Add FTP related protocols to the registerProtocolHandler safelist. #6584

Merged
merged 1 commit into from Feb 14, 2022
18 changes: 10 additions & 8 deletions source
Expand Up @@ -98314,6 +98314,12 @@ interface <dfn interface>Navigator</dfn> {
<li><p>Assert: <var>inputURL</var>'s <span data-x="concept-url-scheme">scheme</span> is
<var>normalizedScheme</var>.</p></li>

<li><p><span data-x="set the username">Set the username</span> given <var>inputURL</var> and
the empty string.</p></li>

<li><p><span data-x="set the password">Set the password</span> given <var>inputURL</var> and
the empty string.</p></li>

<li><p>Let <var>inputURLString</var> be the <span
data-x="concept-url-serializer">serialization</span> of <var>inputURL</var>.</p></li>
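
Review bot: The two added steps that set the username and the password of inputURL to the empty string carry no stated rationale, and the "Leaking credentials" paragraph that explained the requirement is deleted later in this patch. Consider a short non-normative note after the password step saying that the userinfo is cleared so credentials embedded in the URL are never serialized into the string sent to the handler site. The placement itself, after the scheme assert and before the serialization step, looks right, since inputURLString is only built once both fields are empty.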

Expand Down Expand Up @@ -98395,6 +98401,8 @@ interface <dfn interface>Navigator</dfn> {

<ul class="brief">
<li><code data-x="">bitcoin</code></li> <!-- https://en.bitcoin.it/wiki/BIP_0021 -->
<li><code data-x="">ftp</code></li>
<li><code data-x="">ftps</code></li>
<li><code data-x="">geo</code></li>
<li><code data-x="">im</code></li>
<li><code data-x="">irc</code></li>
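
Review bot: The ftp and ftps entries added here (and the sftp entry added further down) name schemes whose URLs routinely carry user:password@ userinfo, so they are only safe on this list together with the username and password clearing steps this patch adds to the processing steps. That dependency is not recorded anywhere near the list; an HTML comment beside the entries, in the style of the reference comment on the bitcoin line, would stop the list from being extended or copied without the clearing steps.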
Expand All @@ -98406,6 +98414,7 @@ interface <dfn interface>Navigator</dfn> {
<li><code data-x="">news</code></li>
<li><code data-x="">nntp</code></li>
<li><code data-x="">openpgp4fpr</code></li>
<li><code data-x="">sftp</code></li>
<li><code data-x="">sip</code></li>
<li><code data-x="">sms</code></li>
<li><code data-x="">smsto</code></li>
Expand Down Expand Up @@ -98495,14 +98504,6 @@ interface <dfn interface>Navigator</dfn> {
allowing administrators to disable custom handlers on certain subdomains, content types, or
schemes.</p>

<p><strong>Leaking credentials.</strong> User agents must never send username or password

@asankah asankah Feb 7, 2022

Note that I removed the Leaking Credentials section since it is addressed in the processing steps.

The part about resources that may require credentials is, I believe, addressed in the "Leaking private data" section which warns about private URLs in general.

information in the URLs that are escaped and included sent to the handler sites. User agents may
even avoid attempting to pass to web-based handlers the URLs of resources that are known to
require authentication to access, as such sites would be unable to access the resources in
question without prompting the user for credentials themselves (a practice that would require the
user to know whether to trust the third-party handler, a decision many users are unable to make or
even understand).</p>

<p><strong>Interface interference.</strong> User agents should be prepared to handle intentionally
long arguments to the methods. For example, if the user interface exposed consists of an "accept"
button and a "deny" button, with the "accept" binding containing the name of the handler, it's
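
Review bot: The deleted "Leaking credentials" paragraph held two separate things, and the new processing steps replace only the first, the must-level rule against sending username or password information. The second, the guidance that user agents "may even avoid attempting to pass to web-based handlers the URLs of resources that are known to require authentication", has no replacement visible in this patch; the author's comment relies on the existing "Leaking private data" section for it. Consider adding a sentence to that section that names authentication-protected resources explicitly, so the guidance survives the removal.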
Expand Down Expand Up @@ -127503,6 +127504,7 @@ INSERT INTERFACES HERE
Arthur Stolyar,
Arun Patole,
Aryeh Gregor,
Asanka Herath,
Asbj&oslash;rn Ulsberg,
Ashley Gullen,
Ashley Sheridan,