[Bug 18975] registerContentHandler and registerProtocolHandler open huge security and privacy holes

https://www.w3.org/Bugs/Public/show_bug.cgi?id=18975

--- Comment #1 from Larry Masinter <lmm@acm.org> 2012-09-22 16:09:30 UTC ---
Also:

The current specification attempts to mitigate some of the risks of
registerProtocolHandler by maintaining a "white list" of protocols for which
handlers are "safe" and disallowing registering all other handlers except those
starting with "web+". However, this mechanism doesn't help with most of the
security and privacy problems that arise when allowing dynamically assigned and
overwritten handlers.

There is another bug and decision which focused on "web+" prefix and the
authority under which such schemes are registered, but this was a distraction
from the more fundamental problems. 

For example, even if registerProtocolHandler only allowed registering "mailto"
and nothing else, the risks of web sites trying to steal "mailto" from each
other, or the information leakage that the handler's site now can learn
whenever a user STARTS to type a message, even when the user abandons the
interaction, has not been disclosed or mitigated. 

For example, one mitigation might be that handlers not be URI patterns of
remote services but rather pages or content bodies or previously downloaded
Javascript libraries.


Received on Saturday, 22 September 2012 16:09:31 UTC
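The comment above describes the specification's mitigation: a safelist of schemes for which handlers may be registered, with every other scheme refused unless it carries the "web+" prefix. The following is an added example, not code from the bug report, Larry Masinter, or the W3C specification: a small model of that safelist rule as a user agent would apply it to a registerProtocolHandler() call, together with two defensive checks (the handler template must contain the "%s" placeholder, and the handler must be an https URL on the same origin as the registering page) that are assumptions for this example rather than a statement of what the 2012 draft required. The safelist contents are a constructed illustrative subset, not the normative list.

```javascript
// Added example (not from the bug report): a model of the scheme safelist rule
// described in the comment, plus assumed defensive checks a user agent could
// apply before accepting a registerProtocolHandler() call.

// Constructed, illustrative subset of safelisted schemes; not the normative list.
const SAFELISTED_SCHEMES = new Set(["mailto", "irc", "sms", "xmpp", "webcal"]);

// Scheme syntax per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
const SCHEME_RE = /^[a-z][a-z0-9+.-]*$/i;

// The rule the comment describes: safelisted schemes are allowed, and any
// other scheme is allowed only if it starts with "web+" (and has a suffix).
function isSchemeAllowed(scheme, safelist = SAFELISTED_SCHEMES) {
  const s = String(scheme).toLowerCase();
  if (!SCHEME_RE.test(s)) return false;
  if (safelist.has(s)) return true;
  return s.startsWith("web+") && s.length > "web+".length;
}

// Returns { ok: true, handler } on success, or { ok: false, reason } on refusal.
// The "%s", https and same-origin checks are assumptions made for this example.
function validateHandlerRegistration(scheme, template, documentOrigin) {
  if (!isSchemeAllowed(scheme)) {
    return { ok: false, reason: `scheme "${scheme}" is neither safelisted nor web+ prefixed` };
  }
  if (!String(template).includes("%s")) {
    return { ok: false, reason: "handler template lacks the %s placeholder" };
  }
  let url;
  try {
    url = new URL(template, documentOrigin);
  } catch {
    return { ok: false, reason: "handler template is not a valid URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "handler must be an https URL" };
  }
  // Assumed defensive rule: a page may only register handlers on its own origin,
  // so one site cannot point a scheme at a third party's handler.
  if (url.origin !== new URL(documentOrigin).origin) {
    return { ok: false, reason: `handler origin ${url.origin} differs from registering origin` };
  }
  return { ok: true, handler: { scheme: String(scheme).toLowerCase(), template: url.href } };
}

// Constructed sample registrations, as a page at https://mail.example might attempt.
const ORIGIN = "https://mail.example";
const SAMPLE_CALLS = [
  ["mailto", "https://mail.example/compose?to=%s"],   // safelisted, same origin: accepted
  ["web+notes", "https://mail.example/open?u=%s"],    // web+ prefixed: accepted
  ["http", "https://mail.example/proxy?u=%s"],        // not safelisted, no web+: refused
  ["mailto", "https://other.example/compose?to=%s"],  // cross-origin handler: refused
  ["mailto", "https://mail.example/compose"],         // missing %s: refused
];

for (const [scheme, template] of SAMPLE_CALLS) {
  const result = validateHandlerRegistration(scheme, template, ORIGIN);
  console.log(scheme, template, "->", result.ok ? "accepted" : `refused (${result.reason})`);
}
```

The safelist only decides which schemes may be claimed; it says nothing about what the handler site learns once a user clicks a handled link, which is the gap the comment points at.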