[whatwg] Blacklist for registerProtocolHandler()

Lachlan Hunt lachlan.hunt at lachy.id.au
Tue Apr 12 07:18:06 PDT 2011

We are investigating registerProtocolHandler and have been discussing 
the need for a blacklist of protocols to forbid.

Our list currently includes:
* http:
* https:
* ftp:
* file:

* about:
* data:

Email specific schemes:
* cid:
* mid:

Scripting schemes:
* javascript:
* vbscript:

Ancient Netscape scripting schemes. Some were apparently aliases for 
* mocha:
* livescript:
* livewire:
* tcl:

Also, implementers need to take care with vendor specific schemes:
* chrome: (Mozilla, Chrome)
* view-source: (Mozilla, Chrome)
* res: (IE)
* resource: (Mozilla)
* opera: (Opera)
* attachment: (Opera)
(This list is probably incomplete)

We'd like to know if we've missed any important schemes that must be 
blocked, and we think it might be useful if the spec listed most of 
those, except for the vendor specific schemes, which should probably be 
left up to each vendor to worry about.

Lachlan Hunt - Opera Software
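
As an added example (not part of the original message and not any browser's code), one way an implementation could apply the two tiers the message describes: a shared list plus a per-vendor list. The function name, the vendor keys and the RFC 3986 syntax check are assumptions of this example; the scheme lists are copied from the message.

```javascript
// Shared list: schemes the message proposes the spec should forbid.
const SPEC_BLOCKED = new Set([
  "http", "https", "ftp", "file", "about", "data",
  "cid", "mid",
  "javascript", "vbscript",
  "mocha", "livescript", "livewire", "tcl",
]);

// Vendor-specific schemes, keyed by hypothetical lowercase vendor ids.
// A Map avoids accidental hits on Object.prototype keys.
const VENDOR_BLOCKED = new Map([
  ["mozilla", ["chrome", "view-source", "resource"]],
  ["chrome", ["chrome", "view-source"]],
  ["ie", ["res"]],
  ["opera", ["opera", "attachment"]],
]);

// RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
const SCHEME_SYNTAX = /^[A-Za-z][A-Za-z0-9+.-]*$/;

// Hypothetical helper: decide whether a page may register a handler.
function checkHandlerScheme(input, vendor) {
  if (typeof input !== "string") {
    return { allowed: false, reason: "not-a-string" };
  }
  // Accept both "mailto" and "mailto:"; nothing else is stripped, so
  // embedded whitespace or control characters fail the syntax check.
  const bare = input.endsWith(":") ? input.slice(0, -1) : input;
  // Validate before lowercasing so only ASCII reaches toLowerCase().
  if (!SCHEME_SYNTAX.test(bare)) {
    return { allowed: false, reason: "invalid-syntax" };
  }
  const scheme = bare.toLowerCase(); // schemes compare case-insensitively
  if (SPEC_BLOCKED.has(scheme)) {
    return { allowed: false, reason: "blocked-by-spec-list" };
  }
  if ((VENDOR_BLOCKED.get(vendor) || []).includes(scheme)) {
    return { allowed: false, reason: "blocked-by-vendor-list" };
  }
  return { allowed: true, reason: "ok", scheme };
}
```
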
