[html5] r8555 - [giow] (3) Be more explicit about handing off to external software during naviga [...]

whatwg at whatwg.org whatwg at whatwg.org
Wed Mar 19 15:01:42 PDT 2014 

Author: ianh
Date: 2014-03-19 15:01:39 -0700 (Wed, 19 Mar 2014)
New Revision: 8555

Modified:
   complete.html
   index
   source
Log:
[giow] (3) Be more explicit about handing off to external software during navigation.
Affected topics: HTML

Modified: complete.html
===================================================================
--- complete.html	2014-03-18 18:36:16 UTC (rev 8554)
+++ complete.html	2014-03-19 22:01:39 UTC (rev 8555)
@@ -298,7 +298,7 @@
 
   <header class=head id=head><p><a href=http://www.whatwg.org/ class=logo><img width=101 src=/images/logo alt=WHATWG height=101></a></p>
    <hgroup><h1 class=allcaps>HTML</h1>
-    <h2 class="no-num no-toc">Living Standard — Last Updated 18 March 2014</h2>
+    <h2 class="no-num no-toc">Living Standard — Last Updated 19 March 2014</h2>
    </hgroup><dl><dt><strong>Web developer edition:</strong></dt>
     <dd><strong><a href=http://developers.whatwg.org/>http://developers.whatwg.org/</a></strong></dd>
     <dt>Multiple-page version:</dt>
@@ -67988,8 +67988,8 @@
 
    <li><p>If the new resource is to be handled using a mechanism that does not affect the browsing
    context, e.g. ignoring the navigation request altogether because the specified scheme is not one
-   of the supported protocols, then abort these steps and proceed with that mechanism
-   instead.</li>
+   of the supported protocols, then abort these steps and <a href=#hand-off-to-external-software title="hand-off to external
+   software">proceed with that mechanism instead</a>.</li>
 
    <li>
 
@@ -68453,10 +68453,21 @@
 
    <li><p>Otherwise, the document's <var title="">type</var> is such that the resource will not
    affect the browsing context, e.g. because the resource is to be handed to an external application
-   or because it is an unknown type that will be processed <a href=#as-a-download>as a download</a>. Process the
-   resource appropriately.</p>
+   or because it is an unknown type that will be processed <a href=#as-a-download>as a download</a>. <a href=#hand-off-to-external-software title="hand-off to external software">Process the resource appropriately</a>.</p>
 
-  </ol><hr><p>Some of the sections below, to which the above algorithm defers in certain cases, require the
+  </ol><p>When a resource is handled by <dfn id=hand-off-to-external-software title="hand-off to external software">passing its URL or
+  data to an external software package</dfn> separate from the user agent (e.g. handing a <code title="">mailto:</code> URL to a mail client, or a Word document to a word processor), user
+  agents should attempt to mitigate the risk that this is an attempt to exploit the target software,
+  e.g. by prompting the user to confirm that the <a href=#source-browsing-context>source browsing context</a>'s <a href=#active-document>active
+  document</a>'s <a href=#origin>origin</a> is to be allowed to invoke the specified software. In
+  particular, if the <a href=#navigate>navigate</a> algorithm, when it was invoked, was not <a href=#allowed-to-show-a-popup>allowed to
+  show a popup</a>, the user agent should not invoke the external software package without prior
+  user confirmation.</p>
+
+  <p class=example>For example, there could be a vulnerability in the target software's URL
+  handler which a hostile page would attempt to exploit by tricking a user into clicking a link.</p>
+
+  <hr><p>Some of the sections below, to which the above algorithm defers in certain cases, require the
   user agent to <dfn id=update-the-session-history-with-the-new-page>update the session history with the new page</dfn>. When a user agent is
   required to do this, it must <a href=#queue-a-task>queue a task</a> (associated with the <code><a href=#document>Document</a></code>
   object of the <a href=#current-entry>current entry</a>, not the new one) to run the following steps:</p>
@@ -104659,6 +104670,7 @@
   Lobotom Dysmon,
   Logan<!-- on moz irc -->,
   Loune,
+  Łukasz Pilorz,
   Luke Kenneth Casson Leighton,
   Maciej Stachowiak,
   Magnus Kristiansen<!-- Dashiva -->,

Modified: index
===================================================================
--- index	2014-03-18 18:36:16 UTC (rev 8554)
+++ index	2014-03-19 22:01:39 UTC (rev 8555)
@@ -298,7 +298,7 @@
 
   <header class=head id=head><p><a href=http://www.whatwg.org/ class=logo><img width=101 src=/images/logo alt=WHATWG height=101></a></p>
    <hgroup><h1 class=allcaps>HTML</h1>
-    <h2 class="no-num no-toc">Living Standard — Last Updated 18 March 2014</h2>
+    <h2 class="no-num no-toc">Living Standard — Last Updated 19 March 2014</h2>
    </hgroup><dl><dt><strong>Web developer edition:</strong></dt>
     <dd><strong><a href=http://developers.whatwg.org/>http://developers.whatwg.org/</a></strong></dd>
     <dt>Multiple-page version:</dt>
@@ -67988,8 +67988,8 @@
 
