Re: Classifying potentially hostile URLs

> On 17 Aug 2021, at 4:03 pm, Martin Thomson <mt@mozilla.com> wrote:
> 
> https://html.spec.whatwg.org/multipage/browsing-the-web.html#navigate seems like a good entrypoint into a lot of this discussion.  I find that spec mind-numbingly arcane, but I'm sure that there is something at Step 21 that might help ("fetch scheme" seems like a useful concept to explore more).

Yeah, that's a great lead actually. 

"Fetch schemes" includes "https", so that rules it out - but there is a "local scheme" [1] concept that is made up of "about", "blob", and "data", which always results in a Network Error when fetched.  

Perhaps: "local schemes" + "javascript:" + "file:", plus any other scheme the UA treats as internal, could be categorized? That would at least cover the common ones, giving a baseline, while providing the UA with enough leeway to block its own internal URLs (e.g. "chrome://", "moz-icon://", etc.).

[1] https://fetch.spec.whatwg.org/#local-scheme

Received on Tuesday, 17 August 2021 08:34:42 UTC
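As an added illustration of the categorization proposed in the message above (this is example code, not from the thread or from any spec or browser), the function below uses the WHATWG URL parser to bucket an input into the Fetch spec's local schemes (about, blob, data), javascript:, file:, a UA-internal set, HTTP(S), or other. The UA_INTERNAL_SCHEMES set is an assumption seeded with the two schemes named in the message; a real user agent would supply its own. The point the code makes beyond the prose is that the scheme must be read from the parsed URL rather than matched as a string prefix, because the parser strips leading C0 controls/spaces and embedded tabs/newlines and lowercases the scheme, so a raw-string check misses inputs that still navigate as javascript: URLs.

```javascript
// Added example; not code from the mailing-list thread, the Fetch/HTML specs,
// or any browser. Assumes a WHATWG-compliant global URL (Node >= 10, browsers).

// Per https://fetch.spec.whatwg.org/#local-scheme.
const LOCAL_SCHEMES = new Set(["about", "blob", "data"]);
// Assumed, illustrative list of UA-internal schemes (from the message above).
const UA_INTERNAL_SCHEMES = new Set(["chrome", "moz-icon"]);
const HTTP_SCHEMES = new Set(["http", "https"]);

/**
 * Classify `input`, resolved against optional `base`.
 * Returns { category, scheme, href }, where category is one of
 * "local", "javascript", "file", "ua-internal", "http", "other", "invalid".
 *
 * The scheme is taken from the parsed URL so that parser normalization
 * (case folding, stripping of leading/trailing C0 controls and spaces,
 * removal of embedded tabs and newlines) happens before the comparison.
 */
function classifyUrl(input, base = undefined) {
  let url;
  try {
    url = base === undefined ? new URL(input) : new URL(input, base);
  } catch (e) {
    // Relative reference without a base, or otherwise unparseable input.
    return { category: "invalid", scheme: null, href: null };
  }
  const scheme = url.protocol.slice(0, -1); // "https:" -> "https"

  let category;
  if (LOCAL_SCHEMES.has(scheme)) category = "local";
  else if (scheme === "javascript") category = "javascript";
  else if (scheme === "file") category = "file";
  else if (UA_INTERNAL_SCHEMES.has(scheme)) category = "ua-internal";
  else if (HTTP_SCHEMES.has(scheme)) category = "http";
  else category = "other";

  return { category, scheme, href: url.href };
}

// Under the proposal, the first four categories are the "potentially hostile"
// baseline; http(s), other, and invalid are left to whatever policy the caller
// applies to them.
const HOSTILE_CATEGORIES = new Set(["local", "javascript", "file", "ua-internal"]);

function isPotentiallyHostile(input, base = undefined) {
  return HOSTILE_CATEGORIES.has(classifyUrl(input, base).category);
}

// For contrast: a raw-string prefix check. It misses inputs the URL parser
// still turns into javascript: URLs, e.g. a leading tab or an embedded newline.
function naiveIsJavascript(input) {
  return input.toLowerCase().startsWith("javascript:");
}
```

Note that "invalid" is deliberately its own bucket rather than being folded into "hostile": an unparseable string cannot be navigated to at all, and callers that resolve relative references should pass the document's base URL so that "/path" classifies as http(s) rather than as invalid.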