- From: Peter Saint-Andre <stpeter@stpeter.im>
- Date: Thu, 23 Aug 2012 09:55:06 -0600
- To: Julian Reschke <julian.reschke@gmx.de>
- CC: Larry Masinter <masinter@adobe.com>, Philippe Le Hegaret <plh@w3.org>, Barry Leiba <barryleiba@computer.org>, Mark Nottingham <mnot@mnot.net>, "public-ietf-w3c@w3.org" <public-ietf-w3c@w3.org>, Edward O'Connor <eoconnor@apple.com>
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 8/22/12 2:30 AM, Julian Reschke wrote: > On 2012-08-21 21:40, Larry Masinter wrote: >> That and the security considerations, but I suppose that the >> security concerns are about RegisterProtocolHandler. I don't >> understand or see how the 'origin' sandboxing can work, since the >> protocol handler registry is a shared global resource. > > I don't think there's an attempt to sandbox here. As a matter of > fact, I would expect the protocol handler to be registered > *globally*, so that links would work when followed from a MUA as > well. > >> And what does the "web+" buy, anyway? It prevents "Web+mailto" >> from stepping on "mailto", but it doesn't prevent "web+mailto" 1 >> from stepping on "web+mailto" 2. > > It's not about name collisions; it's about implicit white-listing a > set of URI scheme. Yes, and that's part of the concern people have with it. >> Whenever there's a naming convention, there needs to be some >> invariant that is true for things that match, otherwise the >> naming convention is meaningless. So what is it that you know >> about "web+foo:" that you don't know about "foo:" ? > > "If the registerProtocolHandler() method is invoked with a scheme > that is neither a whitelisted scheme nor a scheme whose value > starts with the substring "web+" and otherwise contains only > characters in the range lowercase ASCII letters, the user agent > must throw a SecurityError exception." > > So by default, most current and future URI schemes can not be > registered, *unless* they start with "web+", *or* they are added to > the exception list. Correct. Peter - -- Peter Saint-Andre https://stpeter.im/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.18 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAlA2UloACgkQNL8k5A2w/vxfFQCfaSjZHQI9huJVLNnGZ/Vs1bpZ pwUAoOsdHFj4gzZO5IwuKgCc5Xmm9lku =TXiA -----END PGP SIGNATURE-----
Received on Thursday, 23 August 2012 15:55:35 UTC