- From: Marcos Cáceres <notifications@github.com>
- Date: Mon, 26 Apr 2021 21:24:42 -0700
- To: w3c/manifest <manifest@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3c/manifest/pull/972/review/645369950@github.com>
@marcoscaceres requested changes on this pull request.
This is a good start, but it needs a lot tighter integration with registerProtocolHandler on the security side - they should both use the same underlying model, and I'm not getting a sense this does. The URL replacement parts are also quite scary - all this should go through HTML's "normalize protocol handler parameters". The examples already show how this would be open to abuse (e.g., using random protocols shouldn't work - as that open up a significant attack avenue).
> + </p>
+ <p class="note">
+ Protocol handlers could, for instance, be used for web app
+ communication where one app directly invokes another and passes data
+ via custom protocol links.
+ </p>
+ <p>
+ How protocol handlers are presented, and how many of them are shown
+ to the user, is at the discretion of the user agent and/or operating
+ system.
+ </p>
+ <p>
+ The steps for <dfn>processing the <code>protocol_handlers</code>
+ member</dfn> are given by the following algorithm. The algorithm
+ takes a <a data-cite=
+ "WEBIDL#sequence-type">sequence</a><<a>ProtocolHandlerItem</a>>
As @kenchris states below, you can use a list here too (i.e., no WebIDL things please).
> + "manifest">protocol_handlers</dfn></code> member is an <a>array</a>
+ of <a>ProtocolHandlerItem</a>s that allows a web application to
+ handle URL protocols.
+ </p>
+ <p class="note">
+ Protocol handlers could, for instance, be used for web app
+ communication where one app directly invokes another and passes data
+ via custom protocol links.
+ </p>
+ <p>
+ How protocol handlers are presented, and how many of them are shown
+ to the user, is at the discretion of the user agent and/or operating
+ system.
+ </p>
+ <p>
+ The steps for <dfn>processing the <code>protocol_handlers</code>
```suggestion
The steps for <dfn>processing the `protocol_handlers`
```
> + Protocol handlers could, for instance, be used for web app
+ communication where one app directly invokes another and passes data
+ via custom protocol links.
+ </p>
+ <p>
+ How protocol handlers are presented, and how many of them are shown
+ to the user, is at the discretion of the user agent and/or operating
+ system.
+ </p>
+ <p>
+ The steps for <dfn>processing the <code>protocol_handlers</code>
+ member</dfn> are given by the following algorithm. The algorithm
+ takes a <a data-cite=
+ "WEBIDL#sequence-type">sequence</a><<a>ProtocolHandlerItem</a>>
+ <var>protocol_handlers</var> and a <a>URL</a> <var>manifest
+ URL</var>. This algorithm returns a <a data-cite=
If you can avoid returning anything, all the better... see how the other processing steps are done.
> + The steps for <dfn>processing the <code>protocol_handlers</code>
+ member</dfn> are given by the following algorithm. The algorithm
+ takes a <a data-cite=
+ "WEBIDL#sequence-type">sequence</a><<a>ProtocolHandlerItem</a>>
+ <var>protocol_handlers</var> and a <a>URL</a> <var>manifest
+ URL</var>. This algorithm returns a <a data-cite=
+ "WEBIDL#sequence-type">sequence</a><<a>ProtocolHandlerItem</a>>.
+ </p>
+ <ol>
+ <li>Let <var>processedProtocolHandlers</var> be a new Array object
+ created as if by the expression [].
+ </li>
+ <li><a href="https://infra.spec.whatwg.org/#list-iterate">For each</a> <var>protocol_handler</var> (<a>ProtocolHandlerItem</a>)
+ in the sequence:
+ <ol>
+ <li>If <var>protocol_handler</var>["protocol"] or
ProTip... though just a nit:
```suggestion
<li>If |protocol_handler|["protocol"] or
```
You can do the same for other `<var>` things
> + member</dfn> are given by the following algorithm. The algorithm
+ takes a <a data-cite=
+ "WEBIDL#sequence-type">sequence</a><<a>ProtocolHandlerItem</a>>
+ <var>protocol_handlers</var> and a <a>URL</a> <var>manifest
+ URL</var>. This algorithm returns a <a data-cite=
+ "WEBIDL#sequence-type">sequence</a><<a>ProtocolHandlerItem</a>>.
+ </p>
+ <ol>
+ <li>Let <var>processedProtocolHandlers</var> be a new Array object
+ created as if by the expression [].
