Re: Registering the about: URI scheme

Lachlan, Joseph,

what's the status here? Are you planning to submit a new draft?

And when do you plan to follow up on the uri-review mailing list?

Best regards, Julian


Lachlan Hunt wrote:
> Joseph A Holsten wrote:
>> I've posted the merged version of Lachlan and my drafts here:
>>     
>> http://josephholsten.com/about-uri-scheme/draft-holsten-about-uri-scheme.txt 
>>
>> with inline comments and editing marks in html here:
>>     
>> http://josephholsten.com/about-uri-scheme/draft-holsten-about-uri-scheme.html 
>>
>> and source control here:
>>     http://github.com/josephholsten/about-uri-scheme/
> 
> I have ACTION-103 [1] assigned to me to follow up on this, which is due 
> this Thursday.  I have reviewed the draft once again, and I think the
> following changes should be made:
> 
> 1. Remove about:internets from the list of examples.  It was mentioned
>    earlier that this was being removed from Google Chrome due to its
>    lack of support on any platform other than Windows XP, and I don't
>    think it makes sense to highlight about URIs with such a limited
>    utility.
> 
> 
> 2. The Wikipedia article "about: URI Scheme" is mentioned, but there is
>    no link provided to it.  Please add a reference to it:
> 
>    http://en.wikipedia.org/wiki/About:_URI_scheme
> 
> 
> 3. The security considerations section seems incomplete.
> 
> It contains a quote from HTML5 about the origin and a link to the WHATWG
> copy of the spec.  If it is going to reference HTML5, then it should 
> reference the W3C copy, rather than the editor draft.
> 
> I'm unsure how the first paragraph in this section is describing a 
> security related issue:
> 
>   "There is no guarantee that an application will understand any about
>    URI provided to it. An about URI may not resolve to the expected
>    resource. If the reference is unlikely to resolve correctly, the
>    reference should be accompanied by an explanation or alternatives."
> 
> Either clarify that or remove it.
> 
> In the second paragraph, it states:
> 
>   "An application should not execute or display information in an about
>    URI."
> 
> I'm not entirely sure what that's trying to say.  When it comes to 
> executing code in a resource identified by an about: URI, perhaps it 
> should say that they should not execute untrusted code.  Both Firefox 
> and Opera execute scripts in their about:config pages, for example.
> 
>   "About URIs may identify resources which show sensitive information.
>    This data SHOULD NOT be exposed in about URIs."
> 
> I'm not sure what the purpose of that statement is either.  In what way 
> would sensitive information in a resource be exposed in a URI?
> 
> 
> This is a proposed replacement for the security considerations section:
> 
> ---
> 
>   The origin and the effective script origin of a resource identified by
>   an about URI MUST be determined as defined by HTML 5 [HTML5].
> 
>   The origin of the about:blank Document is set when the Document is
>   created. If the new browsing context has a creator browsing context,
>   then the origin of the about:blank Document is the origin of the
>   creator Document. Otherwise, the origin of the about:blank Document
>   is a globally unique identifier assigned when the new browsing context
>   is created.
> 
>   About URIs should not cause the application to modify any data.
>   Applications should not use about URIs to access, or erase files or
>   other sensitive information.
> 
>   About URIs may identify resources that contain sensitive information.
>   Applications should ensure appropriate restrictions are in place
>   to protect such information from access or modification by untrusted
>   sources.
> 
>   [HTML5] http://www.w3.org/TR/html5/
> 
> ---
> 
> 4. In section 6, IANA Considerations, the Interoperability
>    Considerations part says:
> 
>   "...Other about URIs should only be expected to work correctly within
>    the same application."
> 
> That doesn't make any sense to me.  I think it should be removed.  I
> think the preceding sentence says enough on its own without that.
> 
> 
> Once these issues are cleaned up, I think we'll be ready to go ahead and 
> get it published and register the scheme.
> 
> [1] http://www.w3.org/html/wg/tracker/actions/103
> 

Received on Thursday, 2 April 2009 16:16:28 UTC
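
The about:blank origin rule in the proposed replacement text above, as an added JavaScript model that is not part of the original messages or the draft. The class and function names are hypothetical, the host names are constructed, and the model keeps one Document per browsing context.

```javascript
// Toy model of the about:blank origin rule (added example, not browser code).
let opaqueCounter = 0;

// A "globally unique identifier" origin: equal only to itself.
function newOpaqueOrigin() {
  return Object.freeze({ opaque: true, id: ++opaqueCounter });
}

// (scheme, host, port) origin for a hierarchical URL such as https://...
function tupleOrigin(url) {
  const u = new URL(url);
  const defaults = { "http:": "80", "https:": "443" };
  return Object.freeze({ opaque: false, scheme: u.protocol, host: u.hostname,
                         port: u.port || defaults[u.protocol] || "" });
}

function sameOrigin(a, b) {
  if (a.opaque || b.opaque) return a === b; // identity only
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

class BrowsingContext {
  // creator: the BrowsingContext that created this one, or null for none.
  constructor(url, creator = null) {
    if (url === "about:blank") {
      // Origin is fixed here, when the Document is created.
      this.origin = creator ? creator.origin : newOpaqueOrigin();
    } else {
      this.origin = tupleOrigin(url);
    }
  }
  // Simplification: navigation in this model handles only http(s) URLs.
  navigate(url) { this.origin = tupleOrigin(url); }
}

function demo() {
  const page = new BrowsingContext("https://app.example.com/");
  const frame = new BrowsingContext("about:blank", page);
  const nested = new BrowsingContext("about:blank", frame);
  const tabA = new BrowsingContext("about:blank");
  const tabB = new BrowsingContext("about:blank");
  const inheritedBefore = sameOrigin(frame.origin, page.origin);
  page.navigate("https://other.example.org/"); // creator moves on afterwards
  return { inheritedBefore,
    nestedInherits: sameOrigin(nested.origin, frame.origin),
    keptAfterCreatorNavigates: sameOrigin(frame.origin, tupleOrigin("https://app.example.com/")),
    followsCreator: sameOrigin(frame.origin, page.origin),
    tabsShareOrigin: sameOrigin(tabA.origin, tabB.origin),
    tabSameAsItself: sameOrigin(tabA.origin, tabA.origin) };
}
```

The two creator-less about:blank contexts never compare equal, which is what keeps unrelated blank tabs from reaching into each other.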