- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 19 Apr 2011 17:33:43 +0000 (UTC)
On Tue, 12 Apr 2011, Lachlan Hunt wrote: > > We are investigating registerProtocolHandler and have been discussing > the need for a blacklist of protocols to forbid. > > [...] > > We'd like to know if we've missed any important schemes that must be > blocked, and we think it might be useful if the spec listed most of > those, except for the vendor specific schemes, which should probably be > left up to each vendor to worry about. I haven't updated the spec yet, but it strikes me that maybe what we should do instead is have a whitelist of protocols we definitely want to allow (e.g. mailto:), and define a common prefix for protocols that are used with this feature, in a similar way to how with XHR we've added Sec-* as a list of headers _not_ to support. So e.g. we could whitelist any protocol starting with "web+" and then register that as a common extension point for people inventing protocols for use with this feature, so that people writing OS-native apps would know that if they used a protocol with that prefix it's something that any web site could try to take over. I'd be curious about people's opinions on that matter. (If we did this, the whitelist may have to be updated occasionally to add new protocols that people invented that we think are fine to be overridden, but that are not "web+"-prefixed.) -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 19 April 2011 10:33:43 UTC