[whatwg] Registering protocol handlers

Ian Hickson ian at hixie.ch
Mon Apr 24 00:57:36 PDT 2006 

On Sat, 22 Apr 2006, Christian Biesinger wrote:
> >
> > They can't be checked at the registration point, because the URI might 
> > become valid before it is used, and because the networking library 
> > might not be able to tell if the URI is valid without fetching it. 
> > (It's also not really clear where you draw the line of an "invalid" 
> > URI -- is http://192.0.2.812/ an invalid URI?)
> 
> Oh, our interpretation of "valid" is different, obviously :) The way I 
> used it an invalid URI would never become valid. I meant it 
> syntactically only.

So, like, the address in the following HTML:

   <button onclick="
     navigater.registerContentHandler('http://www.example.com/é', ...);
   "/>

...would be invalid? Or not? That changed when the IRI spec came out. I'm 
not sure you can guarentee that a URI will always be invalid.


> Anyway, I wonder if it's worth mentioning that malformed URIs should 
> never cause an exception to be thrown? (other than lack of %s of course)

Added.


> > > BTW... shouldn't sites have the possibility to unregister 
> > > themselves? I as a user would expect a site that has a "register me" 
> > > button to also have an "unregister me" button.
> > 
> > I would presume the UA would provide this option, not the page. 
> > (Similarly, you don't have a Web API to remove a search engine, only 
> > to add one.)
> 
> Sure, the UA should have that as well. But it feels to me that the page 
> should also have it. This API is more likely than the search engine case 
> to register pages that require having an account (e.g. subscribe to a 
> feed, import a .ics file, send an email (mailto:foo at bar)). Wouldn't it 
> be nice if the page could unregister itself when the user deletes their 
> account?

I don't know, would it? I don't see the use case. Why would, e.g., Flickr, 
ever unregister itself as an image/x-flickr handler? (The only theoretical 
case I can see, namely the site changing its server location, seems like a 
bad reason -- you should always support the old location, good URIs don't 
change.)


> Hm... actually it's possible that we have differing ideas of how the UI 
> will look. I am imagining that there will be an option for the user to 
> always open that protocol/content type with the specified URL. If this 
> is done during registration, where would you as a user expect to 
> unregister the URL again? Where you registered it, I would say.

I think that would be a very dangerous option. But in any case, consider 
the case for a download today -- you can set the default to always be a 
particular app when you download a file, so how do you change the default? 
IMHO it would be in the same place.


> But, I don't feel strongly on this point. If this doesn't convince you, 
> I'm fine with that :)

I think we should wait until we have more experience before adding the 
unregister feature. Adding features is reasonably easy. Removing them is 
near-impossible.


> I do suspect that this will lead to inconsistent UI. Some files will go 
> to the registered URL, some to the pre-existing handler (local app or 
> something). The user may have no idea why.

The same could be said today for clicking on a link. I'm all for making 
this better, but I don't see what the spec can do to help.


> > This seems equivalent to what is currently in the spec -- the spec 
> > already says that when the UA uses the given URI, it must do so in a 
> > particular way. I've added some minor text to reference that more 
> > explicitly in the paragraph you mention.
> 
> To me, "User agents may do whatever they like" means that there are no 
> restrictions. It sounds to me like they can ignore everything that was 
> said before. I guess leave this as-is if you don't think people will 
> read it that way.

Clearly people will, if you did. :-)

I've changed it to:

   User agents may, within the constraints described in this
   seciton, do whatever they like [...]


> > > - The request may have required certain cookies
> > > - The request may have required certain authentication headers
> > > - The request may only be possible from certain IP ranges
> > 
> > In other words, the content might be privileged -- in which case you
> > definitely don't want to send it to a remote site!
> 
> No, you may still want to send it to a remote site. Consider this: A 
> university's information system may allow exporting a student's courses 
> for a semester as an ICS file. A user may well not mind sending that ics 
> file to Google Calendar, but accessing that export functionality does 
> require authentication of course.

I think for this case the university should either offer a "private" URI 
that can be forwarded to the remote site (much like how Google Calendar 
has a "private URI" for your ICS file), or the user should download the 
file, go to the other site, and upload it.


> > Leaking intranet URIs is a lot less dangerous than leaking intranet 
> > _content_, though.
> 
> Yeah. That's true.
> 
> > No, it doesn't require anything. The spec doesn't say when you use 
> > this --
> 
> Convenient, isn't it?
>
> > in particular, it doesn't say you should use these options for the 
> > result of non-GET or authenticated requests. It even says that maybe 
> > you _shouldn't_ use it for authenticated requests, and I've now added 
> > a sentence that says you musn't use it for non-GET resources.
> 
> Again, I fear this will lead to inconsistent UI. That you don't say when 
> it should be used is also not ideal, but I guess unavoidable as you 
> don't want to require a certain UI.

I don't see how we can require a certain UI. User Interface is how 
browsers differentiate from each other.


> Let me ask you: Does a spec with this many unspecified details satisfy 
> you?

Yes, I wouldn't have written it otherwise. :-) This is not a UI spec -- 
this is a spec that is to ensure one thing and one thing only, namely that 
the same basic feature can be offered for any browser without having to 
browser-sniff.

Specs don't say how, e.g., <select> elements should work, other than the 
fact that they should offer certain options. Whether it's control-click or 
command-click or whether it's a drop down or a list or whether it's a 
pop-up, is all up to the UA. You can't require a particular UI, because 
some applications (e.g. EmacsSpeak) have radically different UIs than 
others (e.g. Opera on a cell phone).


> > The main use cases I see here are for feeds, and for those you 
> > definitely want to send the URI. Same with, e.g., an iCalendar feed.
> 
> Maybe. The iCalendar file in question may not be something that changes 
> though. It seems to me like this is useful only for very few use cases, 
> limited basically to feeds.
> 
> I'm not happy with registerContentHandler at all.

I'm not sure how to address your issues. What text would you like to see 
be added to the spec?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

More information about the whatwg mailing list