New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Restrict openWindow() to http(s) schemes? #699
Comments
What happens if you hit a redirect to a custom scheme? Or execute some JavaScript to navigate to one? |
Hey, I just noticed the about:blank spec change. Chrome currently treats all about:* URLs as "about:blank" in openWindow(). Apparently this mimics the behavior of window.open(). cc @mounirlamouri who implemented this in https://codereview.chromium.org/980383004 By the logic of issue #696, it would seem we should instead reject all about:* instead of opening about:blank. Should the spec codify that? |
Apologies for flip-flopping, but I'm no longer convinced the changes in #696 were a good idea. Sure, Making |
It seems better if they follow the same code path as much as possible, agreed. This requires some special casing though for |
F2F: Allowing |
We currently reject on
about:blank
(due to #696), but is there any benefit in allowing schemes other thanhttp
andhttps
?What would it mean to
openWindow('mailto:hello@example.com')
? etcI propose we reject on schemes other than http/https. Any objections?
The text was updated successfully, but these errors were encountered: