- From: Lachlan Hunt <lachlan.hunt@lachy.id.au>
- Date: Tue, 03 Mar 2009 15:22:53 +0100
- To: Joseph A Holsten <joseph@josephholsten.com>
- Cc: public-html <public-html@w3.org>
Joseph A Holsten wrote:
> I've posted the merged version of Lachlan and my drafts here:
> http://josephholsten.com/about-uri-scheme/draft-holsten-about-uri-scheme.txt
>
> with inline comments and editing marks in html here:
> http://josephholsten.com/about-uri-scheme/draft-holsten-about-uri-scheme.html
>
> and source control here:
> http://github.com/josephholsten/about-uri-scheme/
I have ACTION-103 [1] assigned to me to follow up on this, which is due
this thursday. I have reviewed the draft once again, and I think the
following changes should be made:
1. Remove about:internets from the list of examples. It was mentioned
earlier that this was being removed from Google Chrome due to its
lack of support any any platform other than Windows XP, and I don't
think it makes sense to highlight about URIs with such a limited
utility.
2. The wikipedia article "about: URI Scheme" is mentioned, but there is
no link provided to it. Please add a reference to it:
http://en.wikipedia.org/wiki/About:_URI_scheme
3. The security considerations section seems incomplete.
It contains a quote from HTML5 about the origin and a link to the whatwg
copy of the spec. If it is going to reference HTML5, then it should
reference the W3C copy, rather than the editor draft.
I'm unsure how the first paragraph in this section is describing a
security related issue:
"There is no guarantee that an application will understand any about
URI provided to it. An about URI may not resolve to the expected
resource. If the reference is unlikely to resolve correctly, the
reference should be accompanied by an explanation or alternatives."
Either clarify that or remove it.
In the second paragrah, it states:
"An application should not execute or display information in an about
URI."
I'm not entirely sure what that's trying to say. When it comes to
executing code in a resource identified by an about: URI, perhaps it
should say that they should not execute untrusted code. Both Firefox
and Opera execute scripts in their about:config pages, for example.
"About URIs may identify resources which show sensitive information.
This data SHOULD NOT be exposed in about URIs."
I'm not sure what the purpose of that statement is either. In what way
would sensitive information in a resource be exposed in a URI?
This is a proposed replacement for the security considerations section:
---
The origin and the effective script origin of a resource identified by
an about URI MUST be determined as defined by HTML 5 [HTML5].
The origin of the about:blank Document is set when the Document is
created. If the new browsing context has a creator browsing context,
then the origin of the about:blank Document is the origin of the
creator Document. Otherwise, the origin of the about:blank Document
is a globally unique identifier assigned when the new browsing context
is created.
About URIs should not cause the application to modify any data.
Applications should not use about URIs to access, or erase files or
other sensitive information.
About URIs may identify resources that contain sensitive information.
Applications should ensure appropriate restrictions are in place
to protect such information from access or modification by untrusted
sources.
[HTML5] http://www.w3.org/TR/html5/
---
4. In section 6, IANA Considerations, the Interoperability
Considerations part says:
"...Other about URIs should only be expected to work correctly within
the same application."
That doesn't make any sense to me. I think ti should be removed. I
think the preceding sentence says enough on its own without that.
Once these issues are cleaned up, I think we'll be ready to go ahead and
get it published and register the scheme.
[1] http://www.w3.org/html/wg/tracker/actions/103
--
Lachlan Hunt - Opera Software
http://lachy.id.au/
http://www.opera.com/
Received on Tuesday, 3 March 2009 14:23:33 UTC