- From: rektide <rektide@voodoowarez.com>
- Date: Thu, 9 Jun 2011 15:35:17 -0400
I just got wind of Ian Hixie's comments in reply to a thread on blacklists for registerProtocolHandler[1]. In it, he proposes a whitelist of /^web\+.[:somethingorother:]+/. First, forgive me for creating a new thread on this topic ? i would rather have replied to the thread but do not know how to find the mail headers i would need to construct that mailing ? but I do wish to register issuance with this proposal. Ian mentions 'that people writing OS-native apps would know that if they used a protocol with that prefix it's something that any web site could try to take over', but this has some issues: 1. The current use case for registerProtocolHandler is intra-page. For one example, here's the MDC docs: "Note: Web sites may only register protocol handlers for themselves. For security reasons, it's not possible for an extension or web site to register protocol handlers targeting other sites." 2. Someone who wishes to register a 'web' protocol for their own usage ought be forced to consider that this protocol may not necessarily remain in their own purview. 3. It forces syntactical cruft upon people wishing to exercise this capability, and that cruft makes website handled protocols less likely to be used, to look cheap, and to be regarded as second class citizen of the protocol world. Tim Bray has already lamented enforcing the // upon the world, and if web+ protocols take off this will exacerbate his two character mistake by another four oh-so-valuable characters. We ought not double the obvious + preventable mistakes of the past. 4. Whitelisting seems fundamentally 'anti-web' by enforcing only what is out there already. I strongly support the notion that web pages ought be able to provide their own content & protocol handlers ? especially in an OS native fashion ? and it strikes me as unweildy to place this ^web\+[:soo:]+ restriction on this extension point. Personally, I think it is very high priority to reconsider Ian's informal decree (which has since been pressed into service in WebKit[2]), and formalize concensus around this issue. Regards, & wish & asking of forgivence for not having left lurk-mode in a happier fashion-- M. "rektide" Fowle [1] http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2011-April/031294.html [2] http://trac.webkit.org/changeset/87459
Received on Thursday, 9 June 2011 12:35:17 UTC