[html5] r6523 - [giow] (1) registerProtocolHandler() and registerContentHandler() security updates

whatwg at whatwg.org
Tue Aug 23 16:27:19 PDT 2011


Author: ianh
Date: 2011-08-23 16:27:17 -0700 (Tue, 23 Aug 2011)
New Revision: 6523

Modified:
   complete.html
   index
   source
Log:
[giow] (1) registerProtocolHandler() and registerContentHandler() security updates

Modified: complete.html
===================================================================
--- complete.html	2011-08-23 00:08:33 UTC (rev 6522)
+++ complete.html	2011-08-23 23:27:17 UTC (rev 6523)
@@ -1358,7 +1358,8 @@
    <li><a href=#application/microdata+json><span class=secno>17.8 </span><code>application/microdata+json</code></a></li>
    <li><a href=#application/html-peer-connection-data><span class=secno>17.9 </span><code>application/html-peer-connection-data</code></a></li>
    <li><a href=#ping-from><span class=secno>17.10 </span><code>Ping-From</code></a></li>
-   <li><a href=#ping-to><span class=secno>17.11 </span><code>Ping-To</code></a></ol></li>
+   <li><a href=#ping-to><span class=secno>17.11 </span><code>Ping-To</code></a></li>
+   <li><a href=#web+-scheme-prefix><span class=secno>17.12 </span><code>web+</code> scheme prefix</a></ol></li>
  <li><a class=no-num href=#index>Index</a>
   <ol>
    <li><a class=no-num href=#elements-1>Elements</a></li>
@@ -70485,7 +70486,11 @@
   the user is not repeatedly prompted with the same request.</p>
 
   <p>The arguments to the methods have the following meanings and
-  corresponding implementation requirements:</p>
+  corresponding implementation requirements. The requirements that
+  involve throwing exceptions must be processed in the order given
+  below, stopping at the first exception raised. (So the
+  <code><a href=#security_err>SECURITY_ERR</a></code> exceptions take precedence over the
+  <code><a href=#syntax_err>SYNTAX_ERR</a></code> exception.)</p>
 
   <dl><dt><var title="">scheme</var> (<code title=dom-navigator-registerProtocolHandler><a href=#dom-navigator-registerprotocolhandler>registerProtocolHandler()</a></code> only)</dt>
 
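Review bot: the ordering rule only works if each method applies just the checks for the arguments it accepts; as written, "processed in the order given below" could be read as including the scheme check for registerContentHandler() or the mimeType check for registerProtocolHandler(). Consider "processed in the order given below, for the arguments that the method accepts". Also, "involve throwing exceptions" sits beside "must raise ... exception" in the entries below; the spec's usual verb is "raise", so use it here too. The same text is in the index and source copies.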
@@ -70501,9 +70506,30 @@
     (as in "<code>ftp:</code>"), will never match anything, since
     schemes don't contain colons.</p>
 
-    <p class=note>This feature is not intended to be used with
-    non-standard protocols.</p>
+    <p>If the <code title=dom-navigator-registerProtocolHandler><a href=#dom-navigator-registerprotocolhandler>registerProtocolHandler()</a></code>
+    method is invoked with a scheme that is neither a
+    <a href=#whitelisted-scheme>whitelisted scheme</a> nor a scheme whose value starts
+    with the substring "<code title="">web+</code>" and otherwise
+    contains only characters in the range U+0061 LATIN SMALL LETTER A
+    to U+007A LATIN SMALL LETTER Z, the user agent must raise
+    <code><a href=#security_err>SECURITY_ERR</a></code> exception.</p>
 
+    <p>The following schemes are the <dfn id=whitelisted-scheme title="whitelisted
+    scheme">whitelisted schemes</dfn>:</p>
+
+    <ul class=brief><li><code title="">irc</code></li>
+     <li><code title="">mailto</code></li>
+     <li><code title="">mms</code></li>
+     <li><code title="">news</code></li>
+     <li><code title="">nntp</code></li>
+     <li><code title="">sms</code></li>
+     <li><code title="">smsto</code></li>
+     <li><code title="">tel</code></li>
+     <li><code title="">urn</code></li>
+     <li><code title="">webcal</code></li>
+    </ul><p class=note>This list can be changed. If there are schemes
+    that should be added, please send feedback.</p>
+
    </dd>
 
    <dt><var title="">mimeType</var> (<code title=dom-navigator-registerContentHandler><a href=#dom-navigator-registercontenthandler>registerContentHandler()</a></code> only)</dt>
@@ -70529,6 +70555,31 @@
     used by the user agent <em>after</em> the sniffing algorithms have
     been applied.</p>
 
+    <p>If the <code title=dom-navigator-registerContentHandler><a href=#dom-navigator-registercontenthandler>registerContentHandler()</a></code>
+    method is invoked with a <a href=#mime-type>MIME type</a> that is in the
+    <a href=#type-blacklist>type blacklist</a> or that the user agent has deemed a
+    privileged type, the user agent must raise
+    <code><a href=#security_err>SECURITY_ERR</a></code> exception.</p>
+
+    <p>The following <a href=#mime-type title="MIME type">MIME types</a> are in
+    the <dfn id=type-blacklist>type blacklist</dfn>:</p>
+
+    <ul title=brief><li><code><a href=#text/cache-manifest>text/cache-manifest</a></code></li>
+     <li><code>text/css</code></li>
+     <li><code><a href=#text/html-sandboxed>text/html-sandboxed</a></code></li>
+     <li><code><a href=#text/html>text/html</a></code></li>
+     <li><code><a href=#text/ping>text/ping</a></code></li>
+     <li><code>text/plain</code></li>
+     <li><code><a href=#application/x-www-form-urlencoded>application/x-www-form-urlencoded</a></code></li>
+     <li><code>image/gif</code></li>
+     <li><code>image/jpeg</code></li>
+     <li><code>image/png</code></li>
+     <li>All <a href=#xml-mime-type title="XML MIME type">XML MIME types</a></li>
+     <li>All types that the user agent supports displaying natively in a <a href=#browsing-context>browsing context</a> during <a href=#navigate title=navigate>navigation</a></li>
+
+    </ul><p class=note>This list can be changed. If there are schemes
+    that should be added, please send feedback.</p>
+
    </dd>
 
 
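Review bot: two copy-paste slips from the scheme list above: `<ul title=brief>` should be `<ul class=brief>` (title= on a ul only yields a tooltip), and the closing note says "If there are schemes that should be added" where this is the type list. "must raise <code>SECURITY_ERR</code> exception" also needs "a". More substantively, the text does not say how the mimeType argument is compared with the blacklist: whether parameters are stripped first (so "text/html;charset=utf-8" matches "text/html") and whether the comparison is ASCII case-insensitive. A literal string comparison would let trivially different spellings of a blacklisted type through, so state the normalisation that is applied before the lookup. Same in the index and source copies.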
@@ -70557,6 +70608,14 @@
     <query> production defined in RFC 3986 by the
     percent-encoded form of that character. <a href=#refsRFC3986>[RFC3986]</a></p>
 
+    <p>User agents must raise a <code><a href=#syntax_err>SYNTAX_ERR</a></code> exception if
+    the <var title="">url</var> argument passed to one of these
+    methods does not contain the exact literal string
+    "<code>%s</code>", or if <a href=#resolve-a-url title="resolve a
+    url">resolving</a> the <var title="">url</var> argument with
+    the first occurrence of the string "<code title="">%s</code>"
+    removed, relative to the <a href=#entry-script>entry script</a>'s <a href="#script's-base-url" title="script's base URL">base URL</a>, is not successful.</p>
+
     <div class=example>
 
      <p>If the user had visited a site at <code title="">http://example.com/</code> that made the following
@@ -70593,24 +70652,7 @@
 
    </dd>
 
-  </dl><p>User agents should raise <code><a href=#security_err>SECURITY_ERR</a></code> exceptions if
-  the methods are called with <var title="">scheme</var> or <var title="">mimeType</var> values that the UA deems to be
-  "privileged". For example, a site attempting to register a handler
-  for <code>http</code> URLs or <code><a href=#text/html>text/html</a></code> content in a
-  Web browser would likely cause an exception to be raised.</p>
-
-  <p>User agents must raise a <code><a href=#syntax_err>SYNTAX_ERR</a></code> exception if the
-  <var title="">url</var> argument passed to one of these methods does
-  not contain the exact literal string "<code>%s</code>", or if <a href=#resolve-a-url title="resolve a url">resolving</a> the <var title="">url</var>
-  argument with the first occurrence of the string "<code title="">%s</code>" removed, relative to the <a href=#entry-script>entry
-  script</a>'s <a href="#script's-base-url" title="script's base URL">base URL</a>, is
-  not successful.</p>
-
-  <p>User agents must not raise any other exceptions (other than
-  binding-specific exceptions, such as for an incorrect number of
-  arguments in an JavaScript implementation).</p>
-
-  <p>This section does not define how the pages registered by these
+  </dl><p>This section does not define how the pages registered by these
   methods are used, beyond the requirements on how to process the <var title="">url</var> value (see above). To some extent, the <a href=#navigate title=navigate>processing model for navigating across
   documents</a> defines some cases where these methods are
   relevant, but in general UAs may use this information wherever they
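Review bot: the removed paragraph "User agents must not raise any other exceptions (other than binding-specific exceptions ...)" has no counterpart in the new text, so the set of permitted exceptions is no longer closed; if that is intended, the log entry should say so, otherwise reinstate it after the `</dl>`. The other two removed paragraphs are accounted for: the SYNTAX_ERR text moved into the url entry unchanged, and the old should-level "privileged" advice is superseded by the new must-level whitelist and blacklist checks (http is caught because it is neither whitelisted nor a web+ scheme, and text/html is on the blacklist). Same removal in the index and source copies.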
@@ -98304,8 +98346,45 @@
    </dd>
    <dt>Related information</dt>
    <dd>None.</dd>
-  </dl><!--PING--><h2 class=no-num id=index>Index</h2>
+  </dl><!--PING--><h3 id=web+-scheme-prefix><span class=secno>17.12 </span><dfn title=scheme-web><code>web+</code> scheme prefix</dfn></h3>
 
+  <p>This section describes a convention for use with the IANA URI
+  scheme registry. It does not itself register a specific scheme. <a href=#refsRFC4395>[RFC4395]</a></p>
+
+  <dl><dt>URI scheme name</dt>
+   <dd>
+    Schemes starting with the four characters "<code title="">web+</code>" followed by one or more letters in the range
+    <code title="">a</code>-<code title="">z</code>.
+   </dd>
+   <dt>Status</dt>
+   <dd>permanent</dd>
+   <dt>URI scheme syntax</dt>
+   <dd>Scheme-specific.</dd>
+   <dt>URI scheme semantics</dt>
+   <dd>Scheme-specific.</dd>
+   <dt>Encoding considerations</dt>
+   <dd>All "<code title="">web+</code>" schemes should use UTF-8 encodings were relevant.</dd>
+   <dt>Applications/protocols that use this URI scheme name</dt>
+   <dd>Scheme-specific.</dd>
+   <dt>Interoperability considerations</dt>
+   <dd>The scheme is expected to be used in the context of Web applications.</dd>
+   <dt>Security considerations</dt>
+   <dd>
+    Any Web page is able to register a handler for all "<code title="">web+</code>" schemes. As such, these schemes must not be
+    used for features intended to be core platform features (e.g.
+    network transfer protocols like HTTP or FTP). Similarly, such
+    schemes must not store confidential information in their URLs,
+    such as usernames, passwords, personal information, or
+    confidential project names.
+   </dd>
+   <dt>Contact</dt>
+   <dd>Ian Hickson <ian at hixie.ch></dd>
+   <dt>Author/Change controller</dt>
+   <dd>Ian Hickson <ian at hixie.ch></dd>
+   <dt>References</dt>
+   <dd>W3C</dd>
+  </dl><h2 class=no-num id=index>Index</h2>
+
   <div class=impl>
 
   <p>The following sections only cover conforming elements and features.</p>
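Review bot: typo in Encoding considerations: "UTF-8 encodings were relevant" should read "where relevant". The URI scheme name entry requires "one or more letters" after "web+", which does not match the registerProtocolHandler() check earlier in this change that also accepts bare "web+"; align the two. In the Contact and Author/Change controller entries the address appears as `<ian at hixie.ch>`; if the source really contains raw angle brackets rather than `&lt;`/`&gt;` (the list archive may have rewritten the address), the HTML parser will treat it as a start tag and the text disappears. Lastly, "References: W3C" is vague for a registry template; cite this specification and its section instead.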
@@ -101734,6 +101813,9 @@
    <dd>(Non-normative) <cite><a href=http://tools.ietf.org/html/rfc4329>Scripting Media
    Types</a></cite>, B. Höhrmann. IETF.</dd>
 
+   <dt id=refsRFC4395>[RFC4395]</dt>
+   <dd><cite><a href=http://tools.ietf.org/html/rfc4395>Guidelines and Registration Procedures for New URI Schemes</a></cite>, T. Hansen, T. Hardie, L. Masinter. IETF.</dd>
+
    <dt id=refsRFC4648>[RFC4648]</dt>
    <dd><cite><a href=http://tools.ietf.org/html/rfc4648>The Base16,
    Base32, and Base64 Data Encodings</a></cite>, S. Josefsson.
@@ -102187,6 +102269,7 @@
   James Craig,
   James Graham,
   James Justin Harrell,
+  James Kozianski,
   James M Snell,
   James Perrett,
   James Robinson,
@@ -102492,6 +102575,7 @@
   Wayne Pollock,
   Wellington Fernando de Macedo,
   Weston Ruter,
+  Wilhelm Joys Andersen,
   Will Levine,
   William Swanson,
   Wladimir Palant,

Modified: index
===================================================================
--- index	2011-08-23 00:08:33 UTC (rev 6522)
+++ index	2011-08-23 23:27:17 UTC (rev 6523)
@@ -1271,7 +1271,8 @@
    <li><a href=#application/microdata+json><span class=secno>15.8 </span><code>application/microdata+json</code></a></li>
    <li><a href=#application/html-peer-connection-data><span class=secno>15.9 </span><code>application/html-peer-connection-data</code></a></li>
    <li><a href=#ping-from><span class=secno>15.10 </span><code>Ping-From</code></a></li>
-   <li><a href=#ping-to><span class=secno>15.11 </span><code>Ping-To</code></a></ol></li>
+   <li><a href=#ping-to><span class=secno>15.11 </span><code>Ping-To</code></a></li>
+   <li><a href=#web+-scheme-prefix><span class=secno>15.12 </span><code>web+</code> scheme prefix</a></ol></li>
  <li><a class=no-num href=#index>Index</a>
   <ol>
    <li><a class=no-num href=#elements-1>Elements</a></li>
@@ -70375,7 +70376,11 @@
   the user is not repeatedly prompted with the same request.</p>
 
   <p>The arguments to the methods have the following meanings and
-  corresponding implementation requirements:</p>
+  corresponding implementation requirements. The requirements that
+  involve throwing exceptions must be processed in the order given
+  below, stopping at the first exception raised. (So the
+  <code><a href=#security_err>SECURITY_ERR</a></code> exceptions take precedence over the
+  <code><a href=#syntax_err>SYNTAX_ERR</a></code> exception.)</p>
 
   <dl><dt><var title="">scheme</var> (<code title=dom-navigator-registerProtocolHandler><a href=#dom-navigator-registerprotocolhandler>registerProtocolHandler()</a></code> only)</dt>
 
@@ -70391,9 +70396,30 @@
     (as in "<code>ftp:</code>"), will never match anything, since
     schemes don't contain colons.</p>
 
-    <p class=note>This feature is not intended to be used with
-    non-standard protocols.</p>
+    <p>If the <code title=dom-navigator-registerProtocolHandler><a href=#dom-navigator-registerprotocolhandler>registerProtocolHandler()</a></code>
+    method is invoked with a scheme that is neither a
+    <a href=#whitelisted-scheme>whitelisted scheme</a> nor a scheme whose value starts
+    with the substring "<code title="">web+</code>" and otherwise
+    contains only characters in the range U+0061 LATIN SMALL LETTER A
+    to U+007A LATIN SMALL LETTER Z, the user agent must raise
+    <code><a href=#security_err>SECURITY_ERR</a></code> exception.</p>
 
+    <p>The following schemes are the <dfn id=whitelisted-scheme title="whitelisted
+    scheme">whitelisted schemes</dfn>:</p>
+
+    <ul class=brief><li><code title="">irc</code></li>
+     <li><code title="">mailto</code></li>
+     <li><code title="">mms</code></li>
+     <li><code title="">news</code></li>
+     <li><code title="">nntp</code></li>
+     <li><code title="">sms</code></li>
+     <li><code title="">smsto</code></li>
+     <li><code title="">tel</code></li>
+     <li><code title="">urn</code></li>
+     <li><code title="">webcal</code></li>
+    </ul><p class=note>This list can be changed. If there are schemes
+    that should be added, please send feedback.</p>
+
    </dd>
 
    <dt><var title="">mimeType</var> (<code title=dom-navigator-registerContentHandler><a href=#dom-navigator-registercontenthandler>registerContentHandler()</a></code> only)</dt>
@@ -70419,6 +70445,31 @@
     used by the user agent <em>after</em> the sniffing algorithms have
     been applied.</p>
 
+    <p>If the <code title=dom-navigator-registerContentHandler><a href=#dom-navigator-registercontenthandler>registerContentHandler()</a></code>
+    method is invoked with a <a href=#mime-type>MIME type</a> that is in the
+    <a href=#type-blacklist>type blacklist</a> or that the user agent has deemed a
+    privileged type, the user agent must raise
+    <code><a href=#security_err>SECURITY_ERR</a></code> exception.</p>
+
+    <p>The following <a href=#mime-type title="MIME type">MIME types</a> are in
+    the <dfn id=type-blacklist>type blacklist</dfn>:</p>
+
+    <ul title=brief><li><code><a href=#text/cache-manifest>text/cache-manifest</a></code></li>
+     <li><code>text/css</code></li>
+     <li><code><a href=#text/html-sandboxed>text/html-sandboxed</a></code></li>
+     <li><code><a href=#text/html>text/html</a></code></li>
+     <li><code><a href=#text/ping>text/ping</a></code></li>
+     <li><code>text/plain</code></li>
+     <li><code><a href=#application/x-www-form-urlencoded>application/x-www-form-urlencoded</a></code></li>
+     <li><code>image/gif</code></li>
+     <li><code>image/jpeg</code></li>
+     <li><code>image/png</code></li>
+     <li>All <a href=#xml-mime-type title="XML MIME type">XML MIME types</a></li>
+     <li>All types that the user agent supports displaying natively in a <a href=#browsing-context>browsing context</a> during <a href=#navigate title=navigate>navigation</a></li>
+
+    </ul><p class=note>This list can be changed. If there are schemes
+    that should be added, please send feedback.</p>
+
    </dd>
 
 
@@ -70447,6 +70498,14 @@
     <query> production defined in RFC 3986 by the
     percent-encoded form of that character. <a href=#refsRFC3986>[RFC3986]</a></p>
 
+    <p>User agents must raise a <code><a href=#syntax_err>SYNTAX_ERR</a></code> exception if
+    the <var title="">url</var> argument passed to one of these
+    methods does not contain the exact literal string
+    "<code>%s</code>", or if <a href=#resolve-a-url title="resolve a
+    url">resolving</a> the <var title="">url</var> argument with
+    the first occurrence of the string "<code title="">%s</code>"
+    removed, relative to the <a href=#entry-script>entry script</a>'s <a href="#script's-base-url" title="script's base URL">base URL</a>, is not successful.</p>
+
     <div class=example>
 
      <p>If the user had visited a site at <code title="">http://example.com/</code> that made the following
@@ -70483,24 +70542,7 @@
 
    </dd>
 
-  </dl><p>User agents should raise <code><a href=#security_err>SECURITY_ERR</a></code> exceptions if
-  the methods are called with <var title="">scheme</var> or <var title="">mimeType</var> values that the UA deems to be
-  "privileged". For example, a site attempting to register a handler
-  for <code>http</code> URLs or <code><a href=#text/html>text/html</a></code> content in a
-  Web browser would likely cause an exception to be raised.</p>
-
-  <p>User agents must raise a <code><a href=#syntax_err>SYNTAX_ERR</a></code> exception if the
-  <var title="">url</var> argument passed to one of these methods does
-  not contain the exact literal string "<code>%s</code>", or if <a href=#resolve-a-url title="resolve a url">resolving</a> the <var title="">url</var>
-  argument with the first occurrence of the string "<code title="">%s</code>" removed, relative to the <a href=#entry-script>entry
-  script</a>'s <a href="#script's-base-url" title="script's base URL">base URL</a>, is
-  not successful.</p>
-
-  <p>User agents must not raise any other exceptions (other than
-  binding-specific exceptions, such as for an incorrect number of
-  arguments in an JavaScript implementation).</p>
-
-  <p>This section does not define how the pages registered by these
+  </dl><p>This section does not define how the pages registered by these
   methods are used, beyond the requirements on how to process the <var title="">url</var> value (see above). To some extent, the <a href=#navigate title=navigate>processing model for navigating across
   documents</a> defines some cases where these methods are
   relevant, but in general UAs may use this information wherever they
@@ -93751,8 +93793,45 @@
    </dd>
    <dt>Related information</dt>
    <dd>None.</dd>
-  </dl><!--PING--><h2 class=no-num id=index>Index</h2>
+  </dl><!--PING--><h3 id=web+-scheme-prefix><span class=secno>15.12 </span><dfn title=scheme-web><code>web+</code> scheme prefix</dfn></h3>
 
+  <p>This section describes a convention for use with the IANA URI
+  scheme registry. It does not itself register a specific scheme. <a href=#refsRFC4395>[RFC4395]</a></p>
+
+  <dl><dt>URI scheme name</dt>
+   <dd>
+    Schemes starting with the four characters "<code title="">web+</code>" followed by one or more letters in the range
+    <code title="">a</code>-<code title="">z</code>.
+   </dd>
+   <dt>Status</dt>
+   <dd>permanent</dd>
+   <dt>URI scheme syntax</dt>
+   <dd>Scheme-specific.</dd>
+   <dt>URI scheme semantics</dt>
+   <dd>Scheme-specific.</dd>
+   <dt>Encoding considerations</dt>
+   <dd>All "<code title="">web+</code>" schemes should use UTF-8 encodings were relevant.</dd>
+   <dt>Applications/protocols that use this URI scheme name</dt>
+   <dd>Scheme-specific.</dd>
+   <dt>Interoperability considerations</dt>
+   <dd>The scheme is expected to be used in the context of Web applications.</dd>
+   <dt>Security considerations</dt>
+   <dd>
+    Any Web page is able to register a handler for all "<code title="">web+</code>" schemes. As such, these schemes must not be
+    used for features intended to be core platform features (e.g.
+    network transfer protocols like HTTP or FTP). Similarly, such
+    schemes must not store confidential information in their URLs,
+    such as usernames, passwords, personal information, or
+    confidential project names.
+   </dd>
+   <dt>Contact</dt>
+   <dd>Ian Hickson <ian at hixie.ch></dd>
+   <dt>Author/Change controller</dt>
+   <dd>Ian Hickson <ian at hixie.ch></dd>
+   <dt>References</dt>
+   <dd>W3C</dd>
+  </dl><h2 class=no-num id=index>Index</h2>
+
   <div class=impl>
 
   <p>The following sections only cover conforming elements and features.</p>
@@ -97326,6 +97405,9 @@
    <dd>(Non-normative) <cite><a href=http://tools.ietf.org/html/rfc4329>Scripting Media
    Types</a></cite>, B. Höhrmann. IETF.</dd>
 
+   <dt id=refsRFC4395>[RFC4395]</dt>
+   <dd><cite><a href=http://tools.ietf.org/html/rfc4395>Guidelines and Registration Procedures for New URI Schemes</a></cite>, T. Hansen, T. Hardie, L. Masinter. IETF.</dd>
+
    <dt id=refsRFC4648>[RFC4648]</dt>
    <dd><cite><a href=http://tools.ietf.org/html/rfc4648>The Base16,
    Base32, and Base64 Data Encodings</a></cite>, S. Josefsson.
@@ -97795,6 +97877,7 @@
   James Craig,
   James Graham,
   James Justin Harrell,
+  James Kozianski,
   James M Snell,
   James Perrett,
   James Robinson,
@@ -98100,6 +98183,7 @@
   Wayne Pollock,
   Wellington Fernando de Macedo,
   Weston Ruter,
+  Wilhelm Joys Andersen,
   Will Levine,
   William Swanson,
   Wladimir Palant,

Modified: source
===================================================================
--- source	2011-08-23 00:08:33 UTC (rev 6522)
+++ source	2011-08-23 23:27:17 UTC (rev 6523)
@@ -80196,7 +80196,11 @@
   the user is not repeatedly prompted with the same request.</p>
 
   <p>The arguments to the methods have the following meanings and
-  corresponding implementation requirements:</p>
+  corresponding implementation requirements. The requirements that
+  involve throwing exceptions must be processed in the order given
+  below, stopping at the first exception raised. (So the
+  <code>SECURITY_ERR</code> exceptions take precedence over the
+  <code>SYNTAX_ERR</code> exception.)</p>
 
   <dl>
 
@@ -80214,9 +80218,34 @@
     (as in "<code>ftp:</code>"), will never match anything, since
     schemes don't contain colons.</p>
 
-    <p class="note">This feature is not intended to be used with
-    non-standard protocols.</p>
+    <p>If the <code
+    title="dom-navigator-registerProtocolHandler">registerProtocolHandler()</code>
+    method is invoked with a scheme that is neither a
+    <span>whitelisted scheme</span> nor a scheme whose value starts
+    with the substring "<code title="">web+</code>" and otherwise
+    contains only characters in the range U+0061 LATIN SMALL LETTER A
+    to U+007A LATIN SMALL LETTER Z, the user agent must raise
+    <code>SECURITY_ERR</code> exception.</p>
 
+    <p>The following schemes are the <dfn title="whitelisted
+    scheme">whitelisted schemes</dfn>:</p>
+
+    <ul class="brief">
+     <li><code title="">irc</code></li>
+     <li><code title="">mailto</code></li>
+     <li><code title="">mms</code></li>
+     <li><code title="">news</code></li>
+     <li><code title="">nntp</code></li>
+     <li><code title="">sms</code></li>
+     <li><code title="">smsto</code></li>
+     <li><code title="">tel</code></li>
+     <li><code title="">urn</code></li>
+     <li><code title="">webcal</code></li>
+    </ul>
+
+    <p class="note">This list can be changed. If there are schemes
+    that should be added, please send feedback.</p>
+
    </dd>
 
    <dt><var title="">mimeType</var> (<code title="dom-navigator-registerContentHandler">registerContentHandler()</code> only)</dt>
@@ -80242,6 +80271,36 @@
     used by the user agent <em>after</em> the sniffing algorithms have
     been applied.</p>
 
+    <p>If the <code
+    title="dom-navigator-registerContentHandler">registerContentHandler()</code>
+    method is invoked with a <span>MIME type</span> that is in the
+    <span>type blacklist</span> or that the user agent has deemed a
+    privileged type, the user agent must raise
+    <code>SECURITY_ERR</code> exception.</p>
+
+    <p>The following <span title="MIME type">MIME types</span> are in
+    the <dfn>type blacklist</dfn>:</p>
+
+    <ul title="brief">
+
+     <li><code>text/cache-manifest</code></li>
+     <li><code>text/css</code></li>
+     <li><code>text/html-sandboxed</code></li>
+     <li><code>text/html</code></li>
+     <li><code>text/ping</code></li>
+     <li><code>text/plain</code></li>
+     <li><code>application/x-www-form-urlencoded</code></li>
+     <li><code>image/gif</code></li>
+     <li><code>image/jpeg</code></li>
+     <li><code>image/png</code></li>
+     <li>All <span title="XML MIME type">XML MIME types</span></li>
+     <li>All types that the user agent supports displaying natively in a <span>browsing context</span> during <span title="navigate">navigation</span></li>
+
+    </ul>
+
+    <p class="note">This list can be changed. If there are schemes
+    that should be added, please send feedback.</p>
+
    </dd>
 
 
@@ -80275,6 +80334,15 @@
     percent-encoded form of that character. <a
     href="#refsRFC3986">[RFC3986]</a></p>
 
+    <p>User agents must raise a <code>SYNTAX_ERR</code> exception if
+    the <var title="">url</var> argument passed to one of these
+    methods does not contain the exact literal string
+    "<code>%s</code>", or if <span title="resolve a
+    url">resolving</span> the <var title="">url</var> argument with
+    the first occurrence of the string "<code title="">%s</code>"
+    removed, relative to the <span>entry script</span>'s <span
+    title="script's base URL">base URL</span>, is not successful.</p>
+
     <div class="example">
 
      <p>If the user had visited a site at <code
@@ -80315,26 +80383,6 @@
 
   </dl>
 
-  <p>User agents should raise <code>SECURITY_ERR</code> exceptions if
-  the methods are called with <var title="">scheme</var> or <var
-  title="">mimeType</var> values that the UA deems to be
-  "privileged". For example, a site attempting to register a handler
-  for <code>http</code> URLs or <code>text/html</code> content in a
-  Web browser would likely cause an exception to be raised.</p>
-
-  <p>User agents must raise a <code>SYNTAX_ERR</code> exception if the
-  <var title="">url</var> argument passed to one of these methods does
-  not contain the exact literal string "<code>%s</code>", or if <span
-  title="resolve a url">resolving</span> the <var title="">url</var>
-  argument with the first occurrence of the string "<code
-  title="">%s</code>" removed, relative to the <span>entry
-  script</span>'s <span title="script's base URL">base URL</span>, is
-  not successful.</p>
-
-  <p>User agents must not raise any other exceptions (other than
-  binding-specific exceptions, such as for an incorrect number of
-  arguments in an JavaScript implementation).</p>
-
   <p>This section does not define how the pages registered by these
   methods are used, beyond the requirements on how to process the <var
   title="">url</var> value (see above). To some extent, the <span
@@ -111509,6 +111557,50 @@
 <!--START w3c-html--><!--PING-->
 
 
+  <h3><dfn title="scheme-web"><code>web+</code> scheme prefix</dfn></h3>
+
+  <p>This section describes a convention for use with the IANA URI
+  scheme registry. It does not itself register a specific scheme. <a
+  href="#refsRFC4395">[RFC4395]</a></p>
+
+  <dl>
+   <dt>URI scheme name</dt>
+   <dd>
+    Schemes starting with the four characters "<code
+    title="">web+</code>" followed by one or more letters in the range
+    <code title="">a</code>-<code title="">z</code>.
+   </dd>
+   <dt>Status</dt>
+   <dd>permanent</dd>
+   <dt>URI scheme syntax</dt>
+   <dd>Scheme-specific.</dd>
+   <dt>URI scheme semantics</dt>
+   <dd>Scheme-specific.</dd>
+   <dt>Encoding considerations</dt>
+   <dd>All "<code title="">web+</code>" schemes should use UTF-8 encodings were relevant.</dd>
+   <dt>Applications/protocols that use this URI scheme name</dt>
+   <dd>Scheme-specific.</dd>
+   <dt>Interoperability considerations</dt>
+   <dd>The scheme is expected to be used in the context of Web applications.</dd>
+   <dt>Security considerations</dt>
+   <dd>
+    Any Web page is able to register a handler for all "<code
+    title="">web+</code>" schemes. As such, these schemes must not be
+    used for features intended to be core platform features (e.g.
+    network transfer protocols like HTTP or FTP). Similarly, such
+    schemes must not store confidential information in their URLs,
+    such as usernames, passwords, personal information, or
+    confidential project names.
+   </dd>
+   <dt>Contact</dt>
+   <dd>Ian Hickson <ian at hixie.ch></dd>
+   <dt>Author/Change controller</dt>
+   <dd>Ian Hickson <ian at hixie.ch></dd>
+   <dt>References</dt>
+   <dd>W3C</dd>
+  </dl>
+
+
   <h2 id="index" class="no-num">Index</h2>
 
   <div class="impl">
@@ -115934,6 +116026,9 @@
    Layer Security (TLS) Extensions</a></cite>, S. Blake-Wilson,
    M. Nystrom, D. Hopwood, J. Mikkelsen, T. Wright. IETF.</dd>
 
+   <dt id="refsRFC4395">[RFC4395]</dt>
+   <dd><cite><a href="http://tools.ietf.org/html/rfc4395">Guidelines and Registration Procedures for New URI Schemes</a></cite>, T. Hansen, T. Hardie, L. Masinter. IETF.</dd>
+
    <dt id="refsRFC4648">[RFC4648]</dt>
    <dd><cite><a href="http://tools.ietf.org/html/rfc4648">The Base16,
    Base32, and Base64 Data Encodings</a></cite>, S. Josefsson.
@@ -116474,6 +116569,7 @@
   James Craig,
   James Graham,
   James Justin Harrell,
+  James Kozianski,
   James M Snell,
   James Perrett,
   James Robinson,
@@ -116779,6 +116875,7 @@
   Wayne Pollock,
   Wellington Fernando de Macedo,
   Weston Ruter,
+  Wilhelm Joys Andersen,
   Will Levine,
   William Swanson,
   Wladimir Palant,



