[html5] r7323 - [e] (0) Explain why gopher isn't on the list Fixing https://www.w3.org/Bugs/Publ [...]
whatwg at whatwg.org
Thu Sep 6 08:49:23 PDT 2012
Author: ianh
Date: 2012-09-06 08:49:21 -0700 (Thu, 06 Sep 2012)
New Revision: 7323
Modified:
complete.html
index
source
Log:
[e] (0) Explain why gopher isn't on the list
Fixing https://www.w3.org/Bugs/Public/show_bug.cgi?id=16099
Affected topics: DOM APIs
Modified: complete.html
===================================================================
--- complete.html 2012-09-06 15:38:36 UTC (rev 7322)
+++ complete.html 2012-09-06 15:49:21 UTC (rev 7323)
@@ -76853,6 +76853,16 @@
</ul><p class=note>This list can be changed. If there are schemes
that should be added, please send feedback.</p>
+ <p class=note>This list excludes any schemes that could
+ reasonably be expected to be supported inline, e.g. in an
+ <code><a href=#the-iframe-element>iframe</a></code>, such as <code title="">http</code> or (more
+ theoretically) <code title="">gopher</code>. If those were
+ supported, they could potentially be used in man-in-the-middle
+ attacks, by replacing pages that have frames with such content
+ with content under the control of the protocol handler. If the
+ user agent has native support for the schemes, this could further
+ be used for cookie-theft attacks.</p>
+
</dd>
<dt><var title="">mimeType</var> (<code title=dom-navigator-registerContentHandler><a href=#dom-navigator-registercontenthandler>registerContentHandler()</a></code> only)</dt>
Modified: index
===================================================================
--- index 2012-09-06 15:38:36 UTC (rev 7322)
+++ index 2012-09-06 15:49:21 UTC (rev 7323)
@@ -76853,6 +76853,16 @@
</ul><p class=note>This list can be changed. If there are schemes
that should be added, please send feedback.</p>
+ <p class=note>This list excludes any schemes that could
+ reasonably be expected to be supported inline, e.g. in an
+ <code><a href=#the-iframe-element>iframe</a></code>, such as <code title="">http</code> or (more
+ theoretically) <code title="">gopher</code>. If those were
+ supported, they could potentially be used in man-in-the-middle
+ attacks, by replacing pages that have frames with such content
+ with content under the control of the protocol handler. If the
+ user agent has native support for the schemes, this could further
+ be used for cookie-theft attacks.</p>
+
</dd>
<dt><var title="">mimeType</var> (<code title=dom-navigator-registerContentHandler><a href=#dom-navigator-registercontenthandler>registerContentHandler()</a></code> only)</dt>
Modified: source
===================================================================
--- source 2012-09-06 15:38:36 UTC (rev 7322)
+++ source 2012-09-06 15:49:21 UTC (rev 7323)
@@ -89834,6 +89834,16 @@
<p class="note">This list can be changed. If there are schemes
that should be added, please send feedback.</p>
+ <p class="note">This list excludes any schemes that could
+ reasonably be expected to be supported inline, e.g. in an
+ <code>iframe</code>, such as <code title="">http</code> or (more
+ theoretically) <code title="">gopher</code>. If those were
+ supported, they could potentially be used in man-in-the-middle
+ attacks, by replacing pages that have frames with such content
+ with content under the control of the protocol handler. If the
+ user agent has native support for the schemes, this could further
+ be used for cookie-theft attacks.</p>
+
</dd>
<dt><var title="">mimeType</var> (<code title="dom-navigator-registerContentHandler">registerContentHandler()</code> only)</dt>