A blacklist (not a whitelist) should define whether URL schemes are available for registration #12
The current spec says:
This is terrifying.
In Wikipedia there is a list of — how many? — over a hundred official and unofficial schemes.
And that's precisely because none of them had to be standardized before use.
Now imagine that you have an idea of some Web application with a brand new URL scheme — such as
Unfortunately, you cannot start seriously coding your application (as a Web application) for the next ten years, because your scheme has to make its way to the WHATWG whitelist and only then (according to the spec) to the separate whitelists inside of several browser versions. (IE6 is ten years old and still in use. Guess when some IE11, which does not support your scheme currently, will grow old enough to die?…)
Well, you may implement your URI scheme instantly — but only in standalone applications for the required platforms. Not for the wide cross-platform Web. At least not for the next ten years.
A blacklist of dangerous schemes (schemes never to be redefined by Web applications) should be enough to ensure security. Otherwise innovation would suffer.