[whatwg] Blacklist for regsiterProtocolHandler()
Lachlan Hunt
lachlan.hunt at lachy.id.au
Tue Apr 19 11:11:44 PDT 2011
On 2011-04-19 19:33, Ian Hickson wrote:
> On Tue, 12 Apr 2011, Lachlan Hunt wrote:
>>
>> We are investigating registerProtocolHandler and have been discussing
>> the need for a blacklist of protocols to forbid.
>>
>> [...]
>>
>> We'd like to know if we've missed any important schemes that must be
>> blocked, and we think it might be useful if the spec listed most of
>> those, except for the vendor specific schemes, which should probably be
>> left up to each vendor to worry about.
>
> I haven't updated the spec yet, but it strikes me that maybe what we
> should do instead is have a whitelist of protocols we definitely want to
> allow (e.g. mailto:), and define a common prefix for protocols that are
> used with this feature, in a similar way to how with XHR we've added Sec-*
> as a list of headers _not_ to support.
Other protocols we should probably also whitelist:
irc, sms, smsto, tel.
I'm also curious how we could handle ISBN URNs, like:
urn:isbn:0-395-36341-1
That would be useful to have a web service that could look up the ISBN
and direct users to information about the book, or to an online store.
As currently specified, services have to register a handler for "urn",
even if they only handle ISBN URNs. The other alternative would be to
mint a new web+isbn scheme, which seems suboptimal.
> So e.g. we could whitelist any protocol starting with "web+" and then
> register that as a common extension point for people inventing protocols
> for use with this feature, so that people writing OS-native apps would
> know that if they used a protocol with that prefix it's something that any
> web site could try to take over.
That seems reasonable.
--
Lachlan Hunt - Opera Software
http://lachy.id.au/
http://www.opera.com/
More information about the whatwg
mailing list