
[whatwg] AppCache online whitelist wildcard bypasses restriction on scheme

From: Ian Hickson <ian@hixie.ch>
Date: Fri, 14 Aug 2009 00:29:08 +0000 (UTC)
Message-ID: <Pine.LNX.4.62.0908140016440.6420@hixie.dreamhostps.com>
On Wed, 5 Aug 2009, Jenn Braithwaite wrote:
> In the AppCache section of the HTML5 spec, the new wildcard value '*' 
> for the online whitelist section allows one to 'whitelist all' 
> regardless of scheme. However, the spec requires a URL in the online 
> whitelist section to have the same scheme as the manifest URL.  Seems 
> like the new wildcard feature has created a mismatch in whether the 
> scheme should be restricted.
> Should the scheme restriction be consistent regardless of wildcard value 
> vs explicitly listed URL?

I've changed the model so that any resources that aren't in the same 
scheme are automatically in the online whitelist, whether "*" is specified 
or not.

I think the scheme restrictions were always intended to work this way 
(i.e. always intended as a way to make it impossible to cache mailto: 
URIs, and things like that, and always intended to not block cross-scheme 
networking), but it seems it was only half-baked before.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 13 August 2009 17:29:08 UTC
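
The change described in the message above, as an added example that is not part of the original post or the spec's own algorithm: a simplified JavaScript model of the online-whitelist decision under the earlier rule and the revised one. The function names, the prefix matching of explicit entries and the sample URLs are assumptions made for illustration.

```javascript
// Simplified model (assumption): explicit NETWORK entries are matched by URL prefix.
// All names and sample values below are constructed for this example.
const MANIFEST_URL = 'http://example.com/app.manifest';
const NETWORK_LINES = ['# constructed sample', 'http://example.com/api/', 'https://example.com/secure/'];

function schemeOf(url) {
  return new URL(url).protocol; // e.g. 'http:' or 'mailto:'
}

// Parse the NETWORK section. As the question notes, an explicitly listed URL
// must share the manifest's scheme, so cross-scheme entries are dropped.
function parseNetworkSection(manifestUrl, lines) {
  const model = { manifestScheme: schemeOf(manifestUrl), wildcard: false, prefixes: [] };
  for (const raw of lines) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    if (line === '*') { model.wildcard = true; continue; }
    const abs = new URL(line, manifestUrl).href;
    if (schemeOf(abs) === model.manifestScheme) model.prefixes.push(abs);
  }
  return model;
}

// Earlier model: only '*' or a surviving same-scheme entry whitelists a URL,
// so '*' was the only way to reach a cross-scheme resource.
function whitelistedBefore(model, url) {
  const abs = new URL(url).href;
  return model.wildcard || model.prefixes.some((p) => abs.startsWith(p));
}

// Revised model: a resource in a different scheme than the manifest is
// always in the online whitelist, whether '*' is specified or not.
function whitelistedAfter(model, url) {
  if (schemeOf(url) !== model.manifestScheme) return true;
  return whitelistedBefore(model, url);
}

const model = parseNetworkSection(MANIFEST_URL, NETWORK_LINES);
for (const url of ['https://example.com/secure/x', 'mailto:a@example.com', 'http://example.com/other']) {
  console.log(url, whitelistedBefore(model, url), whitelistedAfter(model, url));
}
```

Same-scheme URLs that are neither listed nor covered by `*` remain outside the whitelist in both models; only the cross-scheme cases change.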
