Re: Classifying potentially hostile URLs

> On 17 Aug 2021, at 4:03 pm, Martin Thomson <> wrote:
> seems like a good entrypoint into a lot of this discussion.  I find that spec mind-numbingly arcane, but I'm sure that there is something at Step 21 that might help ("fetch scheme" seems like a useful concept to explore more).

Yeah, that's a great lead actually. 

"Fetch schemes" includes "https", so that rules it out - but there is a "local scheme" [1] concept that is made up of "about", "blob", and "data", which always results in a Network Error when fetched.  

Perhaps: "local schemes" + "javascript:" + "file:", plus any other scheme the UA treats as internal, could be categorized? That would at least cover the common ones giving a baseline, while providing the UA with enough leeway to block its own internal URLs (e.g. "chrome://", "moz-icon://", etc.). 


Received on Tuesday, 17 August 2021 08:34:42 UTC