- From: Adam Barth <w3c@adambarth.com>
- Date: Sun, 16 Sep 2012 08:31:48 -0700
- To: Alexey Melnikov <alexey.melnikov@isode.com>
- Cc: Larry Masinter <masinter@adobe.com>, "Martin J. Dürst" <duerst@it.aoyama.ac.jp>, Peter Saint-Andre <stpeter@stpeter.im>, "michel@suignard.com" <michel@suignard.com>, "tony@att.com" <tony@att.com>, "plh@w3.org" <plh@w3.org>, "adil@diwan.com" <adil@diwan.com>, "robin@berjon.com" <robin@berjon.com>, "ted.ietf@gmail.com" <ted.ietf@gmail.com>, "John O'Conner" <jooconne@adobe.com>, "presnick@qualcomm.com" <presnick@qualcomm.com>, "chris@lookout.net" <chris@lookout.net>, "public-ietf-w3c@w3.org" <public-ietf-w3c@w3.org>
On Sat, Sep 15, 2012 at 5:53 AM, Alexey Melnikov <alexey.melnikov@isode.com> wrote:
> On 14/09/2012 20:44, Adam Barth wrote:
>> Yes. Registering URI schemes is too hard. If it were easier, we'd
>> register a bunch of URI schemes that we use in Chrome.
>
> Have you or one of your co-workers tried to register and got a rejection
> from the Expert Reviewer? Have you tried a Permanent or a Provisional
> registration?

I'm not sure, but I'll give it a try this week.

Adam

>> On Fri, Sep 14, 2012 at 12:20 PM, Larry Masinter <masinter@adobe.com>
>> wrote:
>>>
>>> I think we should be more careful with terminology.
>>> "Whitelist" -- all values are forbidden except ones explicitly in a
>>> (finite, enumerated) "white list", so a whitelist allows a small subset,
>>> and disallows everything in an arbitrarily large set.
>>> "blacklist" -- all values are allowed except ones explicitly in a
>>> (finite, enumerated) "black list", so a blacklist disallows a small subset,
>>> and allows everything else in an arbitrarily large set.
>>>
>>> The pros and cons of the two approaches have to do with what is deployed
>>> and what is known to be deployed and has been evaluated as "safe to
>>> override",
>>> as well as what we imagine might be useful to allow.
>>>
>>> The "web+" convention is hybrid, it's not a "blacklist" and it's not
>>> really a "whitelist" either. While it's like a whitelist explicitly allows
>>> one small, enumerated, known-in-advance set (which seems pretty arbitrary
>>> and without justification), but it also allows another arbitrarily large
>>> set.
>>>
>>> The notion is that anything using "web+" should be, by definition, safe
>>> to override with registerProtocolHandler.
>>>
>>> Part of the question is whether anyone defining a web+ scheme will
>>> actually register it, or will look at the registry to determine if anyone is
>>> using it.
>>> Right now, browsers (Chrome, Safari) define URI schemes and use them
>>> without any significant effort to register them. Why is there any
>>> expectation that this will change? So the notion that the registration
>>> process can somehow enforce invariants for security reasons is suspect.
>>>
>>> Probably the disagreement about the value of and venue for
>>> registration is the more important "elephant in the room".
>>>
>>> Larry
>
>
Received on Sunday, 16 September 2012 15:32:49 UTC