- From: Lachlan Hunt <lachlan.hunt@lachy.id.au>
- Date: Tue, 19 Apr 2011 20:11:44 +0200

On 2011-04-19 19:33, Ian Hickson wrote:
> On Tue, 12 Apr 2011, Lachlan Hunt wrote:
>>
>> We are investigating registerProtocolHandler and have been discussing
>> the need for a blacklist of protocols to forbid.
>>
>> [...]
>>
>> We'd like to know if we've missed any important schemes that must be
>> blocked, and we think it might be useful if the spec listed most of
>> those, except for the vendor specific schemes, which should probably be
>> left up to each vendor to worry about.
>
> I haven't updated the spec yet, but it strikes me that maybe what we
> should do instead is have a whitelist of protocols we definitely want to
> allow (e.g. mailto:), and define a common prefix for protocols that are
> used with this feature, in a similar way to how with XHR we've added Sec-*
> as a list of headers _not_ to support.

Other protocols we should probably also whitelist: irc, sms, smsto, tel.

I'm also curious how we could handle ISBN URNs, like:

urn:isbn:0-395-36341-1

That would be useful to have a web service that could look up the ISBN
and direct users to information about the book, or to an online store.
As currently specified, services have to register a handler for "urn",
even if they only handle ISBN URNs.

The other alternative would be to mint a new web+isbn scheme, which
seems suboptimal.

> So e.g. we could whitelist any protocol starting with "web+" and then
> register that as a common extension point for people inventing protocols
> for use with this feature, so that people writing OS-native apps would
> know that if they used a protocol with that prefix it's something that any
> web site could try to take over.

That seems reasonable.

--
Lachlan Hunt - Opera Software
http://lachy.id.au/
http://www.opera.com/

Received on Tuesday, 19 April 2011 11:11:44 UTC
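
The allowlist-plus-prefix policy discussed in this message, written out as an added example (not part of the original e-mail and not specification text). The function names and the rule that the part after "web+" must be lowercase ASCII letters are assumptions; the second function shows the filtering a handler registered for the whole "urn" scheme would have to do itself.

```javascript
// Added example: scheme check for registerProtocolHandler as proposed in the thread.
// Schemes named in the thread: mailto (quoted text), irc, sms, smsto, tel (reply).
const ALLOWED_SCHEMES = new Set(["mailto", "irc", "sms", "smsto", "tel"]);
const WEB_PREFIX = "web+";

// Hypothetical helper: may a web page register a handler for `scheme`?
function isSchemeRegistrable(scheme) {
  if (typeof scheme !== "string") return false;
  const s = scheme.toLowerCase(); // URL schemes compare case-insensitively
  if (ALLOWED_SCHEMES.has(s)) return true;
  if (s.startsWith(WEB_PREFIX)) {
    // Assumption: a bare "web+" is rejected and the suffix is letters only,
    // so the prefix always marks a scheme any web site may try to take over.
    return /^[a-z]+$/.test(s.slice(WEB_PREFIX.length));
  }
  // Anything else (built-in, vendor-specific or OS-native schemes, and the
  // generic "urn") is refused by default instead of being listed in a blacklist.
  return false;
}

// Hypothetical helper: a handler registered for all of "urn" receives every
// URN and must pick out the namespace it understands. Returns the ISBN
// string, or null when the URN belongs to another namespace.
function isbnFromUrn(uri) {
  const m = /^urn:([a-z0-9][a-z0-9-]{0,31}):(.+)$/i.exec(String(uri));
  if (!m || m[1].toLowerCase() !== "isbn") return null;
  return m[2];
}

// Constructed sample inputs; only the urn:isbn value comes from the message.
const samples = ["mailto", "TEL", "web+isbn", "web+", "urn", "examplevendor"];
for (const s of samples) {
  console.log(s.padEnd(14), isSchemeRegistrable(s) ? "allowed" : "refused");
}
console.log(isbnFromUrn("urn:isbn:0-395-36341-1")); // ISBN extracted
console.log(isbnFromUrn("urn:example:not-a-book")); // other namespace
```
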