Re: [whatwg] registerProtocolHandler - allow site to specify more info and do custom handling

[Ian Hickson]

On Thu, 30 May 2013, chris cargile wrote:

 there seems to be a limitation that either registerProtocolHanlder() 
 takes GET requests but not POST requests

Since you are only ever sent a URL, this seems like the appropriate kind 
of request, no?

On Thu, 30 May 2013, chris cargile wrote:

 https://www.w3.org/Bugs/Public/show_bug.cgi?id=22022. 

I don't really understand the problem here. Can you elaborate? What 
problem are you trying to resolve?

-- 
Ian Hickson   U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/   U+263A/,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

[whatwg] registerProtocolHandler - allow site to specify more info and do custom handling

[chris cargile]

in case the associated thread of messages for this subject are not referenced 
by pipermail via this post's title, I wanted to link to them 
here-http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2009-September/023084.html.
I'm writing to discuss/obtain clarification regarding a post that was intended 
to serve as a suggestion from me (which is filed in the w3c system, perhaps 
primarily aimed at identifying bugs) to avoid any loss of momentum and 
hopefully reach the relevant,target audience.
In my w3c suggestion(/bug?) post I described - similar to as voiced in the 
older thread- that there seems to be a limitation that either 
registerProtocolHanlder() takes GET requests but not POST requests or perhaps 
Gmail  --- as a UA seems to..
To properly route this, I hope you'll help me to understand whether using POST 
in conjunction with mailto:/gmail(-UA) is a w3c concern or a gmail-team 
concern, so I can begin helping shape the web with you!
Thanks for helping,Chris



  

Re: [whatwg] registerProtocolHandler - allow site to specify more info and do custom handling

[Ian Hickson]

On Mon, 5 Oct 2009, Michael A. Puls II wrote:
  
   3. URI to a help page where the site explains how it makes uses of 
   registerProtocolHandler and gives help and support contacts etc.
  
  The UA can already keep track of the page from which the user 
  registered the handler, which seems suitable.
 
 O.K., there can be some guidelines/tutorials that recommend that the 
 page that registers the handler is also the help page so that UAs can 
 use that info if needed. It could also be recommended in such a tutorial 
 that the page should use the desired favicon so UAs can use it if they 
 want (and how they want and with what restrictions they want)

This is the kind of thing for which implementation experience will be 
particularly useful.


   4. Whether to use POST instead of GET.
  
  Always use GET. You're only sending a URL anyway.
 
 But, with POST you can send longer data (depending on the server and its 
 config). Since %s is a percent-encoded version of data that's usually 
 already percent-encoded (in parts of the URI), a lot of that length is 
 lost in just percent-encoding (lots of %2525s for example).

How long a URL are you expecting people to be using with this?? I rarely 
see 4K URLs when downloading files or following mailto: URLs!


 Also, the devs for one webmail even prefer POST data as they said that 
 it's less revealing when submitting through a proxy. But, I never 
 validated that.

If they care about the privacy of their users, they should use TLS.


   Finally, it's unfortunate that registerProtocolHandler can't 
   optionally support a custom format string for the second argument 
   and a format argument that's a function that gets the URI the user 
   clicked on passed to it.
  
  Why can't the server just do that server-side? That way it doesn't 
  have to worry about updating clients later if it wants to support more 
  features.
 
 I'm not saying they can't. More like, I'm saying they won't or cannot in 
 a timely manner and that there's a better chance of support if they 
 don't have to change their server-side scripts and can just use a little 
 JS.

I think it's unrealistic to expect that an application provider would have 
more trouble updating a server-side script than it would be to expect the 
same application provider to update the JS of all its clients' 
configurations.


 Also, with your user hat on, you should see why it'd be great to have a 
 standardized function to do customize handling yourself to workaround 
 lack of support for %s.

As a user, I'd think it'd be great if I never had to see JS at all.