    <li><p>If the new resource is to be handled using a mechanism that does not affect the browsing
    context, e.g. ignoring the navigation request altogether because the specified scheme is not one
-   of the supported protocols, then abort these steps and proceed with that mechanism
-   instead.</li>
+   of the supported protocols, then abort these steps and <a href=#hand-off-to-external-software title="hand-off to external
+   software">proceed with that mechanism instead</a>.</li>
 
    <li>
 
@@ -68453,10 +68453,21 @@
 
    <li><p>Otherwise, the document's <var title="">type</var> is such that the resource will not
    affect the browsing context, e.g. because the resource is to be handed to an external application
-   or because it is an unknown type that will be processed <a href=#as-a-download>as a download</a>. Process the
-   resource appropriately.</p>
+   or because it is an unknown type that will be processed <a href=#as-a-download>as a download</a>. <a href=#hand-off-to-external-software title="hand-off to external software">Process the resource appropriately</a>.</p>
 
-  </ol><hr><p>Some of the sections below, to which the above algorithm defers in certain cases, require the
+  </ol><p>When a resource is handled by <dfn id=hand-off-to-external-software title="hand-off to external software">passing its URL or
+  data to an external software package</dfn> separate from the user agent (e.g. handing a <code title="">mailto:</code> URL to a mail client, or a Word document to a word processor), user
+  agents should attempt to mitigate the risk that this is an attempt to exploit the target software,
+  e.g. by prompting the user to confirm that the <a href=#source-browsing-context>source browsing context</a>'s <a href=#active-document>active
+  document</a>'s <a href=#origin>origin</a> is to be allowed to invoke the specified software. In
+  particular, if the <a href=#navigate>navigate</a> algorithm, when it was invoked, was not <a href=#allowed-to-show-a-popup>allowed to
+  show a popup</a>, the user agent should not invoke the external software package without prior
+  user confirmation.</p>
+
+  <p class=example>For example, there could be a vulnerability in the target software's URL
+  handler which a hostile page would attempt to exploit by tricking a user into clicking a link.</p>
+
+  <hr><p>Some of the sections below, to which the above algorithm defers in certain cases, require the
   user agent to <dfn id=update-the-session-history-with-the-new-page>update the session history with the new page</dfn>. When a user agent is
   required to do this, it must <a href=#queue-a-task>queue a task</a> (associated with the <code><a href=#document>Document</a></code>
   object of the <a href=#current-entry>current entry</a>, not the new one) to run the following steps:</p>
@@ -104659,6 +104670,7 @@
   Lobotom Dysmon,
   Logan<!-- on moz irc -->,
   Loune,
+  Łukasz Pilorz,
   Luke Kenneth Casson Leighton,
   Maciej Stachowiak,
   Magnus Kristiansen<!-- Dashiva -->,

Modified: source
===================================================================
--- source	2014-03-18 18:36:16 UTC (rev 8554)
+++ source	2014-03-19 22:01:39 UTC (rev 8555)
@@ -75804,8 +75804,8 @@
 
    <li><p>If the new resource is to be handled using a mechanism that does not affect the browsing
    context, e.g. ignoring the navigation request altogether because the specified scheme is not one
-   of the supported protocols, then abort these steps and proceed with that mechanism
-   instead.</p></li>
+   of the supported protocols, then abort these steps and <span data-x="hand-off to external
+   software">proceed with that mechanism instead</span>.</p></li>
 
    <li>
 
@@ -76318,11 +76318,24 @@
 
    <li><p>Otherwise, the document's <var data-x="">type</var> is such that the resource will not
    affect the browsing context, e.g. because the resource is to be handed to an external application
-   or because it is an unknown type that will be processed <span>as a download</span>. Process the
-   resource appropriately.</p>
+   or because it is an unknown type that will be processed <span>as a download</span>. <span
+   data-x="hand-off to external software">Process the resource appropriately</span>.</p>
 
   </ol>
 
+  <p>When a resource is handled by <dfn data-x="hand-off to external software">passing its URL or
+  data to an external software package</dfn> separate from the user agent (e.g. handing a <code
+  data-x="">mailto:</code> URL to a mail client, or a Word document to a word processor), user
+  agents should attempt to mitigate the risk that this is an attempt to exploit the target software,
+  e.g. by prompting the user to confirm that the <span>source browsing context</span>'s <span>active
+  document</span>'s <span>origin</span> is to be allowed to invoke the specified software. In
+  particular, if the <span>navigate</span> algorithm, when it was invoked, was not <span>allowed to
+  show a popup</span>, the user agent should not invoke the external software package without prior
+  user confirmation.</p>
+
+  <p class="example">For example, there could be a vulnerability in the target software's URL
+  handler which a hostile page would attempt to exploit by tricking a user into clicking a link.</p>
+
   <hr>
 
   <p>Some of the sections below, to which the above algorithm defers in certain cases, require the
@@ -116892,6 +116905,7 @@
   Lobotom Dysmon,
   Logan<!-- on moz irc -->,
   Loune,
+  &#x0141;ukasz Pilorz,
   Luke Kenneth Casson Leighton,
   Maciej Stachowiak,
   Magnus Kristiansen<!-- Dashiva -->,

More information about the Commit-Watchers mailing list