[whatwg] Registering protocol handlers from Christian Biesinger on 2006-04-13 (public-whatwg-archive@w3.org from April 2006)

From: Christian Biesinger <cbiesinger@web.de>
Date: Thu, 13 Apr 2006 23:48:46 +0200
Message-ID: <443EC73E.7090609@web.de>

Hi,

so, the latest WhatWG spec has a way to register protocol handlers:
http://whatwg.org/specs/web-apps/current-work/#browser

Its specification seems to have some issues:
- The mimeType argument description says "If mimeType values passed to 
this method include characters such as commas or whitespace"

It seems to me that using "such as" in a normative part of the 
specification is a rather bad idea. This also doesn't define what to do 
with syntactically malformed types (throw an exception or do nothing?).

(Are schemes ever syntactically invalid as far as this method is 
concerned, and should an exception be thrown if they are?)

- The spec doesn't say what should happen if multiple pages try to 
register a handler, but maybe that's intentional (should it say that 
this is outside the scope of the spec?)

- The character set that should be used before escaping the URI is not 
defined. I assume it's UTF-8 (for all parts of the URI, including the 
query)?

- Which characters should be escaped? The example that's later given 
seems to imply "everything that's not an ASCII alphanumeric character". 
Is that the right interpretation?

- What should happen with a syntactically malformed URI? Exception or 
silently do nothing?

- The section "4.10.2.1. Security and privacy concerns [...]" has an 
informative-sounding heading but does in fact seem to have normative 
statements like "User agents must never send username or password 
information in the URIs that are escaped and included sent to the 
handler sites."

- It also doesn't define what exactly the registered handlers should be 
applied to (just link clicks/loads initiated from URL bar and similar), 
or also embedded content, but this seems to be intentional?

But maybe all that doesn't matter so much, given:
"User agents may do whatever they like when the methods are called."
"This section does not define how the pages registered by these methods 
are used."
???

Is this feature a serious part of the spec? Why bother specifying the 
above when UAs can ignore it or parts of it anyway? With this amount of 
undefined behaviour, there doesn't seem to be any hope for interoperability.

-biesi
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4762 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20060413/8a3ff2b2/attachment.bin>

Received on Thursday, 13 April 2006 14:48:46 UTC