- From: Joseph A Holsten <joseph@josephholsten.com>
- Date: Fri, 3 Apr 2009 14:54:09 -0500
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: Lachlan Hunt <lachlan.hunt@lachy.id.au>, public-html <public-html@w3.org>

A new draft should be published very soon. Once that's up, I intend to discuss registration on uri-review.

I've still got a few outstanding questions about handling unknown about URIs, whether the reference to HTML5 should be normative, and the appropriate origin policy for about URIs besides about:blank. Just minor issues.

If you'd like to see the changes so far, see
http://github.com/josephholsten/about-uri-scheme/commits/master/

On Apr 2, 2009, at 11:15 AM, Julian Reschke wrote:

> Lachlan, Joseph,
>
> what's the status here? Are you planning to submit a new draft?
>
> And when do you plan to follow up on the uri-review mailing list?
>
> Best regards, Julian
>
>
> Lachlan Hunt wrote:
>> Joseph A Holsten wrote:
>>> I've posted the merged version of Lachlan and my drafts here:
>>> http://josephholsten.com/about-uri-scheme/draft-holsten-about-uri-scheme.txt
>>> with inline comments and editing marks in html here:
>>> http://josephholsten.com/about-uri-scheme/draft-holsten-about-uri-scheme.html
>>> and source control here:
>>> http://github.com/josephholsten/about-uri-scheme/
>>
>> I have ACTION-103 [1] assigned to me to follow up on this, which is
>> due this thursday. I have reviewed the draft once again, and I
>> think the following changes should be made:
>>
>> 1. Remove about:internets from the list of examples. It was mentioned
>> earlier that this was being removed from Google Chrome due to its
>> lack of support on any platform other than Windows XP, and I don't
>> think it makes sense to highlight about URIs with such a limited
>> utility.
>>
>> 2. The Wikipedia article "about: URI Scheme" is mentioned, but there is
>> no link provided to it. Please add a reference to it:
>> http://en.wikipedia.org/wiki/About:_URI_scheme
>>
>> 3. The security considerations section seems incomplete.
>>
>> It contains a quote from HTML5 about the origin and a link to the
>> whatwg copy of the spec. If it is going to reference HTML5, then
>> it should reference the W3C copy, rather than the editor draft.
>>
>> I'm unsure how the first paragraph in this section is describing a
>> security related issue:
>>
>> "There is no guarantee that an application will understand any about
>> URI provided to it. An about URI may not resolve to the expected
>> resource. If the reference is unlikely to resolve correctly, the
>> reference should be accompanied by an explanation or alternatives."
>>
>> Either clarify that or remove it.
>>
>> In the second paragraph, it states:
>>
>> "An application should not execute or display information in an about
>> URI."
>>
>> I'm not entirely sure what that's trying to say. When it comes to
>> executing code in a resource identified by an about: URI, perhaps
>> it should say that they should not execute untrusted code. Both
>> Firefox and Opera execute scripts in their about:config pages, for
>> example.
>>
>> "About URIs may identify resources which show sensitive information.
>> This data SHOULD NOT be exposed in about URIs."
>>
>> I'm not sure what the purpose of that statement is either. In what
>> way would sensitive information in a resource be exposed in a URI?
>>
>> This is a proposed replacement for the security considerations
>> section:
>>
>> ---
>> The origin and the effective script origin of a resource identified by
>> an about URI MUST be determined as defined by HTML 5 [HTML5].
>>
>> The origin of the about:blank Document is set when the Document is
>> created. If the new browsing context has a creator browsing context,
>> then the origin of the about:blank Document is the origin of the
>> creator Document. Otherwise, the origin of the about:blank Document
>> is a globally unique identifier assigned when the new browsing context
>> is created.
>>
>> About URIs should not cause the application to modify any data.
>> Applications should not use about URIs to access, or erase files or
>> other sensitive information.
>>
>> About URIs may identify resources that contain sensitive information.
>> Applications should ensure appropriate restrictions are in place
>> to protect such information from access or modification by untrusted
>> sources.
>>
>> [HTML5] http://www.w3.org/TR/html5/
>> ---
>>
>> 4. In section 6, IANA Considerations, the Interoperability
>> Considerations part says:
>>
>> "...Other about URIs should only be expected to work correctly within
>> the same application."
>>
>> That doesn't make any sense to me. I think it should be removed.
>> I think the preceding sentence says enough on its own without that.
>>
>> Once these issues are cleaned up, I think we'll be ready to go
>> ahead and get it published and register the scheme.
>>
>> [1]
>

Received on Friday, 3 April 2009 19:55:22 UTC
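
The about:blank origin rule in the proposed Security Considerations text quoted above, modelled as an added example (not part of the message or of the draft). The function names and the sample documents are constructed for illustration; the model covers only the origin assignment and a same-origin scripting check.

```javascript
// Hypothetical model of: "the origin of the about:blank Document is the
// origin of the creator Document. Otherwise [...] a globally unique identifier".

// An ordinary (scheme, host, port) origin.
function tupleOrigin(scheme, host, port) {
  return { kind: "tuple", scheme, host, port };
}

// The "globally unique identifier" case: equal only to itself.
function uniqueOrigin() {
  return { kind: "unique", id: Symbol("unique origin") };
}

// The origin is fixed when the Document is created.
// creatorDocument is null when there is no creator browsing context.
function createAboutBlank(creatorDocument) {
  const origin = creatorDocument ? creatorDocument.origin : uniqueOrigin();
  return { url: "about:blank", origin };
}

function sameOrigin(a, b) {
  if (a.kind !== b.kind) return false;
  if (a.kind === "unique") return a.id === b.id;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Check an application could apply before one document scripts another.
function mayScript(accessor, target) {
  return sameOrigin(accessor.origin, target.origin);
}

// Constructed sample documents.
const page = { url: "https://app.example/", origin: tupleOrigin("https", "app.example", 443) };
const other = { url: "https://other.example/", origin: tupleOrigin("https", "other.example", 443) };

const childFrame = createAboutBlank(page);   // created by `page`
const nested = createAboutBlank(childFrame); // created by an about:blank document
const topLevelA = createAboutBlank(null);    // no creator browsing context
const topLevelB = createAboutBlank(null);

for (const [label, a, b] of [
  ["creator -> its about:blank", page, childFrame],
  ["creator -> nested about:blank", page, nested],
  ["other site -> about:blank of page", other, childFrame],
  ["top-level about:blank -> another one", topLevelA, topLevelB],
]) {
  console.log(label + ": " + (mayScript(a, b) ? "allowed" : "denied"));
}
```

Two about:blank documents with the same URL can therefore sit in different origins, so an access decision has to be made on the assigned origin and never on the URL string.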