Re: web+ and registerProtocolHandler from Alexey Melnikov on 2012-09-15 (public-ietf-w3c@w3.org from September 2012)

From: Alexey Melnikov <alexey.melnikov@isode.com>
Date: Sat, 15 Sep 2012 13:53:26 +0100
To: Adam Barth <w3c@adambarth.com>
CC: Larry Masinter <masinter@adobe.com>, "Martin J. Dürst" <duerst@it.aoyama.ac.jp>, Peter Saint-Andre <stpeter@stpeter.im>, "michel@suignard.com" <michel@suignard.com>, "tony@att.com" <tony@att.com>, "plh@w3.org" <plh@w3.org>, "adil@diwan.com" <adil@diwan.com>, "robin@berjon.com" <robin@berjon.com>, "ted.ietf@gmail.com" <ted.ietf@gmail.com>, John O'Conner <jooconne@adobe.com>, "presnick@qualcomm.com" <presnick@qualcomm.com>, "chris@lookout.net" <chris@lookout.net>, "public-ietf-w3c@w3.org" <public-ietf-w3c@w3.org>
Message-ID: <50547A46.4070904@isode.com>

Hi Adam,

On 14/09/2012 20:44, Adam Barth wrote:
> Yes.  Registering URI schemes is too hard.  If it were easier, we'd
> register a bunch of URI schemes that we use in Chrome.
Have you or one of your co-workers tried to register and got a rejection 
from the Expert Reviewer? Have you tried a Permanent or a Provisional 
registration?
> Adam
>
>
> On Fri, Sep 14, 2012 at 12:20 PM, Larry Masinter <masinter@adobe.com> wrote:
>> I think we should be more careful with terminology.
>> "Whitelist" -- all values are forbidden except ones explicitly in a (fininte, enumerated) "white list", so a whitelist allows a small subset, and disallows everything in an arbitrarily large set.
>> "blacklist" -- all values are allowed except ones explicitly in a (finite, enumerated) "black list", so a blacklist disallows a small subset, and allows everything else in an arbitrarily large set.
>>
>> The pros and cons of the two approaches have to do with what is deployed and what is known to be deployed and has been evaluated as "safe to override",
>>   as well as what we imagine might be useful to allow.
>>
>> The "web+" convention is hybrid, it's not a "blacklist" and it's not really a "whitelist" either. While it's like a whitelist explicitly allows one small, enumerated, known-in-advance set (which seems pretty arbitrary and without justification), but it also allows another arbitrarily large set.
>>
>> The notion is that anything using "web+" should be, by definition, safe to override with registerProtocolHandler.
>>
>> Part of the question is whether anyone defining a web+ scheme will actually register it, or will look at the registry to determine if anyone is using it.
>> Right now, browsers (Chrome, Safari) define URI schemes and use them without any significant effort to register them. Why is there any expectation that this will change?   So the notion that the registration process can somehow enforce invariants for security reasons is suspect.
>>
>> Probably the disagreement about the the value of and venue for registration is the more important "elephant in the room".
>>
>> Larry

Received on Sunday, 16 September 2012 07:55:43 UTC