New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

A blacklist (not a whitelist) should define whether URL schemes are available for registration #12

Closed
Mithgol opened this Issue Oct 25, 2011 · 3 comments

Comments

Projects
None yet
3 participants
@Mithgol

Mithgol commented Oct 25, 2011

Problem

The current spec says:

If the registerProtocolHandler() method is invoked with a scheme that is neither a whitelisted scheme nor a scheme whose value starts with the substring "web+" and otherwise contains only characters in the range U+0061 LATIN SMALL LETTER A to U+007A LATIN SMALL LETTER Z, the user agent must throw a SecurityError exception.

The following schemes are the whitelisted schemes:

  • irc
  • mailto
  • mms
  • news
  • nntp
  • sms
  • smsto
  • tel
  • urn
  • webcal

This list can be changed. If there are schemes that should be added, please send feedback.

Whitelisted, huh?

This is terrifying.

In Wikipedia there is a list of — how many? — over a hundred official and unofficial schemes.

And that's precisely because none of them had to be standartized before use.

Example

Now imagine that you have an idea of some Web application with a brand new URL scheme — such as pay-to-github:username?amount (compare it with the existing skype:username?sendfile).

Unfortunately, you cannot start seriously coding your application (as a Web application) for the next ten years, because your scheme has to make its way to the WhatWG whitelist and only then (according to the spec) to the separate whitelists inside of several browser versions. (IE6 is ten years old and still in use. Guess when some IE11, which does not support your scheme currently, will grow old enough to die?…)

Well, you may implement your URI scheme instantly — but only in standalone applications for the required platforms. Not for the wide cross-platform Web. At least not for the next ten years.

Solution

A blacklist of dangerous schemes (schemes to be never redefined by Web applications) should be enough to ensure security. Otherwise the innovation would suffer.

@KrzysiekJ

This comment has been minimized.

KrzysiekJ commented Mar 8, 2015

@Mithgol

This comment has been minimized.

Mithgol commented Mar 11, 2015

Thanks.

@leobalter

This comment has been minimized.

Collaborator

leobalter commented Apr 22, 2016

The discussion on this seems stalled for more than a year. Let's re-open this when we have any updates.

@leobalter leobalter closed this Apr 22, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment