[whatwg] Blacklist for regsiterProtocolHandler()
lachlan.hunt at lachy.id.au
Tue Apr 19 11:11:44 PDT 2011
On 2011-04-19 19:33, Ian Hickson wrote:
> On Tue, 12 Apr 2011, Lachlan Hunt wrote:
>> We are investigating registerProtocolHandler and have been discussing
>> the need for a blacklist of protocols to forbid.
>> We'd like to know if we've missed any important schemes that must be
>> blocked, and we think it might be useful if the spec listed most of
>> those, except for the vendor specific schemes, which should probably be
>> left up to each vendor to worry about.
> I haven't updated the spec yet, but it strikes me that maybe what we
> should do instead is have a whitelist of protocols we definitely want to
> allow (e.g. mailto:), and define a common prefix for protocols that are
> used with this feature, in a similar way to how with XHR we've added Sec-*
> as a list of headers _not_ to support.
Other protocols we should probably also whitelist:
irc, sms, smsto, tel.
I'm also curious how we could handle ISBN URNs, like:
That would be useful to have a web service that could look up the ISBN
and direct users to information about the book, or to an online store.
As currently specified, services have to register a handler for "urn",
even if they only handle ISBN URNs. The other alternative would be to
mint a new web+isbn scheme, which seems suboptimal.
> So e.g. we could whitelist any protocol starting with "web+" and then
> register that as a common extension point for people inventing protocols
> for use with this feature, so that people writing OS-native apps would
> know that if they used a protocol with that prefix it's something that any
> web site could try to take over.
That seems reasonable.
Lachlan Hunt - Opera Software
More information about the whatwg