A blacklist (not a whitelist) should define whether URL schemes are available for registration #12

Closed
Mithgol opened this Issue Oct 25, 2011 · 3 comments

Comments

Projects
None yet
3 participants

Mithgol commented Oct 25, 2011

Problem

The current spec says:

If the registerProtocolHandler() method is invoked with a scheme that is neither a whitelisted scheme nor a scheme whose value starts with the substring "web+" and otherwise contains only characters in the range U+0061 LATIN SMALL LETTER A to U+007A LATIN SMALL LETTER Z, the user agent must throw a SecurityError exception.

The following schemes are the whitelisted schemes:

  • irc
  • mailto
  • mms
  • news
  • nntp
  • sms
  • smsto
  • tel
  • urn
  • webcal

This list can be changed. If there are schemes that should be added, please send feedback.

Whitelisted, huh?

This is terrifying.

In Wikipedia there is a list of — how many? — over a hundred official and unofficial schemes.

And that's precisely because none of them had to be standartized before use.

Example

Now imagine that you have an idea of some Web application with a brand new URL scheme — such as pay-to-github:username?amount (compare it with the existing skype:username?sendfile).

Unfortunately, you cannot start seriously coding your application (as a Web application) for the next ten years, because your scheme has to make its way to the WhatWG whitelist and only then (according to the spec) to the separate whitelists inside of several browser versions. (IE6 is ten years old and still in use. Guess when some IE11, which does not support your scheme currently, will grow old enough to die?…)

Well, you may implement your URI scheme instantly — but only in standalone applications for the required platforms. Not for the wide cross-platform Web. At least not for the next ten years.

Solution

A blacklist of dangerous schemes (schemes to be never redefined by Web applications) should be enough to ensure security. Otherwise the innovation would suffer.

Mithgol commented Mar 11, 2015

Thanks.

Collaborator

leobalter commented Apr 22, 2016

The discussion on this seems stalled for more than a year. Let's re-open this when we have any updates.

leobalter closed this Apr 22, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment