A blacklist (not a whitelist) should define whether URL schemes are available for registration #12

Mithgol opened this issue Oct 25, 2011 · 3 comments

@Mithgol Mithgol commented Oct 25, 2011


The current spec says:

If the registerProtocolHandler() method is invoked with a scheme that is neither a whitelisted scheme nor a scheme whose value starts with the substring "web+" and otherwise contains only characters in the range U+0061 LATIN SMALL LETTER A to U+007A LATIN SMALL LETTER Z, the user agent must throw a SecurityError exception.

The following schemes are the whitelisted schemes:

  • irc
  • mailto
  • mms
  • news
  • nntp
  • sms
  • smsto
  • tel
  • urn
  • webcal

This list can be changed. If there are schemes that should be added, please send feedback.

Whitelisted, huh?

This is terrifying.

In Wikipedia there is a list of — how many? — over a hundred official and unofficial schemes.

And that's precisely because none of them had to be standardized before use.


Now imagine that you have an idea of some Web application with a brand new URL scheme — such as pay-to-github:username?amount (compare it with the existing skype:username?sendfile).

Unfortunately, you cannot start seriously coding your application (as a Web application) for the next ten years, because your scheme has to make its way to the WhatWG whitelist and only then (according to the spec) to the separate whitelists inside of several browser versions. (IE6 is ten years old and still in use. Guess when some IE11, which does not support your scheme currently, will grow old enough to die?…)

Well, you may implement your URI scheme instantly — but only in standalone applications for the required platforms. Not for the wide cross-platform Web. At least not for the next ten years.


A blacklist of dangerous schemes (schemes to be never redefined by Web applications) should be enough to ensure security. Otherwise the innovation would suffer.
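The two admission policies argued over above, written out side by side as an added example (this is not code from the WHATWG spec, from any browser, or from the issue author). The whitelist is the one quoted in the issue; the blacklist is a constructed, illustrative set chosen for this example only, and the "at least one character after `web+`" requirement is an assumption about how the quoted sentence reads.

```javascript
// Added example: the scheme-admission rule quoted in the issue (whitelist +
// "web+" prefix) next to the blacklist alternative the issue proposes.

// The whitelist exactly as quoted in the issue text.
const WHITELISTED_SCHEMES = new Set([
  "irc", "mailto", "mms", "news", "nntp", "sms", "smsto", "tel", "urn", "webcal",
]);

// Spec rule as quoted: whitelisted, or "web+" followed only by U+0061..U+007A.
// Assumption: at least one character must follow "web+" (a bare "web+" is rejected).
// Note that the check is case-sensitive and admits no digits, "-" or ".".
function isRegistrableUnderWhitelist(scheme) {
  if (typeof scheme !== "string") return false;
  if (WHITELISTED_SCHEMES.has(scheme)) return true;
  return /^web\+[a-z]+$/.test(scheme);
}

// Constructed, illustrative blacklist for the issue's counter-proposal: schemes a
// web page must never be allowed to capture. This set is an assumption made for
// the example, not a list taken from the spec or from the issue.
const BLACKLISTED_SCHEMES = new Set([
  "http", "https", "file", "javascript", "vbscript", "data", "blob", "about",
  "ftp", "ws", "wss", "chrome", "view-source",
]);

// Counter-proposal: anything that is syntactically a scheme
// (RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )) is allowed unless it is
// blacklisted. Scheme names are case-insensitive, so lower-case before the
// lookup; otherwise "JavaScript" would slip past the "javascript" entry.
function isRegistrableUnderBlacklist(scheme) {
  if (typeof scheme !== "string") return false;
  const s = scheme.toLowerCase();
  if (!/^[a-z][a-z0-9+.-]*$/.test(s)) return false;
  return !BLACKLISTED_SCHEMES.has(s);
}

// Mimic the observable behaviour the spec prescribes: throw a SecurityError for
// a scheme the chosen policy rejects, otherwise hand the scheme back.
function checkScheme(scheme, policy) {
  if (!policy(scheme)) {
    const err = new Error(`Scheme "${scheme}" may not be registered`);
    err.name = "SecurityError";
    throw err;
  }
  return scheme;
}

// Constructed sample: the scheme proposed in the issue under each policy.
const sample = "pay-to-github";
console.log(sample, "whitelist:", isRegistrableUnderWhitelist(sample),
            "blacklist:", isRegistrableUnderBlacklist(sample));
```

Two things the side-by-side shows that the prose does not. First, the issue's own example scheme cannot be rescued by the `web+` escape hatch: `web+pay-to-github` still fails, because the quoted rule admits only the letters a to z after the prefix, not hyphens or digits. Second, the blacklist is a default-open policy: it only protects against schemes someone thought to list, and its case-insensitive normalization is load-bearing, since a single missed alias (`JavaScript`, `javascript` with an uppercase letter) would reopen the hole the list was meant to close.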


@KrzysiekJ KrzysiekJ commented Mar 8, 2015


@Mithgol Mithgol commented Mar 11, 2015



@leobalter leobalter commented Apr 22, 2016

The discussion on this seems stalled for more than a year. Let's re-open this when we have any updates.

@leobalter leobalter closed this Apr 22, 2016