W3C home > Mailing lists > Public > whatwg@whatwg.org > April 2011

[whatwg] Blacklist for regsiterProtocolHandler()

From: timeless <timeless@gmail.com>
Date: Mon, 18 Apr 2011 23:39:37 +0300
Message-ID: <BANLkTinML5syOhxL2ftuLLHoREJwOKbgaw@mail.gmail.com>
On Tue, Apr 12, 2011 at 5:18 PM, Lachlan Hunt <lachlan.hunt at lachy.id.au> wrote:
> ?We are investigating registerProtocolHandler and have been discussing the
> need for a blacklist of protocols to forbid.
>
> Our list currently includes:
> * http:
> * https:
> * ftp:
> * file:
>
> * about:
> * data:
>
> Email specific schemes:
> * cid:
> * mid:
>
> Scripting schemes:
> * javascript:
> * vbscript:
>
> Ancient Netscape scripting schemes. some were apparently aliases for
> javascript:
> * mocha:
> * livescript:
> * livewire:
> * tcl:
>
> Also, implementers need to be take care with vendor specific schemes:
> * chrome: (Mozilla, Chrome)
> * view-source: (Mozilla, Chrome)
> * res: (IE)
> * resource: (Mozilla)
> * opera: (Opera)
> * attachment: (Opera)
> (This list is probably incomplete)
>
> We'd like to know if we've missed any important schemes that must be
> blocked, and we think it might be useful if the spec listed most of those,
> except for the vendor specific schemes, which should probably be left up to
> each vendor to worry about.

possibly "mthml:" (Windows)

I should go fish for a list sometime. Poke me in two weeks?
Received on Monday, 18 April 2011 13:39:37 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 30 January 2013 18:48:03 GMT