If you want, you can disallow its usage on your website with a Content-Security-Policy directive:
What we need to do is create a new `link` element, attach it to the window, assign the URL to the link's `href` attribute, and then read that attribute back out. This process converts all relative URLs to absolute URLs, taking BASE into consideration.
Note that you MUST add the link to the document of the correct window. Adding it to the document of an anonymous iframe will not work because while anonymous iframes inherit a lot of things from the parent, the baseURI isn't one of them.
My personal use case: my company built a system where developers could build html/css/js "apps" that semi-technical end users could deploy into their accounts. Those end users could tweak the html/css/js in limited ways and just the modified part would be deployed to a different location, but would have an injected <base> tag to point back to the developer's app so that end users could reference the original app's images and other static assets. If I were to build it again I might choose an actual templating system instead, but it would be one extra thing our users would have to learn.
As an end user who prefers using a non-graphical http client to retrieve web content to a file (then view the file in another program -- often a browser), I use this element every day.
When I know I will use a browser to view the file, I use a client that writes the base href according to the target domain to the beginning of the file.
Saved me some time of waiting for credentials or slow preview from backend.
> Avanan says cybercriminals have found a simple way to bypass this security feature by using a <base> tag in the HTML header – basically splitting the malicious URL. Using this method, Safe Links only checks the base domain and ignores the rest – the link is not replaced and the user is allowed to access the phishing site.
To me, this seems more an oversight, if not a bug, of the email link protection system.
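For reference, a link check that resolves every `href` against the message's `<base>` before looking it up, which is the step the quoted report says was skipped. This is an added example, not part of the thread and not how any particular product works; the function names, hosts and blocklist entry are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

class _LinkCollector(HTMLParser):
    """Records the first <base href> and every <a>/<area> href, in document order."""
    def __init__(self):
        super().__init__()
        self.base_href = None
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if href is None:
            return
        if tag == "base":
            if self.base_href is None:      # browsers honour only the first <base href>
                self.base_href = href.strip()
        elif tag in ("a", "area"):
            self.hrefs.append(href.strip())

def effective_links(html):
    """Return (raw_href, resolved_url) pairs, resolving each link against <base>."""
    collector = _LinkCollector()
    collector.feed(html)
    collector.close()
    base = collector.base_href or ""
    return [(raw, urljoin(base, raw)) for raw in collector.hrefs]

def flag_links(html, blocked_urls):
    """Check the URL the browser would actually open, not the raw attribute."""
    return [resolved for _, resolved in effective_links(html) if resolved in blocked_urls]

# Constructed sample message body; hosts and paths are placeholders.
SAMPLE_EMAIL = """<html><head><base href="https://files.example/"></head>
<body><a href="shared/invoice-login.html">View invoice</a>
<a href="https://intranet.example/help">Help</a></body></html>"""
BLOCKED = {"https://files.example/shared/invoice-login.html"}

if __name__ == "__main__":
    for raw, resolved in effective_links(SAMPLE_EMAIL):
        print(f"{raw!r} -> {resolved}")
    print("flagged:", flag_links(SAMPLE_EMAIL, BLOCKED))
```

Neither the base (`https://files.example/`) nor the raw `href` matches the blocklist on its own; only the resolved URL does. `urljoin` follows RFC 3986 and only approximates the browser's URL parser, so a production check should use a WHATWG-compliant resolver.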
Another use case is to change all links to open in a new tab by setting only "target" on the <base>. This happens on marketing sites with a lot of third-party links so the marketing department naturally wants those links to open in a new tab instead of the current tab.
However, this can create a vulnerability as the linked website now has a reference to your site through window.opener and can take the user away from your site:
Also, if you ever use relative URLs for assets or requests, and you deploy to different URLs (or your deployed URL paths don't map 1:1 to your filesystem paths), it can come in handy.
Angular also uses this to determine where the client side routing begins - https://angular.io/guide/deployment#base-tag .
Admittedly this is probably not the use case you're looking for.
I'm unsure if there's any utility to publishing a publicly-visible page using this tag.