On 8/22/12 2:30 AM, Julian Reschke wrote:
> On 2012-08-21 21:40, Larry Masinter wrote:
>> That and the security considerations, but I suppose that the
>> security concerns are about RegisterProtocolHandler. I don't
>> understand or see how the 'origin' sandboxing can work, since the
>> protocol handler registry is a shared global resource.
>
> I don't think there's an attempt to sandbox here. As a matter of
> fact, I would expect the protocol handler to be registered
> *globally*, so that links would work when followed from a MUA as
> well.
>
>> And what does the "web+" buy, anyway? It prevents "Web+mailto"
>> from stepping on "mailto", but it doesn't prevent "web+mailto" 1
>> from stepping on "web+mailto" 2.
>
> It's not about name collisions; it's about implicitly white-listing a
> set of URI schemes.

Yes, and that's part of the concern people have with it.

>> Whenever there's a naming convention, there needs to be some
>> invariant that is true for things that match, otherwise the
>> naming convention is meaningless. So what is it that you know
>> about "web+foo:" that you don't know about "foo:" ?
>
> "If the registerProtocolHandler() method is invoked with a scheme
> that is neither a whitelisted scheme nor a scheme whose value
> starts with the substring "web+" and otherwise contains only
> characters in the range lowercase ASCII letters, the user agent
> must throw a SecurityError exception."
>
> So by default, most current and future URI schemes can not be
> registered, *unless* they start with "web+", *or* they are added to
> the exception list.

Correct.

Peter

--
Peter Saint-Andre
https://stpeter.im/

Received on Thursday, 23 August 2012 15:55:35 GMT
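The scheme check quoted in the thread, as an added example that is not part of the original message or of the specification text: it shows that the rule gates on the scheme name only, so two origins can both claim "web+mailto" in a shared registry. `SAMPLE_WHITELIST`, `checkScheme`, `HandlerRegistry`, `classify` and the example origins are hypothetical names and constructed values; the exact-match whitelist lookup and the requirement of at least one letter after "web+" are assumptions.

```javascript
// Added example, not from the thread or the spec text.
// SAMPLE_WHITELIST is a constructed stand-in for the user agent's exception list.
const SAMPLE_WHITELIST = new Set(["mailto", "irc", "webcal"]);

class SecurityError extends Error {
  constructor(message) {
    super(message);
    this.name = "SecurityError";
  }
}

// The quoted rule: accept a whitelisted scheme, or "web+" followed only by
// lowercase ASCII letters; anything else throws SecurityError.
// Assumptions: exact-match whitelist lookup, at least one letter after "web+".
function checkScheme(scheme) {
  if (SAMPLE_WHITELIST.has(scheme)) return "whitelisted";
  if (/^web\+[a-z]+$/.test(scheme)) return "web+ prefix";
  throw new SecurityError(`scheme "${scheme}" cannot be registered`);
}

// Hypothetical global registry: one table shared by every origin.
class HandlerRegistry {
  constructor() {
    this.byScheme = new Map();
  }
  register(origin, scheme) {
    checkScheme(scheme); // gate on the scheme name only, not on who registers
    const origins = this.byScheme.get(scheme) || [];
    if (!origins.includes(origin)) origins.push(origin);
    this.byScheme.set(scheme, origins);
    return origins.length; // how many origins now claim this scheme
  }
}

// Classify constructed inputs as accepted (with the reason) or rejected.
function classify(schemes) {
  return schemes.map((s) => {
    try {
      return [s, checkScheme(s)];
    } catch (e) {
      return [s, e.name];
    }
  });
}

console.log(classify(["mailto", "web+mailto", "Web+mailto", "foo", "web+foo2"]));
const registry = new HandlerRegistry();
registry.register("https://a.example", "web+mailto");
console.log(registry.register("https://b.example", "web+mailto"));
```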