
Re: web+ and registerProtocolHandler

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 10 Sep 2012 08:56:51 -0700
Message-ID: <CAJE5ia-XxJnXPJXudi_m8UtFi=J9iDO47XHCU6ope5MSoT985w@mail.gmail.com>
To: Larry Masinter <masinter@adobe.com>
Cc: "michel@suignard.com" <michel@suignard.com>, "tony@att.com" <tony@att.com>, "plh@w3.org" <plh@w3.org>, "stpeter@stpeter.im" <stpeter@stpeter.im>, "adil@diwan.com" <adil@diwan.com>, "robin@berjon.com" <robin@berjon.com>, "ted.ietf@gmail.com" <ted.ietf@gmail.com>, "John O'Conner" <jooconne@adobe.com>, "presnick@qualcomm.com" <presnick@qualcomm.com>, Martin J. Dürst <duerst@it.aoyama.ac.jp>, "chris@lookout.net" <chris@lookout.net>, "public-ietf-w3c@w3.org" <public-ietf-w3c@w3.org>
It's just a practical issue.  Many folks have URI schemes registered
on their computers that are not safe for web sites to hijack (i.e.,
register).  It's not practical to create a blacklist that effectively
mitigates that risk.  As it happens, we are not aware of any folks who
have such registrations for URI schemes that begin with "web+".

Adam
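
The allow-list rule the thread is arguing about, written out as an added example (not code from the thread, the HTML spec, or any browser): a scheme is accepted only if it is on a short safelist or is "web+" followed by lowercase ASCII letters, next to the deny-list rule that would have to enumerate every scheme some local program might have registered. The safelist subset, `validateRegistration`, and the constructed `LOCAL_APP_SCHEME` are assumptions for illustration, and the same-origin check on the URL template is omitted.

```javascript
// Added example, not code from the thread or from any browser: the allow-list
// ("whitelist") rule that registerProtocolHandler() applies to a requested
// scheme, next to the deny-list rule the thread argues is unworkable.
// SAFELISTED_SCHEMES is an illustrative subset; real browsers keep their own list.

const SAFELISTED_SCHEMES = new Set([
  "mailto", "irc", "ircs", "magnet", "sms", "tel", "xmpp", "webcal", "geo",
]);

// Allow-list rule: a scheme is accepted only if it is on the safelist or is
// "web+" followed by one or more ASCII lowercase letters. Everything else,
// including any scheme some other application registered on the user's
// machine, is rejected without the browser having to know it exists.
function isAllowedScheme(scheme) {
  if (typeof scheme !== "string") return false;
  if (SAFELISTED_SCHEMES.has(scheme)) return true;
  return /^web\+[a-z]+$/.test(scheme);
}

// Deny-list rule, for contrast: anything not explicitly listed is accepted.
// The list can never be complete, because schemes are registered on end-user
// machines by software the browser vendor has never heard of.
const DENYLISTED_SCHEMES = new Set(["http", "https", "file", "javascript", "data"]);

function isAllowedSchemeDenylist(scheme) {
  return typeof scheme === "string" && !DENYLISTED_SCHEMES.has(scheme);
}

// Validation a registerProtocolHandler(scheme, url) implementation performs
// before offering the handler to the user (assumed simplification: the
// same-origin check on the URL template is omitted). Returns a result object
// instead of throwing the SecurityError / SyntaxError a browser would raise.
function validateRegistration(scheme, urlTemplate) {
  if (!isAllowedScheme(scheme)) {
    return { ok: false, reason: `scheme "${scheme}" is not web+ or safelisted` };
  }
  if (typeof urlTemplate !== "string" || !urlTemplate.includes("%s")) {
    return { ok: false, reason: "url template must contain %s" };
  }
  return { ok: true };
}

// Constructed scheme name standing in for one that a locally installed
// program might have registered; the allow-list rejects it, the deny-list
// would let a web page claim it.
const LOCAL_APP_SCHEME = "examplecorp-updater";

console.log(validateRegistration("web+coffee", "https://example.test/?u=%s"));
console.log(validateRegistration(LOCAL_APP_SCHEME, "https://example.test/?u=%s").reason);
console.log(isAllowedSchemeDenylist(LOCAL_APP_SCHEME)); // true: the deny-list does not know it
```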


On Mon, Sep 10, 2012 at 1:01 AM, Larry Masinter <masinter@adobe.com> wrote:
> since this affects ietf and w3c, and public-ietf-w3c is publicly archived,
> could someone explain why allowing registering arbitrary web+xxx scheme
> handlers is any better than allowing arbitrary (unblacklisted) xxx scheme
> handlers?
>
>
> -----Original message-----
>
> From: Adam Barth <w3c@adambarth.com>
> To: Larry Masinter <masinter@adobe.com>
> Cc: "michel@suignard.com" <michel@suignard.com>, Tony Hansen <tony@att.com>,
> Philippe Le Hegaret <plh@w3.org>, Peter Saint-Andre <stpeter@stpeter.im>,
> Adil Allawi <adil@diwan.com>, Robin Berjon <robin@berjon.com>, Ted Hardie
> <ted.ietf@gmail.com>, John O'Conner <jooconne@adobe.com>, Pete Resnick
> <presnick@qualcomm.com>, "Martin J. Dürst" <duerst@it.aoyama.ac.jp>, Chris
> Weber <chris@lookout.net>
> Sent: Sun, Sep 9, 2012 19:09:22 GMT+00:00
> Subject: RE: 85th IETF - Working Group/BOF/IRTF Scheduling - REMINDER
>
> We should discuss further on a publicly archived mailing list.
>
> Adam
>
> On Sep 9, 2012 12:00 PM, "Larry Masinter" <masinter@adobe.com> wrote:
>>
>> Why doesn't "web+" introduce all the same problems a blacklist approach
>> (where everything is allowed unless explicitly disallowed) introduces?
>> That's kind of what Chris' tests are showing.
>>
>> And what's the point, anyway, of a precise specification but leaving out
>> the necessary steps to implement the spec securely?
>>
>>
>>
>> -----Original Message-----
>> From: Adam Barth [mailto:w3c@adambarth.com]
>> Sent: Sunday, September 09, 2012 10:20 AM
>> To: Chris Weber
>> Cc: Larry Masinter; "Martin J. Dürst"; Peter Saint-Andre; Philippe Le
>> Hegaret; John O'Conner; Tony Hansen; Ted Hardie; michel@suignard.com; Adil
>> Allawi; Pete Resnick; Robin Berjon
>> Subject: Re: 85th IETF - Working Group/BOF/IRTF Scheduling - REMINDER
>>
>> Folks can be unhappy with a whitelist all they want.  A blacklist
>> isn't secure and we won't implement it.
>>
>> Adam
>>
>>
>> On Sun, Sep 9, 2012 at 12:11 AM, Chris Weber <chris@lookout.net> wrote:
>> > Thanks for the message Martin and Larry.  I will not be in Atlanta
>> > unfortunately, I'm guessing Peter will..?  I'd be happy to schedule
>> > some design meeting time for next week after the expiring drafts have
>> > been re-submitted.
>> >
>> > As far as web+xxx, I'm still afraid that a user fingerprinting and
>> > tracking risk exists - though I didn't test the
>> > isProtocolHandlerRegistered() method for exploitability because it
>> > didn't exist, I see Safari has implemented it now and Chrome and Firefox
>> > have some active bugs for tracking.
>> >
>> > Also, I notice that some developers are not happy with the whitelist vs
>> > blacklist approach: https://github.com/jquery/standards/issues/12
>> >
>> > -Chris
>> >
>> > On 9/8/2012 9:32 AM, Larry Masinter wrote:
>> >> I'm planning to go to IETF Atlanta (direct from W3C TPAC in Lyon)
>> >>
>> >> I'd like to better coordinate the IETF and W3C specs on URLs, IRIs,
>> >> etc. Doing so was my original motivation for revising these specs in the
>> >> first place.
>> >> I'd like to also see if we can make progress on "web+xxx" and (if it's
>> >> still in W3C specs) "http+aes".
>> >>
>> >> I see Chris is doing testing. Making progress on open issues was
>> >> stymied by lack of testing, so perhaps now that we have some testing
>> >> capabilities we can make more rapid progress.
>> >>
>> >> Larry
>> >>
>> >>
>> >> -----Original Message-----
>> >> From: "Martin J. Dürst" [mailto:duerst@it.aoyama.ac.jp]
>> >> Sent: Friday, September 07, 2012 8:10 PM
>> >> To: Peter Saint-Andre; Chris Weber
>> >> Cc: Larry Masinter; Tony Hansen; Ted Hardie; michel@suignard.com; Adil
>> >> Allawi; Pete Resnick
>> >> Subject: Fwd: 85th IETF - Working Group/BOF/IRTF Scheduling - REMINDER
>> >>
>> >> Dear IRI WG chairs,   (cc. to editors and AD)
>> >>
>> >> I'm sorry I haven't been able to get to this earlier (vacations and
>> >> following catch-up). We have to decide whether to request a meeting
>> >> slot at the upcoming 85th IETF or not.
>> >>
>> >> Like most of the previous IETFs, I will not be able to attend this one.
>> >> Who among you will be there? (my guesses are Pete 99%, Ted 98%, but
>> >> then quickly downwards from there).
>> >>
>> >> If it looks like we have enough participants who plan to attend (which
>> >> would include AT LEAST one chair), I'll do my best to participate
>> >> remotely. If many or most of you don't plan to attend, then it makes
>> >> more sense to not schedule a meeting.
>> >>
>> >> I have co-chaired an IETF WG (LTRU) that never met, so I know it's
>> >> possible to do work even without actual meetings.
>> >>
>> >> Regards,   Martin.
>> >>
>> >> P.S.: Of our four drafts, two (Guidelines and Registration Procedures,
>> >> Comparison and Canonicalization) are currently expired and one (Bidi)
>> >> is close to expiring. I'll resubmit Bidi and Comparison and
>> >> Canonicalization this weekend, and I hope that Tony, Ted, and Larry can
>> >> take care of Guidelines and Registration Procedures soon.
>> >>
>> >> P.P.S: I'm also looking forward to schedule some design team meetings
>> >> (or whatever we call them) to move things along.
>> >>
>> >> P.P.P.S: One of my students, Shunsuke Oshima, is working on an analysis
>> >> of bidi interactions between "separators" and "content characters" in
>> >> an extension of the analysis that Harald Alvestrand did for IDNA. He is
>> >> making steady progress, and I hope we can sooner or later use his
>> >> results for the Bidi document.
>> >>
>> >>
>> >>
>> >> -------- Original Message --------
>> >> Subject: 85th IETF - Working Group/BOF/IRTF Scheduling - REMINDER
>> >> Date: Fri, 07 Sep 2012 12:40:50 -0700
>> >> From: IETF Agenda <agenda@ietf.org>
>> >> To: Working Group Chairs <wgchairs@ietf.org>
>> >> CC: irsg@irtf.org
>> >>
>> >> -----------------------------------------------------------------
>> >> 85th IETF - Atlanta, GA, USA
>> >> Meeting Dates: November 4-9, 2012
>> >> Host: North American Cable Industry
>> >> -----------------------------------------------------------------
>> >> IETF meetings start Monday morning and run through Friday afternoon
>> >> (13:30).
>> >>
>> >> We are accepting scheduling requests for all Working Groups and BOFs
>> >> starting today.  The milestones and deadlines for scheduling-related
>> >> activities are as follows:
>> >>
>> >> NOTE: cutoff dates are subject to change.
>> >>
>> >> - 2012-09-10 (Monday): Cutoff date for requests to schedule Working
>> >> Group meetings at UTC 24:00. To request a Working Group session, use
>> >> the IETF Meeting Session Request Tool.
>> >> - 2012-09-24 (Monday): Cutoff date for BOF proposal requests to Area
>> >> Directors at UTC 24:00. To request a BOF, please see instructions on
>> >> Requesting a BOF.
>> >> - 2012-09-27 (Thursday): Cutoff date for Area Directors to approve BOFs
>> >> at UTC 24:00.
>> >> - 2012-10-04 (Thursday): Preliminary agenda published for comment.
>> >> - 2012-10-08 (Monday): Cutoff date for requests to reschedule Working
>> >> Group and BOF meetings UTC 24:00.
>> >> - 2012-10-08 (Monday): Working Group Chair approval for initial
>> >> document (Version -00) submissions appreciated by UTC 24:00.
>> >> - 2012-10-12 (Friday): Final agenda to be published.
>> >> - 2012-10-24 (Wednesday): Draft Working Group agendas due by UTC 24:00,
>> >> upload using IETF Meeting Materials Management Tool.
>> >> - 2012-10-29 (Monday): Revised Working Group agendas due by UTC 24:00,
>> >> upload using IETF Meeting Materials Management Tool.
>> >> - 2012-12-07 (Friday): Proceedings submission cutoff date by UTC 24:00,
>> >> upload using IETF Meeting Materials Management Tool.
>> >> - 2012-12-26 (Wednesday): Proceedings submission corrections cutoff
>> >> date by UTC 24:00, upload using IETF Meeting Materials Management Tool.
>> >>
>> >> Submitting Requests for Working Group and BOF Sessions
>> >>
>> >> Please submit requests to schedule your Working Group sessions using
>> >> the "IETF Meeting Session Request Tool," a Web-based tool for submitting
>> >> all of the information that the Secretariat requires to schedule your
>> >> sessions.
>> >>
>> >> The URL for the tool is:
>> >>
>> >> https://pub.ietf.org/sreq/
>> >>
>> >> Please send requests to schedule your BOF sessions to agenda@ietf.org.
>> >> Please include the acronym of your BOF in the subject line of the
>> >> message, and include all of the information specified in item (4) of
>> >> "Requesting Meeting Sessions at IETF Meetings" in the body.  (This
>> >> document is included below.)
>> >>
>> >> Submitting Session Agendas
>> >>
>> >> For the convenience of meeting attendees, we ask that you submit the
>> >> agendas for your Working Group sessions as early as possible.  Draft
>> >> Working Group agendas are due Wednesday, October 24, 2012 at UTC 24:00.
>> >> Revised Working Group agendas are due no later than Monday, October
>> >> 29, 2012 at UTC 24:00.  The proposed agenda for a BOF session should be
>> >> submitted along with your request for a session.  Please be sure to
>> >> copy your Area Director on that message.
>> >>
>> >> Please submit the agendas for your Working Group sessions using the
>> >> "IETF Meeting Materials Management Tool," a Web-based tool for making
>> >> your meeting agenda, minutes, and presentation slides available to the
>> >> community before, during, and after an IETF meeting.  If you are a BOF
>> >> chair, then you may use the tool to submit a revised agenda as well as
>> >> other materials for your BOF once the BOF has been approved.
>> >>
>> >> The URL for the tool is:
>> >>
>> >> https://pub.ietf.org/proceedings/
>> >>
>> >> Additional information about this tool is available at:
>> >>
>> >> http://www.ietf.org/instructions/meeting_materials_tool.html
>> >>
>> >> Agendas submitted via the tool will be available to the public on the
>> >> "IETF Meeting Materials" Web page as soon as they are submitted.
>> >>
>> >> The URL for the "IETF 85 Meeting Materials" Web page is:
>> >>
>> >> https://datatracker.ietf.org/meeting/85/materials.html
>> >>
>> >> If you are a Working Group chair, then you already have accounts on the
>> >> "IETF Meeting Session Request Tool" and the "IETF Meeting Materials
>> >> Management Tool."  The same User ID and password will work for both
>> >> tools.  If you are a BOF chair who is not also a Working Group chair,
>> >> then you will be given an account on the "IETF Meeting Materials
>> >> Management Tool" when your BOF has been approved.  If you require
>> >> assistance in using either tool, or wish to report a bug, then please
>> >> send a message to:
>> >> ietf-action@ietf.org.
>> >> ================================================
>> >> For your convenience, comprehensive information on requesting meeting
>> >> sessions at IETF 85 is presented below:
>> >>
>> >> 1. Requests to schedule Working Group sessions should be submitted
>> >> using the "IETF Meeting Session Request Tool," a Web-based tool for
>> >> submitting all of the information required by the Secretariat to
>> >> schedule your sessions.  The URL for the tool is:
>> >>
>> >> https://pub.ietf.org/sreq/
>> >>
>> >> Instructions for using the tool are available at:
>> >>
>> >> http://www.ietf.org/instructions/session_request_tool_instruction.html
>> >>
>> >> If you require an account on this tool, or assistance in using it, then
>> >> please send a message to ietf-action@ietf.org.  If you are unable to
>> >> use the tool, then you may send your request via e-mail to
>> >> agenda@ietf.org, with a copy to the appropriate Area Director(s).
>> >>
>> >> Requests to schedule BOF sessions must be sent to agenda@ietf.org with
>> >> a copy to the appropriate Area Director(s).
>> >>
>> >> When submitting a Working Group or BOF session request by e-mail,
>> >> please include the Working Group or BOF acronym in the Subject line.
>> >>
>> >> 2. BOFs will NOT be scheduled unless the Area Director(s) approved the
>> >> BOF. The proponents behind a BOF need to contact a relevant Area
>> >> Director, preferably well in advance of the BOF approval deadline date.
>> >> The AD needs to have the full name of the BOF, its acronym, suggested
>> >> names of chairs, an agenda, full description of the BOF and the
>> >> information covered in item 4. Please read RFC 5434 for instructions on
>> >> how to drive a successful BOF effort. The approval depends on, for
>> >> instance, Internet-Drafts and list discussion on the suggested topic.
>> >> BOF agenda requests, if approved, will be submitted to the IETF
>> >> Secretariat by the ADs.
>> >>
>> >> 3. A Working Group may request either one or two sessions.  If your
>> >> Working Group requires more than two sessions, then your request must
>> >> be approved by an Area Director.  Additional sessions will be assigned,
>> >> based on availability, after Monday, July 2, 2012 at 17:00 PT, the
>> >> cut-off date for requests to reschedule a session.
>> >>
>> >> 4. You MUST provide the following information before a Working Group or
>> >> BOF session will be scheduled:
>> >>
>> >>     a. Working Group or BOF full name with acronym in brackets:
>> >>
>> >>     b. AREA under which Working Group or BOF appears:
>> >>
>> >>     c. CONFLICTS you wish to avoid, please be as specific as possible:
>> >>
>> >>     d. Expected Attendance:
>> >>
>> >>     e. Special requests:
>> >>
>> >>     f. Number of sessions:
>> >>
>> >>     g. Length of session:
>> >>        - 1 hour
>> >>        - 1 1/2 hours
>> >>        - 2 hours
>> >>        - 2 1/2 hours
>> >>
>> >> For more information on scheduling Working Group and BOF sessions,
>> >> please refer to RFC 2418 (BCP 25), "IETF Working Group Guidelines and
>> >> Procedures" (http://www.ietf.org/rfc/rfc2418.txt).
>> >> ================================================
>> >> For your convenience please find here a list of the IETF Area Directors
>> >> with their e-mail addresses:
>> >>
>> >> IETF Chair
>> >> Russ Housley <housley@vigilsec.com>
>> >>
>> >> Applications Area (app)
>> >> Barry Leiba <barryleiba@computer.org>
>> >> Pete Resnick <presnick@qualcomm.com>
>> >>
>> >> Internet Area (int)
>> >> Ralph Droms <rdroms.ietf@gmail.com>
>> >> Brian Haberman <brian@innovationslab.net>
>> >>
>> >> Operations & Management Area (ops)
>> >> Ronald Bonica <rbonica@juniper.net>
>> >> Benoit Claise <bclaise@cisco.com>
>> >>
>> >> Real-time Applications and Infrastructure Area (rai)
>> >> Gonzalo Camarillo <gonzalo.camarillo@ericsson.com>
>> >> Robert Sparks <rjsparks@nostrum.com>
>> >>
>> >> Routing Area (rtg)
>> >> Stewart Bryant <stbryant@cisco.com>
>> >> Adrian Farrel <adrian@olddog.co.uk>
>> >>
>> >> Security Area (sec)
>> >> Stephen Farrell <stephen.farrell@cs.tcd.ie>
>> >> Sean Turner <turners@ieca.com>
>> >>
>> >> Transport Area (tsv)
>> >> Wesley Eddy <wes@mti-systems.com>
>> >> Martin Stiemerling <martin.stiemerling@neclab.eu>
>> >> ================================================
>> >> 84th IETF Meeting Attendance Number:
>> >>
>> >> Working Group - (Actual Attendance) - Number Requested
>> >> 6man - (130) - 150
>> >> 6renum - (60) - 75
>> >> abfab - (35) - 40
>> >> alto - (77)    - 100
>> >> apparea - (175) - 100
>> >> appsawg - (175) - 100
>> >> atoca - (18) - 25
>> >> avtcore - (74) - 100
>> >> avtcore 2nd session - (21) - 100
>> >> avtext - (37) - 100
>> >> behave - (53) - 80
>> >> bfcpbis - (20) - 40
>> >> bfd - (30) - 75
>> >> bmwg - (13) - 25
>> >> ccamp - (71) - 150
>> >> ccamp 2nd session - (62) - 150
>> >> cdni - (108) - 120
>> >> cdni 2nd session - (69) - 120
>> >> clue - (76) - 100
>> >> clue 2nd session - (49) - 100
>> >> conex - (47) - 100
>> >> core - (60) - 120
>> >> core 2nd session - (52) - 120
>> >> dane - (125) - 100
>> >> dhc - (76) - 75
>> >> dime - (25) - 30
>> >> dispatch - (54) - 125
>> >> dmm - (66) - 70
>> >> dnsop - (118) - 100
>> >> dsii BoF - (72) - 100
>> >> eai - (22) - 50
>> >> ecrit - (37) - 60
>> >> eman - (27) - 80
>> >> emu - (23) - 60
>> >> forces - (41)
>> >> geopriv - (34) - 50
>> >> grow - (49) - 90
>> >> homenet - (216) - 250
>> >> httpbis - (96) - 70
>> >> httpbis 2nd session - (92) - 70
>> >> hybi - (38) - 100
>> >> iccrg RG - (79) - 50
>> >> icnrg RG - (119) - 60
>> >> idr - (97) - 110
>> >> insipid - (36) - 40
>> >> intarea - (88) - 150
>> >> ipfix - (34) - 50
>> >> ipsecme - (36) - 50
>> >> IRTF Open Meeting - (195) - 200
>> >> jose - (46) - 90
>> >> karp - (52) - 100
>> >> l2vpn - (114) - 125
>> >> l3vpn - (102) - 100
>> >> l3vpn 2nd session - (41) - 100
>> >> lisp - (68) - 75
>> >> lwig - (56) - 80
>> >> manet - (41) - 50
>> >> mboned - (38) - 50
>> >> mif - (64) - 80
>> >> mile - (27) - 45
>> >> mmusic - (69) - 100
>> >> mpls - (186) - 200
>> >> mpls 2nd session - (80) - 200
>> >> mptcp - (39) - 70
>> >> multimob - (26) - 50
>> >> netconf - (49) - 40
>> >> netext - (43) - 70
>> >> netmod - (31) - 50
>> >> nfsv4 - (22) - 25
>> >> ntp - (40) - 40
>> >> nvo3 BoF - (244) - 150
>> >> oauth - (72) - 50
>> >> opsarea - (78) - 100
>> >> opsawg - (78) - 100
>> >> opsec - (64) - 100
>> >> ospf - (42) - 80
>> >> p2psip - (27) - 60
>> >> paws - (32) - 35
>> >> pce - (51) - 80
>> >> pcp - (71) - 75
>> >> pcp 2nd session - (36) - 75
>> >> pim - (30) - 50
>> >> pkix - (43) - 50
>> >> ppsp - (18) - 50
>> >> precis - (27) - 35
>> >> pwe3 - (85) - 120
>> >> radext - (21) - 25
>> >> rfcform BoF - (99) - 100
>> >> rmcat BoF - (123) - 100
>> >> rmt - (10) - 30
>> >> rtcweb - (165) - 150
>> >> rtcweb 2nd session - (141) - 150
>> >> rtgarea - (169) - 120
>> >> rtgwg - (80) - 100
>> >> saag - (120) - 125
>> >> sdnrg - (203) - 100
>> >> sidr - (64) - 120
>> >> sipcore - (49) - 70
>> >> siprec - (26) - 40
>> >> soc - (40) - 50
>> >> softwire - (67) - 100
>> >> straw - (43) - 60
>> >> sunset4 - (147) - 200
>> >> tcpm - (47) - 60
>> >> tictoc - (19) - 40
>> >> tls - (59) - 50
>> >> trill - (42) - 85
>> >> trill 2nd session - (37) - 85
>> >> tsvarea - (138) - 200
>> >> tsvwg - (38) - 75
>> >> v6ops - (146) - 300
>> >> v6ops 2nd session - (130) - 300
>> >> websec - (85) - 110
>> >> weirds BoF - (62) - 100
>> >> xmpp - (29) - 40
>> >> xrblock - (19) - 40
>> >>
Received on Monday, 10 September 2012 15:57:56 GMT
