Re: Registering the about: URI scheme

A new draft should be published very soon. Once that's up, I intend to  
discuss registration on uri-review. I've still got a few outstanding  
questions about handling unknown about URIs, whether the reference to  
HTML5 should be normative, and the appropriate origin policy for about  
URIs besides about:blank. Just minor issues.

If you'd like to see the changes so far, see

On Apr 2, 2009, at 11:15 AM, Julian Reschke wrote:

> Lachlan, Joseph,
> what's the status here? Are you planning to submit a new draft?
> And when do you plan to follow up on the uri-review mailing list?
> Best regards, Julian
> Lachlan Hunt wrote:
>> Joseph A Holsten wrote:
>>> I've posted the merged version of Lachlan and my drafts here:
>>> with inline comments and editing marks in html here:
>>> and source control here:
>> I have ACTION-103 [1] assigned to me to follow up on this, which is  
>> due this thursday.  I have reviewed the draft once again, and I  
>> think the following changes should be made:
>> 1. Remove about:internets from the list of examples.  It was mentioned
>>   earlier that this was being removed from Google Chrome due to its
>>   lack of support on any platform other than Windows XP, and I don't
>>   think it makes sense to highlight about URIs with such a limited
>>   utility.
>> 2. The Wikipedia article "about: URI Scheme" is mentioned, but there is
>>   no link provided to it.  Please add a reference to it:
>> 3. The security considerations section seems incomplete.
>> It contains a quote from HTML5 about the origin and a link to the  
>> whatwg copy of the spec.  If it is going to reference HTML5, then  
>> it should reference the W3C copy, rather than the editor draft.
>> I'm unsure how the first paragraph in this section is describing a  
>> security related issue:
>>  "There is no guarantee that an application will understand any about
>>   URI provided to it. An about URI may not resolve to the expected
>>   resource. If the reference is unlikely to resolve correctly, the
>>   reference should be accompanied by an explanation or alternatives."
>> Either clarify that or remove it.
>> In the second paragraph, it states:
>>  "An application should not execute or display information in an about
>>   URI."
>> I'm not entirely sure what that's trying to say.  When it comes to  
>> executing code in a resource identified by an about: URI, perhaps  
>> it should say that they should not execute untrusted code.  Both  
>> Firefox and Opera execute scripts in their about:config pages, for  
>> example.
>>  "About URIs may identify resources which show sensitive information.
>>   This data SHOULD NOT be exposed in about URIs."
>> I'm not sure what the purpose of that statement is either.  In what  
>> way would sensitive information in a resource be exposed in a URI?
>> This is a proposed replacement for the security considerations  
>> section:
>> ---
>>  The origin and the effective script origin of a resource identified by
>>  an about URI MUST be determined as defined by HTML 5 [HTML5].
>>  The origin of the about:blank Document is set when the Document is
>>  created. If the new browsing context has a creator browsing context,
>>  then the origin of the about:blank Document is the origin of the
>>  creator Document. Otherwise, the origin of the about:blank Document
>>  is a globally unique identifier assigned when the new browsing context
>>  is created.
>>  About URIs should not cause the application to modify any data.
>>  Applications should not use about URIs to access, or erase files or
>>  other sensitive information.
>>  About URIs may identify resources that contain sensitive information.
>>  Applications should ensure appropriate restrictions are in place
>>  to protect such information from access or modification by untrusted
>>  sources.
>>  [HTML5]
>> ---
>> 4. In section 6, IANA Considerations, the Interoperability
>>   Considerations part says:
>>  "...Other about URIs should only be expected to work correctly within
>>   the same application."
>> That doesn't make any sense to me.  I think it should be removed.  
>> I think the preceding sentence says enough on its own without that.
>> Once these issues are cleaned up, I think we'll be ready to go  
>> ahead and get it published and register the scheme.
>> [1]

Received on Friday, 3 April 2009 19:55:22 UTC
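
The about:blank origin rule in the proposed Security Considerations text quoted above, as an added example that is not part of the original message or of the draft: a small JavaScript model showing that the URL alone never decides the origin of an about:blank Document. The object shapes, the function names (`createBlankContext`, `sameOrigin`, `contextFor`) and the `app.example` / `other.example` hosts are assumptions made for illustration.

```javascript
// Added model of the about:blank origin rule; all names are hypothetical.
let nextOpaqueId = 0;

// Tuple origin of an ordinary Document (scheme, host, port).
function tupleOrigin(scheme, host, port) {
  return { kind: "tuple", scheme, host, port };
}

// "Globally unique identifier": a fresh value that is equal only to itself.
function uniqueOrigin() {
  nextOpaqueId += 1;
  return { kind: "opaque", id: nextOpaqueId };
}

function sameOrigin(a, b) {
  if (a.kind === "opaque" || b.kind === "opaque") return a === b;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

function contextFor(url, origin) {
  return { creator: null, document: { url, origin } };
}

// New browsing context whose initial Document is about:blank.
// The origin is fixed here, at creation, from the creator (if any).
function createBlankContext(creator) {
  const origin = creator ? creator.document.origin : uniqueOrigin();
  return { creator, document: { url: "about:blank", origin } };
}

// Constructed scenario: two sites each open an about:blank frame, and
// two about:blank contexts are created with no creator at all.
function demo() {
  const app = contextFor("https://app.example/", tupleOrigin("https", "app.example", 443));
  const other = contextFor("https://other.example/", tupleOrigin("https", "other.example", 443));
  const appFrame = createBlankContext(app);
  const nested = createBlankContext(appFrame); // inherits transitively
  const otherFrame = createBlankContext(other);
  const top1 = createBlankContext(null);
  const top2 = createBlankContext(null);
  const same = (x, y) => sameOrigin(x.document.origin, y.document.origin);
  return {
    frameVsCreator: same(appFrame, app),           // true
    nestedVsCreator: same(nested, app),            // true
    frameVsOtherFrame: same(appFrame, otherFrame), // false, same URL
    top1VsTop2: same(top1, top2),                  // false, both unique
    top1VsItself: same(top1, top1),                // true
  };
}
```

An access check built on this model has to compare the stored origin of each Document, since every context in the scenario reports the same `about:blank` URL.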