[whatwg] Application deployment

Kristof Zelechovski giecrilj at stegny.2a.pl
Mon Jul 28 01:22:51 PDT 2008

Having this URL monster shipped does not preclude replacing it with a more
logical one and deprecating the original one.  People make mistakes all the
time and fortunately there are cases where the harm can be undone.
(It is not about withdrawing the support for JAR archives but about changing
the URL notation for accessing their content).  Perhaps the new notation
could even make it into HTML?
Of course this means that the way relative locators inside an archived
document are handled must be changed (they should apply to the fragment and
not to the archive path); it should not be possible to escape an archive
following relative hyperlinks.  
It should also be noted that such an archive has a flat file system (only
one directory with files tagged with relative paths rather than plain names)
whereas the HTTP path component addresses a hierarchical file system with
true directories.  It can cause relative hyperlinks to break when archiving
an existing directory.

-----Original Message-----
From: adam at adambarth.com [mailto:adam at adambarth.com] On Behalf Of Adam Barth
Sent: Monday, July 28, 2008 9:55 AM
To: Kristof Zelechovski
Cc: Philipp Serafin; whatwg at whatwg.org; Russell Leggett
Subject: Re: [whatwg] Application deployment

On Sun, Jul 27, 2008 at 11:55 PM, Kristof Zelechovski
<giecrilj at stegny.2a.pl> wrote:
> <jar:http://www.example.com/site.jar!/path/inside/foo.html>?
> What kind of a syntax is that??  JAR is not a protocol, it is a content
> type.

In Firefox, jar is a protocol that means retrieve the enclosed URL,
unzip the contents, and look for the path after the "!".  I suspect
the reason the Firefox developers chose ! to separate the URL to the
JAR from the path within the JAR is that ! is not a valid URL

> It should rather be
> <http://www.example.com/site.jar#path/inside/foo.html>.  It reads:
> the resource "site.jar" using the HTTP protocol and look into it for the
> fragment "foo.html".  I do not know how to read the original notation and
> think it should be withdrawn.

Withdrawn from what?  This feature has already shipped in a number of
versions of Firefox.  The main value of using the packaged archive is
that the content author can sign the archive.  For example, this is
the mechanism used for Firefox extensions.

My guess is this mechanism will not be included in HTML 5 because some
of the other browser vendors have expressed their distaste for nested
URL schemes.

> Chris
> -----Original Message-----
> From: whatwg-bounces at lists.whatwg.org
> [mailto:whatwg-bounces at lists.whatwg.org] On Behalf Of Adam Barth
> Sent: Sunday, July 27, 2008 11:33 PM
> To: Philipp Serafin
> Cc: whatwg at whatwg.org; Russell Leggett
> Subject: Re: [whatwg] Application deployment
> Firefox already implements this today with the jar protocol.  Put your
> content into a zip archive and access it using this kind of URL:
> jar:http://www.example.com/site.jar!/path/inside/foo.html
> I'm not sure many sites use this feature, but it has been a source of
> several recent security issues.
> Adam
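
Added example, not part of the thread or of any browser's code: a sketch of the rule proposed in the top message, where relative references resolve against the path inside the archive, never against the archive URL, and cannot climb out of it. The function names, the sample entries and the choice to split at the first "!/" are assumptions of this example; query strings and fragments in references are not handled.

```javascript
// Added illustration; function names and sample entries are constructed.
// Assumption: archive URL and entry path are separated by the first "!/".
function parseJarUrl(url) {
  if (!url.startsWith("jar:")) throw new TypeError("not a jar: URL");
  const sep = url.indexOf("!/");
  if (sep === -1) throw new TypeError("missing !/ separator");
  return { archive: url.slice(4, sep), entry: url.slice(sep + 2) };
}

// Resolve a relative reference against the entry path only. The archive URL
// is never modified, and climbing above the archive root is an error.
function resolveInArchive(baseUrl, ref) {
  const { archive, entry } = parseJarUrl(baseUrl);
  if (ref === "") return { archive, entry };
  if (/^[a-z][a-z0-9+.-]*:/i.test(ref) || ref.startsWith("//")) {
    throw new RangeError("absolute reference leaves the archive");
  }
  // Start from the base entry's "directory", or from the root for "/..." refs.
  const stack = ref.startsWith("/") ? [] : entry.split("/").slice(0, -1);
  for (const seg of ref.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (stack.length === 0) throw new RangeError("reference escapes the archive");
      stack.pop();
    } else {
      stack.push(seg);
    }
  }
  return { archive, entry: stack.join("/") };
}

// A zip archive is a flat map from full entry names to content: there are
// no real directories, so lookup is an exact string match on the whole name.
function lookup(entries, resolved) {
  return entries.has(resolved.entry) ? entries.get(resolved.entry) : null;
}

const sampleEntries = new Map([ // constructed sample archive
  ["path/inside/foo.html", "<a href='../bar.html'>bar</a>"],
  ["path/bar.html", "bar"],
]);
const base = "jar:http://www.example.com/site.jar!/path/inside/foo.html";
```

Because the lookup is an exact match on flat entry names, a link that worked in a real directory tree only keeps working if the archive stores the target under exactly the name the resolution produces.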
