W3C home > Mailing lists > Public > whatwg@whatwg.org > April 2011

[whatwg] Disallowing dots in the protocol argument of registerProtocolHandler()

From: Aryeh Gregor <Simetrical+w3c@gmail.com>
Date: Thu, 21 Apr 2011 15:16:03 -0400
Message-ID: <BANLkTinDapJ+cGQJV_pfC0wcGPg=N_bh2g@mail.gmail.com>
On Tue, Apr 19, 2011 at 9:51 AM, Wilhelm Joys Andersen
<wilhelmja at opera.com> wrote:
> . . .
> After running the lines of script above, typing any of the
> following URLs will lead the user to evilsite.tld:
>
> ? mail.google.com:80/mail/
> ? 192.168.1.1:80
> . . .
> To save ourselves (and our users) from possible future headaches,
> we have decided to disallow the use of dots in the protocol argument
> of registerProtocolHandler().

It was pointed out on IRC
<http://krijnhoetmer.nl/irc-logs/whatwg/20110415#l-734> that it would
make sense to also ban the string "localhost", as the only common
domain name that contains no dots.
Received on Thursday, 21 April 2011 12:16:03 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 30 January 2013 18:48:03 GMT