RE: web+: enabling websites to expose services with custom URI schemes to registerProtocolHandler. from Larry Masinter on 2012-08-23 (public-ietf-w3c@w3.org from August 2012)

From: Larry Masinter <masinter@adobe.com>
Date: Thu, 23 Aug 2012 10:06:54 -0700
To: Peter Saint-Andre <stpeter@stpeter.im>, "julian.reschke@gmx.de" <julian.reschke@gmx.de>
CC: Philippe Le Hegaret <plh@w3.org>, Barry Leiba <barryleiba@computer.org>, Mark Nottingham <mnot@mnot.net>, "public-ietf-w3c@w3.org" <public-ietf-w3c@w3.org>, "Edward O'Connor" <eoconnor@apple.com>
Message-ID: <C68CB012D9182D408CED7B884F441D4D1E2DDD6026@nambxv01a.corp.adobe.com>

Maybe ask IETF websec and/or W3C webappsec to review it, if the purpose and meaning of the "web+" prefix is a security property?


-----Original Message-----
From: Peter Saint-Andre [mailto:stpeter@stpeter.im] 
Sent: Thursday, August 23, 2012 8:55 AM
To: julian.reschke@gmx.de
Cc: Larry Masinter; Philippe Le Hegaret; Barry Leiba; Mark Nottingham; public-ietf-w3c@w3.org; Edward O'Connor
Subject: Re: web+: enabling websites to expose services with custom URI schemes to registerProtocolHandler.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 8/22/12 2:30 AM, Julian Reschke wrote:
> On 2012-08-21 21:40, Larry Masinter wrote:
>> That and the security considerations, but I suppose that the
>> security concerns are about RegisterProtocolHandler. I don't
>> understand or see how the 'origin' sandboxing can work, since the
>> protocol handler registry is a shared global resource.
> 
> I don't think there's an attempt to sandbox here. As a matter of
> fact, I would expect the protocol handler to be registered
> *globally*, so that links would work when followed from a MUA as
> well.
> 
>> And what does the "web+" buy, anyway? It prevents "Web+mailto"
>> from stepping on "mailto", but it doesn't prevent "web+mailto" 1
>> from stepping on "web+mailto" 2.
> 
> It's not about name collisions; it's about implicit white-listing a
> set of URI scheme.

Yes, and that's part of the concern people have with it.

>> Whenever there's a naming convention, there needs to be some
>> invariant that is true for things that match, otherwise the
>> naming convention is meaningless. So what is it that you know
>> about "web+foo:" that you don't know about "foo:" ?
> 
> "If the registerProtocolHandler() method is invoked with a scheme
> that is neither a whitelisted scheme nor a scheme whose value
> starts with the substring "web+" and otherwise contains only
> characters in the range lowercase ASCII letters, the user agent
> must throw a SecurityError exception."
> 
> So by default, most current and future URI schemes can not be 
> registered, *unless* they start with "web+", *or* they are added to
> the exception list.

Correct.

Peter

- -- 
Peter Saint-Andre
https://stpeter.im/



-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/


iEYEARECAAYFAlA2UloACgkQNL8k5A2w/vxfFQCfaSjZHQI9huJVLNnGZ/Vs1bpZ
pwUAoOsdHFj4gzZO5IwuKgCc5Xmm9lku
=TXiA
-----END PGP SIGNATURE-----

Received on Thursday, 23 August 2012 17:07:31 UTC