don't restrict the urls that are handled #12
niemeyer commented Aug 9, 2016
Per online conversation, let's please not drop these constraints. We'd be vouching for URL schemes we have no idea about, which consequently means giving access to the confinement space for actions we also have no idea about. It's definitely okay to expand the list, but let's do that with care, ensuring the typical implementations of those handlers are safe and do not leak or damage data.
niemeyer closed this Aug 9, 2016
seb128 commented Aug 8, 2016
The whitelist is probably there for a reason, but there is no comment explaining it and I'm unsure where/when it was discussed; let's suggest removing it and trust the system handlers...
Is there any concern security-wise with handing a URL to software which claims to handle those?
We could also update the whitelist to include known standard URLs like apt/ftp/ssh, but the specification allows specific URL types to be defined, so you could have a new "youtube" type and have a player handling it; we probably don't want to get in the way of software being able to do that though?