-
Notifications
You must be signed in to change notification settings - Fork 69
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adding FTP related protocols to the registerProtocolHandler safelist. #513
Comments
This seems fine (i.e., worth prototyping). @valenting thoughts? |
I've been wondering if we need to pay special attention to any credentials included in the FTP URL and if that has any influence on whether it's OK to pass them to a protocol handler. |
@valenting Good point. My reading of https://html.spec.whatwg.org/multipage/system-state.html#security-and-privacy, specifically the Leaking Private Data and Leaking Credentials paragraphs is that embedded credentials would need to be stripped prior to redirection. While the UA can't do this for any custom scheme, we could do this for I can make it a part of the WPTs. WDYT? |
Sounds good! Thanks! |
…gh webhandler r=Gijs According to mozilla/standards-positions#513 the safe thing to do for FTP URLs when using a protocol handler is to strip the credentials from them first. This also adds a test that makes sure credentials are stripped when using a web protocol handler. Differential Revision: https://phabricator.services.mozilla.com/D136597
…gh webhandler r=Gijs According to mozilla/standards-positions#513 the safe thing to do for FTP URLs when using a protocol handler is to strip the credentials from them first. This also adds a test that makes sure credentials are stripped when using a web protocol handler. Differential Revision: https://phabricator.services.mozilla.com/D136597
Request for Mozilla Position on an Emerging Web Specification
Other information
TL;DR: We'd like to add
ftp
,ftps
,sftp
to the safelist of protocols for which sites can register themselves as handlers.Spec PR: whatwg/html#6584
The text was updated successfully, but these errors were encountered: