A blacklist (not a whitelist) should define whether URL schemes are available for registration #12
Description
Problem
The current spec says:
If the
registerProtocolHandler()method is invoked with a scheme that is neither a whitelisted scheme nor a scheme whose value starts with the substring "web+" and otherwise contains only characters in the range U+0061 LATIN SMALL LETTER A to U+007A LATIN SMALL LETTER Z, the user agent must throw aSecurityErrorexception.The following schemes are the whitelisted schemes:
ircmailtommsnewsnntpsmssmstotelurnwebcalThis list can be changed. If there are schemes that should be added, please send feedback.
Whitelisted, huh?
This is terrifying.
In Wikipedia there is a list of — how many? — over a hundred official and unofficial schemes.
And that's precisely because none of them had to be standartized before use.
Example
Now imagine that you have an idea of some Web application with a brand new URL scheme — such as pay-to-github:username?amount (compare it with the existing skype:username?sendfile).
Unfortunately, you cannot start seriously coding your application (as a Web application) for the next ten years, because your scheme has to make its way to the WhatWG whitelist and only then (according to the spec) to the separate whitelists inside of several browser versions. (IE6 is ten years old and still in use. Guess when some IE11, which does not support your scheme currently, will grow old enough to die?…)
Well, you may implement your URI scheme instantly — but only in standalone applications for the required platforms. Not for the wide cross-platform Web. At least not for the next ten years.
Solution
A blacklist of dangerous schemes (schemes to be never redefined by Web applications) should be enough to ensure security. Otherwise the innovation would suffer.