- From: Martin J. Dürst <duerst@it.aoyama.ac.jp>
- Date: Fri, 20 Jan 2012 19:46:54 +0900
- To: Julian Reschke <julian.reschke@gmx.de>
- CC: Noah Mendelsohn <nrm@arcanedomain.com>, Robin Berjon <robin@berjon.com>, "Eric J. Bowman" <eric@bisonsystems.net>, David Booth <david@dbooth.org>, "www-tag@w3.org List" <www-tag@w3.org>, Paul Cotton <Paul.Cotton@microsoft.com>, Maciej Stachowiak <mjs@apple.com>, Sam Ruby <rubys@intertwingly.net>
On 2012/01/20 19:30, Julian Reschke wrote:
> On 2012-01-20 10:50, "Martin J. Dürst" wrote:
>> I think I tried to explain this to you, but the intent is NOT to have
>> new schemas with web+ in parallel to already existing ones. The intent
>> is just to identify the fact that a *totally new* scheme can be used in
>> Web applications with a web+ prefix. For existing schemas, the current
>> whitelist is supposed to cover those that are suitable for use with Web
>> applications. So this point is largely moot.
>
> Not really, unless it's easy to change the whitelist (and their
> implementation).

I agree that a weakness of the current spec (both for the whitelist and the web+ prefix) is that schemes can't move from one category to the other easily. Alternatives such as a flag in the scheme registry would be different in this respect.

>> Using a web+ scheme does *NOT* mean that these schemes are intended for
>> exclusive use with Web applications. That would indeed be a bad idea.
>> The web+ is just a sign that tells the Web browser that if a Web page
>> asks the Web browser to be the responsible "handler" page for that
>> scheme, the Web browser is allowed to ask the user. The same applies for
>> schemes on the whitelist.
>
> Is it "allowed" to ask, or "required"?

Well, the spec says what to do when the API is called, and if you don't, you're not conforming, so I guess in that sense, it's "required". But I don't think a browser maker would hesitate to add schemes to the blocking list if they discovered that there was a vulnerability.

> If the browser is going to ask
> anyway, why not simply allow all schemes? It's not materially different
> from any application installing a new scheme handler.

In another mail, you said that the latter required admin privileges. That may count as an additional security check.

Apparently whoever wrote the text in the HTML5 spec thought that it would be too risky to allow all schemes, and that even if some schemes were allowed, the spec better be very clear that the user has to be told that this is an important decision, not a routine click-through. I'm not exactly sure what the considerations behind this were, it may be some serious concern and "best effort", it may be just an attempt at being able to deflect responsibility from the spec and the browser makers, or something else.

Regards, Martin.
Received on Friday, 20 January 2012 10:47:39 UTC
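The gate the thread is arguing about, as an added example that is not part of the message or of any browser's code: the checks a browser applies in `navigator.registerProtocolHandler()` before it is even allowed to prompt the user. It follows the WHATWG HTML spec's rules as I understand them; the safelist is the spec's current one, not the 2012 whitelist Martin and Julian discuss, and `checkProtocolHandlerRequest` and `isHandlerSchemeAllowed` are names chosen here.

```javascript
// Added example: the pre-prompt validation of a registerProtocolHandler()
// call. Safelist taken from the current WHATWG HTML spec (assumption: the
// 2012 whitelist in the thread was shorter, but the web+ rule is the same).
const SAFELISTED_SCHEMES = new Set([
  "bitcoin", "geo", "im", "irc", "ircs", "magnet", "mailto", "mms", "news",
  "nntp", "openpgp4fpr", "sip", "sms", "smsto", "ssh", "tel", "urn",
  "webcal", "wtai", "xmpp",
]);

// A scheme may be offered to the user only if it is on the safelist or is
// "web+" followed by one or more ASCII lowercase letters. Anything else is
// refused before any prompt, so the user is never asked about "file",
// "javascript" or a mixed-case "web+Foo".
function isHandlerSchemeAllowed(scheme) {
  return SAFELISTED_SCHEMES.has(scheme) || /^web\+[a-z]+$/.test(scheme);
}

// Returns null when the browser may go on to ask the user, otherwise the
// DOMException name the spec says to throw. pageOrigin is the origin of the
// document making the call (e.g. "https://example.com").
function checkProtocolHandlerRequest(scheme, urlTemplate, pageOrigin) {
  if (!isHandlerSchemeAllowed(scheme)) return "SecurityError";
  // The template must carry the "%s" placeholder the target URL is put into.
  if (!urlTemplate.includes("%s")) return "SyntaxError";
  let target;
  try {
    // Resolve the template relative to the calling page, like the spec does.
    target = new URL(urlTemplate.replace("%s", "x"), pageOrigin);
  } catch {
    return "SyntaxError";
  }
  // Handler pages must be HTTP(S) and same-origin with the registering page,
  // so a page cannot route a scheme to some other site.
  if (target.protocol !== "http:" && target.protocol !== "https:") return "SecurityError";
  if (target.origin !== pageOrigin) return "SecurityError";
  return null;
}
```

Only after `checkProtocolHandlerRequest` returns null does the "is the browser allowed, or required, to ask the user" question from the thread even arise.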