[giow] (1) registerProtocolHandler() and registerContentHandler() security updates

git-svn-id: http://svn.whatwg.org/webapps@6523 340c8d12-0b0e-0410-8428-c7bf67bfef74
1 parent b0f1d0c commit 8a36e83be9bf2f07dc959da13567451490ae38e2 @Hixie Hixie committed Aug 23, 2011
Showing with 334 additions and 69 deletions.
  1. +107 −23 complete.html
  2. +107 −23 index
  3. +120 −23 source
130 complete.html
@@ -1358,7 +1358,8 @@ <h2 class="no-num no-toc" id=contents>Table of contents</h2>
<li><a href=#application/microdata+json><span class=secno>17.8 </span><code>application/microdata+json</code></a></li>
<li><a href=#application/html-peer-connection-data><span class=secno>17.9 </span><code>application/html-peer-connection-data</code></a></li>
<li><a href=#ping-from><span class=secno>17.10 </span><code>Ping-From</code></a></li>
- <li><a href=#ping-to><span class=secno>17.11 </span><code>Ping-To</code></a></ol></li>
+ <li><a href=#ping-to><span class=secno>17.11 </span><code>Ping-To</code></a></li>
+ <li><a href=#web+-scheme-prefix><span class=secno>17.12 </span><code>web+</code> scheme prefix</a></ol></li>
<li><a class=no-num href=#index>Index</a>
<ol>
<li><a class=no-num href=#elements-1>Elements</a></li>
@@ -70485,7 +70486,11 @@ <h5 id=custom-handlers><span class=secno>7.5.1.2 </span>Custom scheme and conten
the user is not repeatedly prompted with the same request.</p>
<p>The arguments to the methods have the following meanings and
- corresponding implementation requirements:</p>
+ corresponding implementation requirements. The requirements that
+ involve throwing exceptions must be processed in the order given
+ below, stopping at the first exception raised. (So the
+ <code><a href=#security_err>SECURITY_ERR</a></code> exceptions take precedence over the
+ <code><a href=#syntax_err>SYNTAX_ERR</a></code> exception.)</p>
<dl><dt><var title="">scheme</var> (<code title=dom-navigator-registerProtocolHandler><a href=#dom-navigator-registerprotocolhandler>registerProtocolHandler()</a></code> only)</dt>
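
Review bot: The added sentence "must be processed in the order given below" ties exception precedence to the order in which the argument entries appear in the list that follows, so reordering those entries later would silently change which exception is raised. Consider stating the order explicitly (scheme or MIME type check first, then the url check) in the normative sentence rather than only in the parenthetical.
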
@@ -70501,8 +70506,29 @@ <h5 id=custom-handlers><span class=secno>7.5.1.2 </span>Custom scheme and conten
(as in "<code>ftp:</code>"), will never match anything, since
schemes don't contain colons.</p>
- <p class=note>This feature is not intended to be used with
- non-standard protocols.</p>
+ <p>If the <code title=dom-navigator-registerProtocolHandler><a href=#dom-navigator-registerprotocolhandler>registerProtocolHandler()</a></code>
+ method is invoked with a scheme that is neither a
+ <a href=#whitelisted-scheme>whitelisted scheme</a> nor a scheme whose value starts
+ with the substring "<code title="">web+</code>" and otherwise
+ contains only characters in the range U+0061 LATIN SMALL LETTER A
+ to U+007A LATIN SMALL LETTER Z, the user agent must raise
+ <code><a href=#security_err>SECURITY_ERR</a></code> exception.</p>
+
+ <p>The following schemes are the <dfn id=whitelisted-scheme title="whitelisted
+ scheme">whitelisted schemes</dfn>:</p>
+
+ <ul class=brief><li><code title="">irc</code></li>
+ <li><code title="">mailto</code></li>
+ <li><code title="">mms</code></li>
+ <li><code title="">news</code></li>
+ <li><code title="">nntp</code></li>
+ <li><code title="">sms</code></li>
+ <li><code title="">smsto</code></li>
+ <li><code title="">tel</code></li>
+ <li><code title="">urn</code></li>
+ <li><code title="">webcal</code></li>
+ </ul><p class=note>This list can be changed. If there are schemes
+ that should be added, please send feedback.</p>
</dd>
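
Review bot: The scheme test in the added paragraph (starts with "web+" and "otherwise contains only characters in the range" a to z) is satisfied by the bare string "web+", while the registration template added in the 17.12 hunk requires "one or more letters" after the prefix. Suggest requiring at least one letter here too so the two definitions agree, and stating whether the scheme argument is compared case-sensitively against the whitelist. Minor: "must raise SECURITY_ERR exception" is missing the article "a".
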
@@ -70529,6 +70555,31 @@ <h5 id=custom-handlers><span class=secno>7.5.1.2 </span>Custom scheme and conten
used by the user agent <em>after</em> the sniffing algorithms have
been applied.</p>
+ <p>If the <code title=dom-navigator-registerContentHandler><a href=#dom-navigator-registercontenthandler>registerContentHandler()</a></code>
+ method is invoked with a <a href=#mime-type>MIME type</a> that is in the
+ <a href=#type-blacklist>type blacklist</a> or that the user agent has deemed a
+ privileged type, the user agent must raise
+ <code><a href=#security_err>SECURITY_ERR</a></code> exception.</p>
+
+ <p>The following <a href=#mime-type title="MIME type">MIME types</a> are in
+ the <dfn id=type-blacklist>type blacklist</dfn>:</p>
+
+ <ul title=brief><li><code><a href=#text/cache-manifest>text/cache-manifest</a></code></li>
+ <li><code>text/css</code></li>
+ <li><code><a href=#text/html-sandboxed>text/html-sandboxed</a></code></li>
+ <li><code><a href=#text/html>text/html</a></code></li>
+ <li><code><a href=#text/ping>text/ping</a></code></li>
+ <li><code>text/plain</code></li>
+ <li><code><a href=#application/x-www-form-urlencoded>application/x-www-form-urlencoded</a></code></li>
+ <li><code>image/gif</code></li>
+ <li><code>image/jpeg</code></li>
+ <li><code>image/png</code></li>
+ <li>All <a href=#xml-mime-type title="XML MIME type">XML MIME types</a></li>
+ <li>All types that the user agent supports displaying natively in a <a href=#browsing-context>browsing context</a> during <a href=#navigate title=navigate>navigation</a></li>
+
+ </ul><p class=note>This list can be changed. If there are schemes
+ that should be added, please send feedback.</p>
+
</dd>
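
Review bot: The note that closes the type blacklist reads "If there are schemes that should be added", carried over from the scheme whitelist; here it should say "types". The list is also opened with ul title=brief where the whitelist uses ul class=brief, which looks like a typo for the class attribute. Both slips are repeated in the index and source hunks. It would also help to say how the mimeType argument is matched against the list (letter case, parameters such as charset), since the added text does not.
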
@@ -70557,6 +70608,14 @@ <h5 id=custom-handlers><span class=secno>7.5.1.2 </span>Custom scheme and conten
&lt;query&gt; production defined in RFC 3986 by the
percent-encoded form of that character. <a href=#refsRFC3986>[RFC3986]</a></p>
+ <p>User agents must raise a <code><a href=#syntax_err>SYNTAX_ERR</a></code> exception if
+ the <var title="">url</var> argument passed to one of these
+ methods does not contain the exact literal string
+ "<code>%s</code>", or if <a href=#resolve-a-url title="resolve a
+ url">resolving</a> the <var title="">url</var> argument with
+ the first occurrence of the string "<code title="">%s</code>"
+ removed, relative to the <a href=#entry-script>entry script</a>'s <a href="#script's-base-url" title="script's base URL">base URL</a>, is not successful.</p>
+
<div class=example>
<p>If the user had visited a site at <code title="">http://example.com/</code> that made the following
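
Review bot: The relocated SYNTAX_ERR paragraph is the only check on the url argument in the visible lines: it requires "%s" and a successful resolve, but places no constraint on where the resolved URL points. Since this commit turns the scheme and type checks into mandatory SECURITY_ERR conditions, consider whether a handler url on a different origin from the registering page should be rejected the same way, or state that this is left to the user agent.
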
@@ -70593,24 +70652,7 @@ <h5 id=custom-handlers><span class=secno>7.5.1.2 </span>Custom scheme and conten
</dd>
- </dl><p>User agents should raise <code><a href=#security_err>SECURITY_ERR</a></code> exceptions if
- the methods are called with <var title="">scheme</var> or <var title="">mimeType</var> values that the UA deems to be
- "privileged". For example, a site attempting to register a handler
- for <code>http</code> URLs or <code><a href=#text/html>text/html</a></code> content in a
- Web browser would likely cause an exception to be raised.</p>
-
- <p>User agents must raise a <code><a href=#syntax_err>SYNTAX_ERR</a></code> exception if the
- <var title="">url</var> argument passed to one of these methods does
- not contain the exact literal string "<code>%s</code>", or if <a href=#resolve-a-url title="resolve a url">resolving</a> the <var title="">url</var>
- argument with the first occurrence of the string "<code title="">%s</code>" removed, relative to the <a href=#entry-script>entry
- script</a>'s <a href="#script's-base-url" title="script's base URL">base URL</a>, is
- not successful.</p>
-
- <p>User agents must not raise any other exceptions (other than
- binding-specific exceptions, such as for an incorrect number of
- arguments in an JavaScript implementation).</p>
-
- <p>This section does not define how the pages registered by these
+ </dl><p>This section does not define how the pages registered by these
methods are used, beyond the requirements on how to process the <var title="">url</var> value (see above). To some extent, the <a href=#navigate title=navigate>processing model for navigating across
documents</a> defines some cases where these methods are
relevant, but in general UAs may use this information wherever they
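
Review bot: Of the three paragraphs removed after the closing dl tag, the SECURITY_ERR and SYNTAX_ERR ones reappear elsewhere in this diff, but "User agents must not raise any other exceptions" is deleted with no replacement. If lifting that restriction is intended, say so in the commit message; otherwise move it next to the new ordering sentence so the set of permitted exceptions stays closed.
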
@@ -98304,7 +98346,44 @@ <h3 id=ping-from><span class=secno>17.10 </span><dfn title=http-ping-from><code>
</dd>
<dt>Related information</dt>
<dd>None.</dd>
- </dl><!--PING--><h2 class=no-num id=index>Index</h2>
+ </dl><!--PING--><h3 id=web+-scheme-prefix><span class=secno>17.12 </span><dfn title=scheme-web><code>web+</code> scheme prefix</dfn></h3>
+
+ <p>This section describes a convention for use with the IANA URI
+ scheme registry. It does not itself register a specific scheme. <a href=#refsRFC4395>[RFC4395]</a></p>
+
+ <dl><dt>URI scheme name</dt>
+ <dd>
+ Schemes starting with the four characters "<code title="">web+</code>" followed by one or more letters in the range
+ <code title="">a</code>-<code title="">z</code>.
+ </dd>
+ <dt>Status</dt>
+ <dd>permanent</dd>
+ <dt>URI scheme syntax</dt>
+ <dd>Scheme-specific.</dd>
+ <dt>URI scheme semantics</dt>
+ <dd>Scheme-specific.</dd>
+ <dt>Encoding considerations</dt>
+ <dd>All "<code title="">web+</code>" schemes should use UTF-8 encodings were relevant.</dd>
+ <dt>Applications/protocols that use this URI scheme name</dt>
+ <dd>Scheme-specific.</dd>
+ <dt>Interoperability considerations</dt>
+ <dd>The scheme is expected to be used in the context of Web applications.</dd>
+ <dt>Security considerations</dt>
+ <dd>
+ Any Web page is able to register a handler for all "<code title="">web+</code>" schemes. As such, these schemes must not be
+ used for features intended to be core platform features (e.g.
+ network transfer protocols like HTTP or FTP). Similarly, such
+ schemes must not store confidential information in their URLs,
+ such as usernames, passwords, personal information, or
+ confidential project names.
+ </dd>
+ <dt>Contact</dt>
+ <dd>Ian Hickson &lt;ian@hixie.ch&gt;</dd>
+ <dt>Author/Change controller</dt>
+ <dd>Ian Hickson &lt;ian@hixie.ch&gt;</dd>
+ <dt>References</dt>
+ <dd>W3C</dd>
+ </dl><h2 class=no-num id=index>Index</h2>
<div class=impl>
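
Review bot: In the Encoding considerations entry, "should use UTF-8 encodings were relevant" should read "where relevant"; the typo is repeated in the index and source hunks. The References entry is only "W3C", which gives a reader of the IANA registry nothing to follow, so point it at this specification by name. The Security considerations text is the only place that warns against putting confidential data in "web+" URLs; a cross-reference from the registerProtocolHandler() scheme paragraph would put the warning where authors will see it.
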
@@ -101734,6 +101813,9 @@ <h3 class="no-num">Reflecting IDL attributes</h3>
<dd>(Non-normative) <cite><a href=http://tools.ietf.org/html/rfc4329>Scripting Media
Types</a></cite>, B. H&ouml;hrmann. IETF.</dd>
+ <dt id=refsRFC4395>[RFC4395]</dt>
+ <dd><cite><a href=http://tools.ietf.org/html/rfc4395>Guidelines and Registration Procedures for New URI Schemes</a></cite>, T. Hansen, T. Hardie, L. Masinter. IETF.</dd>
+
<dt id=refsRFC4648>[RFC4648]</dt>
<dd><cite><a href=http://tools.ietf.org/html/rfc4648>The Base16,
Base32, and Base64 Data Encodings</a></cite>, S. Josefsson.
@@ -102187,6 +102269,7 @@ <h3 class="no-num">Reflecting IDL attributes</h3>
James Craig,
James Graham,
James Justin Harrell,
+ James Kozianski,
James M Snell,
James Perrett,
James Robinson,
@@ -102492,6 +102575,7 @@ <h3 class="no-num">Reflecting IDL attributes</h3>
Wayne Pollock,
Wellington Fernando de Macedo,
Weston Ruter,
+ Wilhelm Joys Andersen,
Will Levine,
William Swanson,
Wladimir Palant,
130 index
@@ -1271,7 +1271,8 @@
<li><a href=#application/microdata+json><span class=secno>15.8 </span><code>application/microdata+json</code></a></li>
<li><a href=#application/html-peer-connection-data><span class=secno>15.9 </span><code>application/html-peer-connection-data</code></a></li>
<li><a href=#ping-from><span class=secno>15.10 </span><code>Ping-From</code></a></li>
- <li><a href=#ping-to><span class=secno>15.11 </span><code>Ping-To</code></a></ol></li>
+ <li><a href=#ping-to><span class=secno>15.11 </span><code>Ping-To</code></a></li>
+ <li><a href=#web+-scheme-prefix><span class=secno>15.12 </span><code>web+</code> scheme prefix</a></ol></li>
<li><a class=no-num href=#index>Index</a>
<ol>
<li><a class=no-num href=#elements-1>Elements</a></li>
@@ -70375,7 +70376,11 @@ interface <dfn id=navigatorcontentutils>NavigatorContentUtils</dfn> {
the user is not repeatedly prompted with the same request.</p>
<p>The arguments to the methods have the following meanings and
- corresponding implementation requirements:</p>
+ corresponding implementation requirements. The requirements that
+ involve throwing exceptions must be processed in the order given
+ below, stopping at the first exception raised. (So the
+ <code><a href=#security_err>SECURITY_ERR</a></code> exceptions take precedence over the
+ <code><a href=#syntax_err>SYNTAX_ERR</a></code> exception.)</p>
<dl><dt><var title="">scheme</var> (<code title=dom-navigator-registerProtocolHandler><a href=#dom-navigator-registerprotocolhandler>registerProtocolHandler()</a></code> only)</dt>
@@ -70391,8 +70396,29 @@ interface <dfn id=navigatorcontentutils>NavigatorContentUtils</dfn> {
(as in "<code>ftp:</code>"), will never match anything, since
schemes don't contain colons.</p>
- <p class=note>This feature is not intended to be used with
- non-standard protocols.</p>
+ <p>If the <code title=dom-navigator-registerProtocolHandler><a href=#dom-navigator-registerprotocolhandler>registerProtocolHandler()</a></code>
+ method is invoked with a scheme that is neither a
+ <a href=#whitelisted-scheme>whitelisted scheme</a> nor a scheme whose value starts
+ with the substring "<code title="">web+</code>" and otherwise
+ contains only characters in the range U+0061 LATIN SMALL LETTER A
+ to U+007A LATIN SMALL LETTER Z, the user agent must raise
+ <code><a href=#security_err>SECURITY_ERR</a></code> exception.</p>
+
+ <p>The following schemes are the <dfn id=whitelisted-scheme title="whitelisted
+ scheme">whitelisted schemes</dfn>:</p>
+
+ <ul class=brief><li><code title="">irc</code></li>
+ <li><code title="">mailto</code></li>
+ <li><code title="">mms</code></li>
+ <li><code title="">news</code></li>
+ <li><code title="">nntp</code></li>
+ <li><code title="">sms</code></li>
+ <li><code title="">smsto</code></li>
+ <li><code title="">tel</code></li>
+ <li><code title="">urn</code></li>
+ <li><code title="">webcal</code></li>
+ </ul><p class=note>This list can be changed. If there are schemes
+ that should be added, please send feedback.</p>
</dd>
@@ -70419,6 +70445,31 @@ interface <dfn id=navigatorcontentutils>NavigatorContentUtils</dfn> {
used by the user agent <em>after</em> the sniffing algorithms have
been applied.</p>
+ <p>If the <code title=dom-navigator-registerContentHandler><a href=#dom-navigator-registercontenthandler>registerContentHandler()</a></code>
+ method is invoked with a <a href=#mime-type>MIME type</a> that is in the
+ <a href=#type-blacklist>type blacklist</a> or that the user agent has deemed a
+ privileged type, the user agent must raise
+ <code><a href=#security_err>SECURITY_ERR</a></code> exception.</p>
+
+ <p>The following <a href=#mime-type title="MIME type">MIME types</a> are in
+ the <dfn id=type-blacklist>type blacklist</dfn>:</p>
+
+ <ul title=brief><li><code><a href=#text/cache-manifest>text/cache-manifest</a></code></li>
+ <li><code>text/css</code></li>
+ <li><code><a href=#text/html-sandboxed>text/html-sandboxed</a></code></li>
+ <li><code><a href=#text/html>text/html</a></code></li>
+ <li><code><a href=#text/ping>text/ping</a></code></li>
+ <li><code>text/plain</code></li>
+ <li><code><a href=#application/x-www-form-urlencoded>application/x-www-form-urlencoded</a></code></li>
+ <li><code>image/gif</code></li>
+ <li><code>image/jpeg</code></li>
+ <li><code>image/png</code></li>
+ <li>All <a href=#xml-mime-type title="XML MIME type">XML MIME types</a></li>
+ <li>All types that the user agent supports displaying natively in a <a href=#browsing-context>browsing context</a> during <a href=#navigate title=navigate>navigation</a></li>
+
+ </ul><p class=note>This list can be changed. If there are schemes
+ that should be added, please send feedback.</p>
+
</dd>
@@ -70447,6 +70498,14 @@ interface <dfn id=navigatorcontentutils>NavigatorContentUtils</dfn> {
&lt;query&gt; production defined in RFC 3986 by the
percent-encoded form of that character. <a href=#refsRFC3986>[RFC3986]</a></p>
+ <p>User agents must raise a <code><a href=#syntax_err>SYNTAX_ERR</a></code> exception if
+ the <var title="">url</var> argument passed to one of these
+ methods does not contain the exact literal string
+ "<code>%s</code>", or if <a href=#resolve-a-url title="resolve a
+ url">resolving</a> the <var title="">url</var> argument with
+ the first occurrence of the string "<code title="">%s</code>"
+ removed, relative to the <a href=#entry-script>entry script</a>'s <a href="#script's-base-url" title="script's base URL">base URL</a>, is not successful.</p>
+
<div class=example>
<p>If the user had visited a site at <code title="">http://example.com/</code> that made the following
@@ -70483,24 +70542,7 @@ interface <dfn id=navigatorcontentutils>NavigatorContentUtils</dfn> {
</dd>
- </dl><p>User agents should raise <code><a href=#security_err>SECURITY_ERR</a></code> exceptions if
- the methods are called with <var title="">scheme</var> or <var title="">mimeType</var> values that the UA deems to be
- "privileged". For example, a site attempting to register a handler
- for <code>http</code> URLs or <code><a href=#text/html>text/html</a></code> content in a
- Web browser would likely cause an exception to be raised.</p>
-
- <p>User agents must raise a <code><a href=#syntax_err>SYNTAX_ERR</a></code> exception if the
- <var title="">url</var> argument passed to one of these methods does
- not contain the exact literal string "<code>%s</code>", or if <a href=#resolve-a-url title="resolve a url">resolving</a> the <var title="">url</var>
- argument with the first occurrence of the string "<code title="">%s</code>" removed, relative to the <a href=#entry-script>entry
- script</a>'s <a href="#script's-base-url" title="script's base URL">base URL</a>, is
- not successful.</p>
-
- <p>User agents must not raise any other exceptions (other than
- binding-specific exceptions, such as for an incorrect number of
- arguments in an JavaScript implementation).</p>
-
- <p>This section does not define how the pages registered by these
+ </dl><p>This section does not define how the pages registered by these
methods are used, beyond the requirements on how to process the <var title="">url</var> value (see above). To some extent, the <a href=#navigate title=navigate>processing model for navigating across
documents</a> defines some cases where these methods are
relevant, but in general UAs may use this information wherever they
@@ -93751,7 +93793,44 @@ if (s = prompt('What is your name?')) {
</dd>
<dt>Related information</dt>
<dd>None.</dd>
- </dl><!--PING--><h2 class=no-num id=index>Index</h2>
+ </dl><!--PING--><h3 id=web+-scheme-prefix><span class=secno>15.12 </span><dfn title=scheme-web><code>web+</code> scheme prefix</dfn></h3>
+
+ <p>This section describes a convention for use with the IANA URI
+ scheme registry. It does not itself register a specific scheme. <a href=#refsRFC4395>[RFC4395]</a></p>
+
+ <dl><dt>URI scheme name</dt>
+ <dd>
+ Schemes starting with the four characters "<code title="">web+</code>" followed by one or more letters in the range
+ <code title="">a</code>-<code title="">z</code>.
+ </dd>
+ <dt>Status</dt>
+ <dd>permanent</dd>
+ <dt>URI scheme syntax</dt>
+ <dd>Scheme-specific.</dd>
+ <dt>URI scheme semantics</dt>
+ <dd>Scheme-specific.</dd>
+ <dt>Encoding considerations</dt>
+ <dd>All "<code title="">web+</code>" schemes should use UTF-8 encodings were relevant.</dd>
+ <dt>Applications/protocols that use this URI scheme name</dt>
+ <dd>Scheme-specific.</dd>
+ <dt>Interoperability considerations</dt>
+ <dd>The scheme is expected to be used in the context of Web applications.</dd>
+ <dt>Security considerations</dt>
+ <dd>
+ Any Web page is able to register a handler for all "<code title="">web+</code>" schemes. As such, these schemes must not be
+ used for features intended to be core platform features (e.g.
+ network transfer protocols like HTTP or FTP). Similarly, such
+ schemes must not store confidential information in their URLs,
+ such as usernames, passwords, personal information, or
+ confidential project names.
+ </dd>
+ <dt>Contact</dt>
+ <dd>Ian Hickson &lt;ian@hixie.ch&gt;</dd>
+ <dt>Author/Change controller</dt>
+ <dd>Ian Hickson &lt;ian@hixie.ch&gt;</dd>
+ <dt>References</dt>
+ <dd>W3C</dd>
+ </dl><h2 class=no-num id=index>Index</h2>
<div class=impl>
@@ -97326,6 +97405,9 @@ if (s = prompt('What is your name?')) {
<dd>(Non-normative) <cite><a href=http://tools.ietf.org/html/rfc4329>Scripting Media
Types</a></cite>, B. H&ouml;hrmann. IETF.</dd>
+ <dt id=refsRFC4395>[RFC4395]</dt>
+ <dd><cite><a href=http://tools.ietf.org/html/rfc4395>Guidelines and Registration Procedures for New URI Schemes</a></cite>, T. Hansen, T. Hardie, L. Masinter. IETF.</dd>
+
<dt id=refsRFC4648>[RFC4648]</dt>
<dd><cite><a href=http://tools.ietf.org/html/rfc4648>The Base16,
Base32, and Base64 Data Encodings</a></cite>, S. Josefsson.
@@ -97795,6 +97877,7 @@ if (s = prompt('What is your name?')) {
James Craig,
James Graham,
James Justin Harrell,
+ James Kozianski,
James M Snell,
James Perrett,
James Robinson,
@@ -98100,6 +98183,7 @@ if (s = prompt('What is your name?')) {
Wayne Pollock,
Wellington Fernando de Macedo,
Weston Ruter,
+ Wilhelm Joys Andersen,
Will Levine,
William Swanson,
Wladimir Palant,
143 source
@@ -80196,7 +80196,11 @@ interface <dfn>NavigatorContentUtils</dfn> {
the user is not repeatedly prompted with the same request.</p>
<p>The arguments to the methods have the following meanings and
- corresponding implementation requirements:</p>
+ corresponding implementation requirements. The requirements that
+ involve throwing exceptions must be processed in the order given
+ below, stopping at the first exception raised. (So the
+ <code>SECURITY_ERR</code> exceptions take precedence over the
+ <code>SYNTAX_ERR</code> exception.)</p>
<dl>
@@ -80214,8 +80218,33 @@ interface <dfn>NavigatorContentUtils</dfn> {
(as in "<code>ftp:</code>"), will never match anything, since
schemes don't contain colons.</p>
- <p class="note">This feature is not intended to be used with
- non-standard protocols.</p>
+ <p>If the <code
+ title="dom-navigator-registerProtocolHandler">registerProtocolHandler()</code>
+ method is invoked with a scheme that is neither a
+ <span>whitelisted scheme</span> nor a scheme whose value starts
+ with the substring "<code title="">web+</code>" and otherwise
+ contains only characters in the range U+0061 LATIN SMALL LETTER A
+ to U+007A LATIN SMALL LETTER Z, the user agent must raise
+ <code>SECURITY_ERR</code> exception.</p>
+
+ <p>The following schemes are the <dfn title="whitelisted
+ scheme">whitelisted schemes</dfn>:</p>
+
+ <ul class="brief">
+ <li><code title="">irc</code></li>
+ <li><code title="">mailto</code></li>
+ <li><code title="">mms</code></li>
+ <li><code title="">news</code></li>
+ <li><code title="">nntp</code></li>
+ <li><code title="">sms</code></li>
+ <li><code title="">smsto</code></li>
+ <li><code title="">tel</code></li>
+ <li><code title="">urn</code></li>
+ <li><code title="">webcal</code></li>
+ </ul>
+
+ <p class="note">This list can be changed. If there are schemes
+ that should be added, please send feedback.</p>
</dd>
@@ -80242,6 +80271,36 @@ interface <dfn>NavigatorContentUtils</dfn> {
used by the user agent <em>after</em> the sniffing algorithms have
been applied.</p>
+ <p>If the <code
+ title="dom-navigator-registerContentHandler">registerContentHandler()</code>
+ method is invoked with a <span>MIME type</span> that is in the
+ <span>type blacklist</span> or that the user agent has deemed a
+ privileged type, the user agent must raise
+ <code>SECURITY_ERR</code> exception.</p>
+
+ <p>The following <span title="MIME type">MIME types</span> are in
+ the <dfn>type blacklist</dfn>:</p>
+
+ <ul title="brief">
+
+ <li><code>text/cache-manifest</code></li>
+ <li><code>text/css</code></li>
+ <li><code>text/html-sandboxed</code></li>
+ <li><code>text/html</code></li>
+ <li><code>text/ping</code></li>
+ <li><code>text/plain</code></li>
+ <li><code>application/x-www-form-urlencoded</code></li>
+ <li><code>image/gif</code></li>
+ <li><code>image/jpeg</code></li>
+ <li><code>image/png</code></li>
+ <li>All <span title="XML MIME type">XML MIME types</span></li>
+ <li>All types that the user agent supports displaying natively in a <span>browsing context</span> during <span title="navigate">navigation</span></li>
+
+ </ul>
+
+ <p class="note">This list can be changed. If there are schemes
+ that should be added, please send feedback.</p>
+
</dd>
@@ -80275,6 +80334,15 @@ interface <dfn>NavigatorContentUtils</dfn> {
percent-encoded form of that character. <a
href="#refsRFC3986">[RFC3986]</a></p>
+ <p>User agents must raise a <code>SYNTAX_ERR</code> exception if
+ the <var title="">url</var> argument passed to one of these
+ methods does not contain the exact literal string
+ "<code>%s</code>", or if <span title="resolve a
+ url">resolving</span> the <var title="">url</var> argument with
+ the first occurrence of the string "<code title="">%s</code>"
+ removed, relative to the <span>entry script</span>'s <span
+ title="script's base URL">base URL</span>, is not successful.</p>
+
<div class="example">
<p>If the user had visited a site at <code
@@ -80315,26 +80383,6 @@ interface <dfn>NavigatorContentUtils</dfn> {
</dl>
- <p>User agents should raise <code>SECURITY_ERR</code> exceptions if
- the methods are called with <var title="">scheme</var> or <var
- title="">mimeType</var> values that the UA deems to be
- "privileged". For example, a site attempting to register a handler
- for <code>http</code> URLs or <code>text/html</code> content in a
- Web browser would likely cause an exception to be raised.</p>
-
- <p>User agents must raise a <code>SYNTAX_ERR</code> exception if the
- <var title="">url</var> argument passed to one of these methods does
- not contain the exact literal string "<code>%s</code>", or if <span
- title="resolve a url">resolving</span> the <var title="">url</var>
- argument with the first occurrence of the string "<code
- title="">%s</code>" removed, relative to the <span>entry
- script</span>'s <span title="script's base URL">base URL</span>, is
- not successful.</p>
-
- <p>User agents must not raise any other exceptions (other than
- binding-specific exceptions, such as for an incorrect number of
- arguments in an JavaScript implementation).</p>
-
<p>This section does not define how the pages registered by these
methods are used, beyond the requirements on how to process the <var
title="">url</var> value (see above). To some extent, the <span
@@ -111509,6 +111557,50 @@ if (s = prompt('What is your name?')) {
<!--START w3c-html--><!--PING-->
+ <h3><dfn title="scheme-web"><code>web+</code> scheme prefix</dfn></h3>
+
+ <p>This section describes a convention for use with the IANA URI
+ scheme registry. It does not itself register a specific scheme. <a
+ href="#refsRFC4395">[RFC4395]</a></p>
+
+ <dl>
+ <dt>URI scheme name</dt>
+ <dd>
+ Schemes starting with the four characters "<code
+ title="">web+</code>" followed by one or more letters in the range
+ <code title="">a</code>-<code title="">z</code>.
+ </dd>
+ <dt>Status</dt>
+ <dd>permanent</dd>
+ <dt>URI scheme syntax</dt>
+ <dd>Scheme-specific.</dd>
+ <dt>URI scheme semantics</dt>
+ <dd>Scheme-specific.</dd>
+ <dt>Encoding considerations</dt>
+ <dd>All "<code title="">web+</code>" schemes should use UTF-8 encodings were relevant.</dd>
+ <dt>Applications/protocols that use this URI scheme name</dt>
+ <dd>Scheme-specific.</dd>
+ <dt>Interoperability considerations</dt>
+ <dd>The scheme is expected to be used in the context of Web applications.</dd>
+ <dt>Security considerations</dt>
+ <dd>
+ Any Web page is able to register a handler for all "<code
+ title="">web+</code>" schemes. As such, these schemes must not be
+ used for features intended to be core platform features (e.g.
+ network transfer protocols like HTTP or FTP). Similarly, such
+ schemes must not store confidential information in their URLs,
+ such as usernames, passwords, personal information, or
+ confidential project names.
+ </dd>
+ <dt>Contact</dt>
+ <dd>Ian Hickson &lt;ian@hixie.ch></dd>
+ <dt>Author/Change controller</dt>
+ <dd>Ian Hickson &lt;ian@hixie.ch></dd>
+ <dt>References</dt>
+ <dd>W3C</dd>
+ </dl>
+
+
<h2 id="index" class="no-num">Index</h2>
<div class="impl">
@@ -115934,6 +116026,9 @@ if (s = prompt('What is your name?')) {
Layer Security (TLS) Extensions</a></cite>, S. Blake-Wilson,
M. Nystrom, D. Hopwood, J. Mikkelsen, T. Wright. IETF.</dd>
+ <dt id="refsRFC4395">[RFC4395]</dt>
+ <dd><cite><a href="http://tools.ietf.org/html/rfc4395">Guidelines and Registration Procedures for New URI Schemes</a></cite>, T. Hansen, T. Hardie, L. Masinter. IETF.</dd>
+
<dt id="refsRFC4648">[RFC4648]</dt>
<dd><cite><a href="http://tools.ietf.org/html/rfc4648">The Base16,
Base32, and Base64 Data Encodings</a></cite>, S. Josefsson.
@@ -116474,6 +116569,7 @@ if (s = prompt('What is your name?')) {
James Craig,
James Graham,
James Justin Harrell,
+ James Kozianski,
James M Snell,
James Perrett,
James Robinson,
@@ -116779,6 +116875,7 @@ if (s = prompt('What is your name?')) {
Wayne Pollock,
Wellington Fernando de Macedo,
Weston Ruter,
+ Wilhelm Joys Andersen,
Will Levine,
William Swanson,
Wladimir Palant,
