- From: Robin Berjon <robin@berjon.com>
- Date: Mon, 23 Jan 2012 23:57:09 +0100
- To: Martin J. Dürst <duerst@it.aoyama.ac.jp>
- Cc: "www-tag@w3.org List" <www-tag@w3.org>, Paul Cotton <Paul.Cotton@microsoft.com>, Maciej Stachowiak <mjs@apple.com>, Sam Ruby <rubys@intertwingly.net>
On Jan 20, 2012, at 11:46 , Martin J. Dürst wrote: > I agree that a weekness of the current spec (both for the whitelist and the web+ prefix) is that schemes can't move from one category to the other easily. Alternatives such as a flag in the scheme registry would be different in this respect. The problem with the approach of having a "Web safe" flag in the registry is that it only really helps if older browsers regularly fetch and parse the registry in order to discover new safe schemes — otherwise you have an upgrade-the-web problem when introducing a new protocol. But if you start automatically updating to a registry, you introduce quite an interesting attack vector. Maybe introducing new schemes isn't something that requires Web speed though, and that waiting for browser generations to pass is acceptable. >> If the browser is going to ask >> anyway, why not simple allow all schemes? It's not materially different >> from any application installing a new scheme handler. > > In another mail, you said that the later required admin privileges. That may count as an additional security check. Apparently whoever wrote the text in the HTML5 spec thought that it would be too risky to allow all schemes, and that even if some schemes were allowed, the spec better be very clear that the user has to be told that this is an important decision, not a routine click-through. I'm not exactly sure what the considerations behind this were, it may be some serious concern and "best effort", it may be just an attempt at being able to deflect responsibility from the spec and the browser makers, or something else. Adding a system-wide scheme handler doesn't seem to require admin privileges on my machine, so I wouldn't see this as a strong check. In any case it would never require admin privileges if the browser is only registering the handler for links activated inside its own containment. I believe the thinking behind not allowing all schemes is that some things are dangerous, and some things are very dangerous. It's okay (if very much imperfect already) to prompt for access to your geolocation, it's not okay to use the same prompt for unfettered access to your hard drive. By the same token, it's okay to prompt to handle your new emails and IRC connections, but it's not okay to just prompt in order to handle all the http: links you click on. -- Robin Berjon - http://berjon.com/ - @robinberjon
Received on Monday, 23 January 2012 22:57:35 UTC