Consider security implications of URI schemes

[dauwhe]

Placeholder to discuss this, as mentioned by Gertjen.

[iherman]

(See minutes of Gertjan's presentation: https://www.w3.org/publishing/groups/epub-wg/Meetings/Minutes/2022-06-03-epub)

[iherman]

The issue was discussed in a meeting on 2022-06-17

List of resolutions:

• Resolution No. 2: Recommend the user SHOULD be given notification about links and their destination as part of RS recommendations, close issue 2320.

View the transcript

2. Consider security implications of URI schemes.

See github issue epub-specs#2320.

Dave Cramer: not sure what to do here because having a mailto: link is a pretty ordinary thing.
… but the fact that these can be abused is a problem.

Ivan Herman: we might be getting into the same problem as with symlinks if we try to be precise about it.
… we found some, like file: that we definitely want to avoid, but not sure how to make a general statement about this.
… other than maybe 'be careful about which URI schemes you use'.
… for example, you don't want to open up the discussion about bitcoin here.

Matt Garrish: we made the change a few weeks back that remote resources should be referenced by HTTPS, for other URI schemes, they will probably spawn some other app (dialing app, mail client).
… not sure this is our problem to solve, feels like we are going a little far afield.
… new schemes come up all the time.

Brady Duga: i think we've already fixed this. 1. URI schemes that are used internally - resolved with banning file: and HTTPS, 2. URI scheme that goes to another app.
… you may not recognize that a link is of this 2nd type.
… but we've added a suggestion that links external to the epub trigger notification to user.

Ivan Herman: not sure that that 2nd part is in the spec yet.

Brady Duga: okay, then let's recommend a 'hey, you're leaving our secure space now' to external links.
… that would solve this problem.
… most apps are good about this. They won't automatically take an action when they open..

Dave Cramer: i think informing user and getting consent is key here, not worrying about technical details.

Matt Garrish: I don't recall this being in the spec.

Ivan Herman: yes, we discussed this in a prior meeting.

Matt Garrish: but not in the security section currently.

Ivan Herman: is this going to be a SHOULD or a MUST?.

Brady Duga: SHOULD. Preserves the ability for user consent to be subject to a global allow.

Proposed resolution: Recommend the user SHOULD be given notification about links and their destination as part of RS recommendations, close issue 2320. (Wendy Reid)

Dave Cramer: +1.

Charles LaPierre: +1.

Toshiaki Koike: +1.

Wendy Reid: +1.

Matt Garrish: +1.

Brady Duga: +1.

Matthew Chan: +1.

Aimee Ubbink: +1.

Zheng Xu (徐征): +1.

Ivan Herman: +1.

Masakazu Kitahara: +1.

Resolution #2: Recommend the user SHOULD be given notification about links and their destination as part of RS recommendations, close issue 2320.

Ivan Herman: mgarrish can you find where we want to put this?.