[whatwg] Whitelist for registerProtocolHandler()
rektide at voodoowarez.com
Thu Jun 9 12:35:17 PDT 2011
I just got wind of Ian Hixie's comments in reply to a thread on blacklists for
registerProtocolHandler. In it, he proposes a whitelist of
First, forgive me for creating a new thread on this topic — I would rather have replied to
the thread but do not know how to find the mail headers I would need to construct that
mailing — but I do wish to register issuance with this proposal. Ian mentions 'that
people writing OS-native apps would know that if they used a protocol with that prefix it's
something that any web site could try to take over', but this has some issues:
1. The current use case for registerProtocolHandler is intra-page. For one example, here's
the MDC docs:
"Note: Web sites may only register protocol handlers for themselves. For security reasons,
it's not possible for an extension or web site to register protocol handlers targeting other
2. Someone who wishes to register a 'web' protocol for their own usage ought be forced to
consider that this protocol may not necessarily remain in their own purview.
3. It forces syntactical cruft upon people wishing to exercise this capability, and that
cruft makes website handled protocols less likely to be used, to look cheap, and to be
regarded as second class citizen of the protocol world. Tim Bray has already lamented
enforcing the // upon the world, and if web+ protocols take off this will exacerbate his two
character mistake by another four oh-so-valuable characters. We ought not double the
obvious + preventable mistakes of the past.
4. Whitelisting seems fundamentally 'anti-web' by enforcing only what is out there already.
I strongly support the notion that web pages ought be able to provide their own content &
protocol handlers — especially in an OS native fashion — and it strikes me as unwieldy to
place this ^web\+[:soo:]+ restriction on this extension point. Personally, I think it is
very high priority to reconsider Ian's informal decree (which has since been pressed into
service in WebKit), and formalize consensus around this issue.
Regards, & wish & asking of forgiveness for not having left lurk-mode in a happier fashion--
M. "rektide" Fowle