HTML5 proposes introduction of new family of URI schemes from Noah Mendelsohn on 2012-01-14 (www-tag@w3.org from January 2012)

From: Noah Mendelsohn <nrm@arcanedomain.com>
Date: Sat, 14 Jan 2012 12:36:25 -0500
To: "www-tag@w3.org" <www-tag@w3.org>
CC: Julian Reschke <julian.reschke@gmx.de>, Paul Cotton <Paul.Cotton@microsoft.com>, Maciej Stachowiak <mjs@apple.com>, Sam Ruby <rubys@intertwingly.net>
Message-ID: <4F11BD19.1090503@arcanedomain.com>

The attached note from Julian relates to HTTP working group issue 189 [1]. 
Specifically, that issue raises concerns about the inclusion in the HTML5 
drafts [2] of a proposed naming pattern for "web+xxxx" URI schemes. The 
explanation in the specification is "The scheme is expected to be used in 
the context of Web applications."  The security considerations section give 
the additional information that "Any Web page is able to register a handler 
for all "web+" schemes. As such, these schemes must not be used for 
features intended to be core platform features (e.g. network transfer 
protocols like HTTP or FTP). Similarly, such schemes must not store 
confidential information in their URLs, such as usernames, passwords, 
personal information, or confidential project names."

The Architecture of the World Wide Web offers the following advice 
regarding creation of new URI schemes [3]:

"While Web architecture allows the definition of new schemes, introducing a 
new scheme is costly. Many aspects of URI processing are scheme-dependent, 
and a large amount of deployed software already processes URIs of 
well-known schemes. Introducing a new URI scheme requires the development 
and deployment not only of client software to handle the scheme, but also 
of ancillary agents such as gateways, proxies, and caches. See [RFC2718] 
for other considerations and costs related to URI scheme design.

"Because of these costs, if a URI scheme exists that meets the needs of an 
application, designers should use it rather than invent one."

In general, the TAG has in the past promoted the use of existing schemes, 
especially http and https, in preference to the registration of new ones.

So, I'm wondering whether TAG members would like for me to schedule a TAG 
telcon session on the web+xxx scheme proposal? If so, it would be very 
helpful if at least one TAG member would volunteer to do some advance work 
to help us understand what the use cases are for the new family of schemes, 
and what the state of debate is on HTML WG issue 189.

Thank you.

Noah



[1] https://www.w3.org/html/wg/tracker/issues/189
[2] http://dev.w3.org/html5/spec/Overview.html#web-scheme-prefix
[3] http://www.w3.org/TR/webarch/#URI-scheme

-------- Original Message --------
Subject: HTML5 and URI scheme *name* prefixes
Resent-Date: Sat, 14 Jan 2012 13:18:06 +0000
Resent-From: public-iri@w3.org
Date: Sat, 14 Jan 2012 14:16:42 +0100
From: Julian Reschke <julian.reschke@gmx.de>
To: PUBLIC-IRI@W3.ORG <PUBLIC-IRI@w3.org>

Hi there,

ref: <https://www.w3.org/html/wg/tracker/issues/189>

HTML5 introduces a naming convention for URI scheme *names*; see
<http://dev.w3.org/html5/spec/Overview.html#web-scheme-prefix>:

> 12.6 web+ scheme prefix
>
> This section describes a convention for use with the IANA URI scheme registry. It does not itself register a specific scheme. [RFC4395]
>
> URI scheme name
>     Schemes starting with the four characters "web+" followed by one or more letters in the range a-z.
> Status
>     permanent
> URI scheme syntax
>     Scheme-specific.
> URI scheme semantics
>     Scheme-specific.
> Encoding considerations
>     All "web+" schemes should use UTF-8 encodings were relevant.
> Applications/protocols that use this URI scheme name
>     Scheme-specific.
> Interoperability considerations
>     The scheme is expected to be used in the context of Web applications.
> Security considerations
>     Any Web page is able to register a handler for all "web+" schemes. As such, these schemes must not be used for features intended to be core platform features (e.g. network transfer protocols like HTTP or FTP). Similarly, such schemes must not store confidential information in their URLs, such as usernames, passwords, personal information, or confidential project names.
> Contact
>     Ian Hickson <ian@hixie.ch>
> Author/Change controller
>     Ian Hickson <ian@hixie.ch>
> References
>     W3C

I'm in the process of writing a Change Proposal asking for a removal of
this feature. In the meantime, it would be useful if the WG came up with
"official" feedback on overloading the scheme name.

Best regards, Julian

Received on Saturday, 14 January 2012 17:37:23 UTC