[whatwg] AppCache online whitelist wildcard bypasses restriction on scheme

On Wed, 5 Aug 2009, Jenn Braithwaite (?~C??~E??~K~R) wrote:
> 
> In the AppCache section of the HTML5 spec, the new wildcard value '*' 
> for the online whitelist section allows one to 'whitelist all' 
> regardless of scheme. However, the spec requires a URL in the online 
> whitelist section to have the same scheme as the manifest URL.  Seems 
> like the new wildcard feature has created a mismatch in whether the 
> scheme should be restricted.
> 
> Should the scheme restriction be consistent regardless of wildcard value 
> vs explicitly listed URL?

I've changed the model to so that any resourcs that aren't in the same 
scheme are automatically in the online whitelist, whether "*" is specified 
or not.

I think the scheme restrictions were always intended to work this way 
(i.e. always intended as a way to make it impossible to cache mailto: 
URIs, and things like that, and always intended to not block cross-scheme 
networking), but it seems it was only half-baked before.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Thursday, 13 August 2009 17:29:08 UTC