[whatwg] Disallowing dots in the protocol argument of registerProtocolHandler()

Aryeh Gregor Simetrical+w3c at gmail.com
Thu Apr 21 12:16:03 PDT 2011


On Tue, Apr 19, 2011 at 9:51 AM, Wilhelm Joys Andersen
<wilhelmja at opera.com> wrote:
> . . .
> After running the lines of script above, typing any of the
> following URLs will lead the user to evilsite.tld:
>
>   mail.google.com:80/mail/
>   192.168.1.1:80
> . . .
> To save ourselves (and our users) from possible future headaches,
> we have decided to disallow the use of dots in the protocol argument
> of registerProtocolHandler().

It was pointed out on IRC
<http://krijnhoetmer.nl/irc-logs/whatwg/20110415#l-734> that it would
make sense to also ban the string "localhost", as the only common
domain name that contains no dots.
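
The check discussed in this thread, as an added example that is not part of the original post or any browser's code. The `HandlerRegistry` class, its method names and the scheme-first lookup in `resolve()` are assumptions made for illustration.

```javascript
// Added example: simplified model, not browser or spec code.
// Assumption: typed text before the first ":" is treated as a scheme
// whenever a handler is registered under that exact name.

// Registration check combining the two rules from the thread:
// no dots in the protocol argument, and no "localhost".
function checkProtocolArgument(protocol) {
  const name = String(protocol).toLowerCase();
  if (name.includes(".")) {
    return { ok: false, reason: "contains a dot (could be a hostname or IP)" };
  }
  if (name === "localhost") {
    return { ok: false, reason: "dotless hostname" };
  }
  return { ok: true, reason: "" };
}

// Hypothetical handler registry; `validate` toggles the check above.
class HandlerRegistry {
  constructor(validate) {
    this.validate = validate;
    this.handlers = new Map();
  }

  register(protocol, handlerUrl) {
    if (this.validate) {
      const verdict = checkProtocolArgument(protocol);
      if (!verdict.ok) throw new Error(`registration refused: ${verdict.reason}`);
    }
    this.handlers.set(String(protocol).toLowerCase(), handlerUrl);
  }

  // Decide whether typed text goes to a registered handler or is
  // navigated to as an ordinary host[:port][/path].
  resolve(typed) {
    const colon = typed.indexOf(":");
    const token = colon === -1 ? "" : typed.slice(0, colon).toLowerCase();
    if (this.handlers.has(token)) {
      return { kind: "handler", target: this.handlers.get(token) };
    }
    return { kind: "host", target: typed };
  }
}
```
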
