
[whatwg] Blacklist for registerProtocolHandler()

From: Lachlan Hunt <lachlan.hunt@lachy.id.au>
Date: Tue, 12 Apr 2011 16:18:06 +0200
Message-ID: <4DA45F1E.6020706@lachy.id.au>
Hi,
   We are investigating registerProtocolHandler and have been discussing 
the need for a blacklist of protocols to forbid.

Our list currently includes:
* http:
* https:
* ftp:
* file:

* about:
* data:

Email specific schemes:
* cid:
* mid:

Scripting schemes:
* javascript:
* vbscript:

Ancient Netscape scripting schemes. Some were apparently aliases for 
javascript:
* mocha:
* livescript:
* livewire:
* tcl:

Also, implementers need to take care with vendor-specific schemes:
* chrome: (Mozilla, Chrome)
* view-source: (Mozilla, Chrome)
* res: (IE)
* resource: (Mozilla)
* opera: (Opera)
* attachment: (Opera)
(This list is probably incomplete)

We'd like to know if we've missed any important schemes that must be 
blocked, and we think it might be useful if the spec listed most of 
those, except for the vendor specific schemes, which should probably be 
left up to each vendor to worry about.

-- 
Lachlan Hunt - Opera Software
http://lachy.id.au/
http://www.opera.com/
Received on Tuesday, 12 April 2011 07:18:06 GMT
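
The following is an added example, not part of the original message and not code from any browser or the spec: a sketch of how a user agent could apply the blocklist above when a page asks to register a handler. All function and constant names are hypothetical; the vendor table follows the parenthetical annotations in the message, and the case-insensitive normalisation and RFC 3986 syntax check are assumptions added here so that variants such as `JavaScript:` are rejected too.

```javascript
// Added example; names are hypothetical. Scheme lists are copied from the message.

// Cross-vendor schemes, grouped as the message groups them.
const BLOCKED_SCHEMES = new Map([
  ...["http", "https", "ftp", "file", "about", "data"].map(s => [s, "core"]),
  ...["cid", "mid"].map(s => [s, "email"]),
  ...["javascript", "vbscript"].map(s => [s, "scripting"]),
  ...["mocha", "livescript", "livewire", "tcl"].map(s => [s, "legacy-scripting"]),
]);

// Vendor-specific schemes; the message notes this list is probably incomplete.
const VENDOR_SCHEMES = new Map([
  ["mozilla", ["chrome", "view-source", "resource"]],
  ["chrome", ["chrome", "view-source"]],
  ["ie", ["res"]],
  ["opera", ["opera", "attachment"]],
]);

// RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
const SCHEME_SYNTAX = /^[a-z][a-z0-9+.-]*$/;

// Lowercase (schemes are case-insensitive) and accept one optional trailing
// colon. Anything else that fails the syntax check is rejected, so embedded
// whitespace or control characters fail closed instead of slipping past.
function normalizeScheme(input) {
  if (typeof input !== "string") return null;
  const s = input.toLowerCase().replace(/:$/, "");
  return SCHEME_SYNTAX.test(s) ? s : null;
}

// Decide whether a page may register a handler for `input` in a browser
// from `vendor`. Returns the blocklist group that matched, if any.
function checkHandlerScheme(input, vendor) {
  const scheme = normalizeScheme(input);
  if (scheme === null) return { allowed: false, reason: "invalid-syntax" };
  if (BLOCKED_SCHEMES.has(scheme)) {
    return { allowed: false, reason: BLOCKED_SCHEMES.get(scheme) };
  }
  const vendorList = VENDOR_SCHEMES.get(vendor) || [];
  if (vendorList.includes(scheme)) {
    return { allowed: false, reason: "vendor-specific" };
  }
  return { allowed: true, reason: null };
}
```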