+ </li>
+ <li><a href="https://infra.spec.whatwg.org/#list-iterate">For each</a> <var>protocol_handler</var> (<a>ProtocolHandlerItem</a>)
+ in the sequence:
+ <ol>
+ <li>If <var>protocol_handler</var>["protocol"] or
+ <var>protocol_handler</var>["url"] are undefined, [=iteration/continue=].
```suggestion
<var>protocol_handler</var>["url"] is undefined, [=iteration/continue=].
```
> + <li>If <var>protocol_handler</var>["protocol"] or
+ <var>protocol_handler</var>["url"] are undefined, [=iteration/continue=].
+ </li>
+ <li>Set <var>protocol_handler</var>["url"] to the result of [=URL
+ Parser|parsing=] <var>protocol_handler</var>["url"] using
+ <var>manifest URL</var> as the base URL. If the result is
+ failure, [=iteration/continue=].
+ </li>
+ <li>If <var>protocol_handler</var>["url"] is not
+ [=manifest/within scope=] of <var>manifest URL</var>, [=iteration/continue=].
+ </li>
+ <li>If <var>protocol_handler</var>["url"] already exists in <var>
+ processedProtocolHandlers</var>, [=iteration/continue=].
+ </li>
+ <li>
+ <a>Append</a> <var>protocol_handler</var> to
```suggestion
[=List/Append=] |protocol_handler| to
```
> + </li>
+ </ol>
+ <p>
+ To process the the <var>processedProtocolHandlers</var> the user
+ agent SHOULD [=register a protocol handler=] per item defined in the
+ [=sequence=].
+ </p>
+ <p>
+ A user agent SHOULD ask users for permission before registering a
+ <a>ProtocolHandlerItem</a> <var>protocol_handler</var>s as the
+ default handler for a protocol with the host operating system. A user
+ agent MAY truncate the list of <a>ProtocolHandlerItem</a>
+ <var>protocol_handlers</var> presented in order to remain consistent
+ with the conventions or limitations of the host operating system.
+ </p>
+ <div class="example">
```suggestion
<aside class="example">
```
> + </ul>
+ <pre class="example json">
+ {
+ "protocol_handlers": [
+ {
+ "protocol": "web+music",
+ "url": "/play?songId=%s"
+ },
+ {
+ "protocol": "store",
+ "url": "/buy?songId=%s"
+ }
+ ]
+ }
+ </pre>
+ </div>
```suggestion
</aside>
```
> @@ -1755,6 +1864,100 @@ <h2>
</ol>
</section>
</section>
+ <section>
+ <h2>
+ ProtocolHandler items
+ </h2>
+ <p>
+ Each <dfn>ProtocolHandlerItem</dfn> is an [=object=] that represents
We no longer use IDL , having `ProtocolHandlerItem` looks a little odd compared to other similar objects in the spec... maybe:
```suggestion
Each <dfn>protocol handler description</dfn> is an [=object=] that represents
```
Or something...
> + <li>[=`url`=]
+ </li>
+ </ul>
+ <p>
+ A user agent SHOULD use these values to register the web application as
+ a handler with the operating system. When the user activates a protocol
+ handler URL, the user agent SHOULD run <a>Handling a protocol
+ launch</a>.
+ </p>
+ <p class="note">
+ [[HTML]]'s <code>registerProtocolHandler</code> method allows web sites
+ to register themselves as possible handlers for particular protocols.
+ What constitutes valid <code>protocol</code> and <code>url</code>
+ values for <a>ProtocolHandlerItem</a>s is defined in that API. Also
+ note that the [[HTML]] API uses <a href=
+ "https://url.spec.whatwg.org/#concept-url-scheme"><code>scheme</code></a>
Please see https://respec.org/xref/?term=scheme for how to cite scheme :)
> + {
+ "protocol": "web+music",
+ "url": "/play?songId=%s"
+ },
+ {
+ "protocol": "store",
+ "url": "/buy?songId=%s"
These are not in the [safe list](https://html.spec.whatwg.org/multipage/system-state.html#safelisted-scheme) ... so this won't work.
> + <a href=
+ "https://html.spec.whatwg.org/multipage/system-state.html#security-and-privacy">
Please avoid direct links to HTML spec.... `data-cite=` here.
> + <div class="note">
+ <p>
+ The user agent MUST ask for permission when using a protocol
+ handler for the first time. This feature requires user interaction
+ and a script cannot communicate with another application on its
+ own.
+ </p>
+ </div>
Note: can't have a MUST inside a note.... either it's a normative requirement, or it's not.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/manifest/pull/972#pullrequestreview-645369950
Received on Tuesday, 27 April 2021 04:24:55 UTC