- From: Aaron Gustafson <notifications@github.com>
- Date: Thu, 13 May 2021 13:43:23 -0700
- To: w3c/manifest <manifest@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3c/manifest/pull/972/c840822187@github.com>
> This is a good start, but it needs a lot tighter integration with registerProtocolHandler on the security side - they should both use the same underlying model, and I'm not getting a sense this does. The URL replacement parts are also quite scary - all this should go through HTML's "normalize protocol handler parameters".
@marcoscaceres In line 1070, @diekus’ proposal punts to the HTML spec for the process of registering a protocol handler (see "register a protocol handler"), which is where all of the normalization and security stuff takes place. Do you think that needs to be framed differently to make that connection more clear for implementors?
```html
<p>
To process the the <var>processedProtocolHandlers</var> the user
agent SHOULD [=register a protocol handler=] per item defined in the
[=sequence=].
</p>
```
> The examples already show how this would be open to abuse (e.g., using random protocols shouldn't work - as that open up a significant attack avenue).
Perhaps I’m misreading your concern here, but the second bullet in Example 6 specifically calls out that attempted abuse (like attempting to associate with "store") would be thrown out. Am I missing something?
```html
<li>The second protocol handler would be ignored, as the protocol
provided does not start with "web+" and is not part of the
safelist.
</li>
```
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/manifest/pull/972#issuecomment-840822187
Received on Thursday, 13 May 2021 20:43:36 UTC