Re: HTML5 proposes introduction of new family of URI schemes

On 2012/01/20 19:30, Julian Reschke wrote:
> On 2012-01-20 10:50, "Martin J. Dürst" wrote:

>> I think I tried to explain this to you, but the intent is NOT to have
>> new schemas with web+ in parallel to already existing ones. The intent
>> is just to identify the fact that a *totally new* scheme can be used in
>> Web applications with a web+ prefix. For existing schemas, the current
>> whitelist is supposed to cover those that are suitable for use with Web
>> applications. So this point is largely moot.
>
> Not really, unless it's easy to change the whitelist (and their
> implementation).

I agree that a weekness of the current spec (both for the whitelist and 
the web+ prefix) is that schemes can't move from one category to the 
other easily. Alternatives such as a flag in the scheme registry would 
be different in this respect.


>> Using a web+ scheme does *NOT* mean that these schemes are intended for
>> exclusive use with Web applications. That would indeed be a bad idea.
>> The web+ is just a sign that tells the Web browser that if a Web page
>> asks the Web browser to be the responsible "handler" page for that
>> scheme, the Web browser is allowed to ask the user. The same applies for
>> schemes on the whitelist.
>
> Is it "allowed" to asked, or "required"?

Well, the spec says what to do when the API is called, and if you don't, 
you're not conforming, so I guess in that sense, it's "required". But I 
don't think a browser maker would hesitate to add schemes to the 
blocking list if they discovered that there was a vulnerability.


> If the browser is going to ask
> anyway, why not simple allow all schemes? It's not materially different
> from any application installing a new scheme handler.

In another mail, you said that the later required admin privileges. That 
may count as an additional security check. Apparently whoever wrote the 
text in the HTML5 spec thought that it would be too risky to allow all 
schemes, and that even if some schemes were allowed, the spec better be 
very clear that the user has to be told that this is an important 
decision, not a routine click-through. I'm not exactly sure what the 
considerations behind this were, it may be some serious concern and 
"best effort", it may be just an attempt at being able to deflect 
responsibility from the spec and the browser makers, or something else.y

Regards,    Martin.

Received on Friday, 20 January 2012 10:47:39 UTC