W3C home > Mailing lists > Public > public-html@w3.org > March 2009

Re: Registering the about: URI scheme

From: Lachlan Hunt <lachlan.hunt@lachy.id.au>
Date: Tue, 03 Mar 2009 15:22:53 +0100
Message-ID: <49AD3D3D.5070405@lachy.id.au>
To: Joseph A Holsten <joseph@josephholsten.com>
Cc: public-html <public-html@w3.org>
Joseph A Holsten wrote:
> I've posted the merged version of Lachlan and my drafts here:
>     http://josephholsten.com/about-uri-scheme/draft-holsten-about-uri-scheme.txt 
> 
> with inline comments and editing marks in html here:
>     http://josephholsten.com/about-uri-scheme/draft-holsten-about-uri-scheme.html 
> 
> and source control here:
>     http://github.com/josephholsten/about-uri-scheme/

I have ACTION-103 [1] assigned to me to follow up on this, which is due 
this thursday.  I have reviewed the draft once again, and I think the 
following changes should be made:

1. Remove about:internets from the list of examples.  It was mentioned
    earlier that this was being removed from Google Chrome due to its
    lack of support any any platform other than Windows XP, and I don't
    think it makes sense to highlight about URIs with such a limited
    utility.


2. The wikipedia article "about: URI Scheme" is mentioned, but there is
    no link provided to it.  Please add a reference to it:

    http://en.wikipedia.org/wiki/About:_URI_scheme


3. The security considerations section seems incomplete.

It contains a quote from HTML5 about the origin and a link to the whatwg 
copy of the spec.  If it is going to reference HTML5, then it should 
reference the W3C copy, rather than the editor draft.

I'm unsure how the first paragraph in this section is describing a 
security related issue:

   "There is no guarantee that an application will understand any about
    URI provided to it. An about URI may not resolve to the expected
    resource. If the reference is unlikely to resolve correctly, the
    reference should be accompanied by an explanation or alternatives."

Either clarify that or remove it.

In the second paragrah, it states:

   "An application should not execute or display information in an about
    URI."

I'm not entirely sure what that's trying to say.  When it comes to 
executing code in a resource identified by an about: URI, perhaps it 
should say that they should not execute untrusted code.  Both Firefox 
and Opera execute scripts in their about:config pages, for example.

   "About URIs may identify resources which show sensitive information.
    This data SHOULD NOT be exposed in about URIs."

I'm not sure what the purpose of that statement is either.  In what way 
would sensitive information in a resource be exposed in a URI?


This is a proposed replacement for the security considerations section:

---

   The origin and the effective script origin of a resource identified by
   an about URI MUST be determined as defined by HTML 5 [HTML5].

   The origin of the about:blank Document is set when the Document is
   created. If the new browsing context has a creator browsing context,
   then the origin of the about:blank  Document is the origin of the
   creator Document. Otherwise, the origin of the about:blank  Document
   is a globally unique identifier assigned when the new browsing context
   is created.

   About URIs should not cause the application to modify any data.
   Applications should not use about URIs to access, or erase files or
   other sensitive information.

   About URIs may identify resources that contain sensitive information.
   Applications should ensure appropriate restrictions are in place
   to protect such information from access or modification by untrusted
   sources.

   [HTML5] http://www.w3.org/TR/html5/

---

4. In section 6, IANA Considerations, the Interoperability
    Considerations part says:

   "...Other about URIs should only be expected to work correctly within
    the same application."

That doesn't make any sense to me.  I think ti should be removed.  I 
think the preceding sentence says enough on its own without that.


Once these issues are cleaned up, I think we'll be ready to go ahead and 
get it published and register the scheme.

[1] http://www.w3.org/html/wg/tracker/actions/103

-- 
Lachlan Hunt - Opera Software
http://lachy.id.au/
http://www.opera.com/
Received on Tuesday, 3 March 2009 14:23:33 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 9 May 2012 00:16:32 GMT