[whatwg] Blacklist for regsiterProtocolHandler()

Lachlan Hunt lachlan.hunt at lachy.id.au
Tue Apr 19 11:11:44 PDT 2011

On 2011-04-19 19:33, Ian Hickson wrote:
> On Tue, 12 Apr 2011, Lachlan Hunt wrote:
>> We are investigating registerProtocolHandler and have been discussing
>> the need for a blacklist of protocols to forbid.
>> [...]
>> We'd like to know if we've missed any important schemes that must be
>> blocked, and we think it might be useful if the spec listed most of
>> those, except for the vendor specific schemes, which should probably be
>> left up to each vendor to worry about.
> I haven't updated the spec yet, but it strikes me that maybe what we
> should do instead is have a whitelist of protocols we definitely want to
> allow (e.g. mailto:), and define a common prefix for protocols that are
> used with this feature, in a similar way to how with XHR we've added Sec-*
> as a list of headers _not_ to support.

Other protocols we should probably also whitelist:

irc, sms, smsto, tel.

I'm also curious how we could handle ISBN URNs, like:


That would be useful to have a web service that could look up the ISBN 
and direct users to information about the book, or to an online store.

As currently specified, services have to register a handler for "urn", 
even if they only handle ISBN URNs.  The other alternative would be to 
mint a new web+isbn scheme, which seems suboptimal.

> So e.g. we could whitelist any protocol starting with "web+" and then
> register that as a common extension point for people inventing protocols
> for use with this feature, so that people writing OS-native apps would
> know that if they used a protocol with that prefix it's something that any
> web site could try to take over.

That seems reasonable.

Lachlan Hunt - Opera Software

More information about the whatwg mailing list