[whatwg] AppCache online whitelist wildcard bypasses restriction on scheme
Ian Hickson
ian at hixie.ch
Thu Aug 13 17:29:08 PDT 2009
On Wed, 5 Aug 2009, Jenn Braithwaite (è~C¡æ~E§é~K~R) wrote:
>
> In the AppCache section of the HTML5 spec, the new wildcard value '*'
> for the online whitelist section allows one to 'whitelist all'
> regardless of scheme. However, the spec requires a URL in the online
> whitelist section to have the same scheme as the manifest URL. Seems
> like the new wildcard feature has created a mismatch in whether the
> scheme should be restricted.
>
> Should the scheme restriction be consistent regardless of wildcard value
> vs explicitly listed URL?
I've changed the model to so that any resourcs that aren't in the same
scheme are automatically in the online whitelist, whether "*" is specified
or not.
I think the scheme restrictions were always intended to work this way
(i.e. always intended as a way to make it impossible to cache mailto:
URIs, and things like that, and always intended to not block cross-scheme
networking), but it seems it was only half-baked before.
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the whatwg
mailing list