<base />" in the Content Security Policy
Injected "<base />" into a page, saw an error in the console showing that the browser had blocked it.