Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding FTP related protocols to the registerProtocolHandler safelist. #513

Closed
asankah opened this issue Apr 15, 2021 · 4 comments
Closed

Adding FTP related protocols to the registerProtocolHandler safelist. #513

asankah opened this issue Apr 15, 2021 · 4 comments
Labels
position: positive venue: WHATWG Specifications in a WHATWG Workstream

Comments

@asankah
Copy link

asankah commented Apr 15, 2021

Request for Mozilla Position on an Emerging Web Specification

Other information

TL;DR: We'd like to add ftp, ftps, sftp to the safelist of protocols for which sites can register themselves as handlers.

Spec PR: whatwg/html#6584
@annevk
Copy link
Contributor

annevk commented Apr 16, 2021
edited
Loading

This seems fine (i.e., worth prototyping). @valenting thoughts?

@annevk annevk added the venue: WHATWG Specifications in a WHATWG Workstream label Apr 16, 2021
@valenting
Copy link

I've been wondering if we need to pay special attention to any credentials included in the FTP URL and if that has any influence on whether it's OK to pass them to a protocol handler.
But otherwise it seems OK to me.

@asankah
Copy link
Author

asankah commented Apr 16, 2021

@valenting Good point. My reading of https://html.spec.whatwg.org/multipage/system-state.html#security-and-privacy, specifically the Leaking Private Data and Leaking Credentials paragraphs is that embedded credentials would need to be stripped prior to redirection. While the UA can't do this for any custom scheme, we could do this for ftp/ftps/sftp.

I can make it a part of the WPTs.

WDYT?

@valenting
Copy link

While the UA can't do this for any custom scheme, we could do this for ftp/ftps/sftp.

Sounds good! Thanks!

@asankah asankah mentioned this issue May 21, 2021
Merged
3 tasks
@annevk annevk mentioned this issue Jan 12, 2022
Closed
moz-v2v-gh pushed a commit to mozilla/gecko-dev that referenced this issue Jan 21, 2022
@valenting
Bug 1705202 - Strip user & password from FTP schemes when going throu…
0c8d39e 
…gh webhandler r=Gijs

According to mozilla/standards-positions#513
the safe thing to do for FTP URLs when using a protocol handler is to strip
the credentials from them first.

This also adds a test that makes sure credentials are stripped when using
a web protocol handler.

Differential Revision: https://phabricator.services.mozilla.com/D136597
jamienicol pushed a commit to jamienicol/gecko that referenced this issue Jan 26, 2022
@valenting
Bug 1705202 - Strip user & password from FTP schemes when going throu…
713a6e5 
…gh webhandler r=Gijs

According to mozilla/standards-positions#513
the safe thing to do for FTP URLs when using a protocol handler is to strip
the credentials from them first.

This also adds a test that makes sure credentials are stripped when using
a web protocol handler.

Differential Revision: https://phabricator.services.mozilla.com/D136597
@annevk annevk closed this as completed May 20, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
position: positive venue: WHATWG Specifications in a WHATWG Workstream
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@asankah @valenting @annevk