[whatwg] Blacklist for regsiterProtocolHandler()

timeless timeless at gmail.com
Mon Apr 18 13:39:37 PDT 2011


On Tue, Apr 12, 2011 at 5:18 PM, Lachlan Hunt <lachlan.hunt at lachy.id.au> wrote:
>  We are investigating registerProtocolHandler and have been discussing the
> need for a blacklist of protocols to forbid.
>
> Our list currently includes:
> * http:
> * https:
> * ftp:
> * file:
>
> * about:
> * data:
>
> Email specific schemes:
> * cid:
> * mid:
>
> Scripting schemes:
> * javascript:
> * vbscript:
>
> Ancient Netscape scripting schemes. some were apparently aliases for
> javascript:
> * mocha:
> * livescript:
> * livewire:
> * tcl:
>
> Also, implementers need to be take care with vendor specific schemes:
> * chrome: (Mozilla, Chrome)
> * view-source: (Mozilla, Chrome)
> * res: (IE)
> * resource: (Mozilla)
> * opera: (Opera)
> * attachment: (Opera)
> (This list is probably incomplete)
>
> We'd like to know if we've missed any important schemes that must be
> blocked, and we think it might be useful if the spec listed most of those,
> except for the vendor specific schemes, which should probably be left up to
> each vendor to worry about.

possibly "mthml:" (Windows)

I should go fish for a list sometime. Poke me in two weeks?


More information about the whatwg mailing list