   For example, all of these webmails don't support what 
   registerProtocolHandler emits. They only support individual values, 
   which are different for each webmail.
   
   http://mymail.operamail.com/scripts/mail/Outblaze.mail?compose=1did=1a=1to=subject=body=cc=bcc=;
   http://mail.live.com/mail/EditMessageLight.aspx?n=to=cc=bcc=subject=body=;
   http://compose.mail.yahoo.com/?To=Subj=Cc=Bcc=Body=;
   http://your_squirrelmail_server.com/src/compose.php?send_to=subject=body=send_to_cc=send_to_bcc=;
   http://your_horde_server.com/horde/imp/compose.php?popup=0to=cc=msg=subject=bcc=;
   http://mail01.mail.com/scripts/mail/Outblaze.mail?composeto=subject=body=cc=bcc=compose=1;
   http://win.mail.ru/cgi-bin/sentmsg?To=CC=BCC=Subject=BodyUTF8=accel=1;
   http://your_roundcubemail_server/?_task=mail_action=compose_to=_subject=_body=_cc=_bcc=;
   
   In these cases, the URI format string in registerProtocolHandler 
   would need a %key for to, subject, body, cc and bcc. The site could 
   use %t, %j, %k and %l and %m for these for example. But, for the UA 
   to understand those %keys (since the UA would only understands %s), 
   a custom function would be needed that did the processing on the 
   link the user clicked and returned the URI argument with the %keys 
   replaced with the desired values.
  
  If a site wanted to support these, it need but provide a CGI script 
  that parsed the mailto: URL and redirected the user to the appropriate 
  server. It could even support other encodings.
 
 Yep, this is basically what Gmail does and works great. It basically 
 converts https://mail.google.com/mail/?extsrc=mailtourl=; into what's 
 really supported, which is: 
 http://mail.google.com/mail/?compose=1view=cmfs=1to=su=body=cc=bcc=;.
 
 However, it doesn't seem like many other sites will do that or even get 
 the mailto URI parsing right. They can't even fix the bugs in their 
 regular compose URIs.

Yes, you can, that's my point. Just write a CGI script that redirects to 
one of the above URLs, after having converted the URL accordingly.


 If you could do custom handling with registerProtocolHandler, you could 
 register a handler yourself and do the processing as you like and do any 
 workarounds that are needed for the site.

You can do that now. Just make yourself a CGI script and register that.

-- 
Ian Hickson   U+1047E

Re: [whatwg] registerProtocolHandler - allow site to specify more info and do custom handling

[Michael A. Puls II]

On Sun, 11 Oct 2009 05:09:56 -0400, Ian Hickson i...@hixie.ch wrote:


On Mon, 5 Oct 2009, Michael A. Puls II wrote:

 
  3. URI to a help page where the site explains how it makes uses of
  registerProtocolHandler and gives help and support contacts etc.

 The UA can already keep track of the page from which the user
 registered the handler, which seems suitable.

O.K., there can be some guidelines/tutorials that recommend that the
page that registers the handler is also the help page so that UAs can
use that info if needed. It could also be recommended in such a tutorial
that the page should use the desired favicon so UAs can use it if they
want (and how they want and with what restrictions they want)


This is the kind of thing for which implementation experience will be
particularly useful.


O.K.


  4. Whether to use POST instead of GET.

 Always use GET. You're only sending a URL anyway.

But, with POST you can send longer data (depending on the server and its
config). Since %s is a percent-encoded version of data that's usually
already percent-encoded (in parts of the URI), a lot of that length is
lost in just percent-encoding (lots of %2525s for example).


How long a URL are you expecting people to be using with this?? I rarely
see 4K URLs when downloading files or following mailto: URLs!


Think of the longest email body you've ever sent. Think of the longest  
comma-separated cc, bcc, and To lists you've ever used. Think of the  
longest subject you've ever used. Think of all of that at once, properly  
percent-encoded in a mailto URI. Then, percent-encode that whole mailto  
URI. The length of the resulting string is an example of the length I'm  
talking about that should be supported as a worst case length-wise.



Also, the devs for one webmail even prefer POST data as they said that
it's less revealing when submitting through a proxy. But, I never
validated that.


If they care about the privacy of their users, they should use TLS.


O.K.


  Finally, it's unfortunate that registerProtocolHandler can't
  optionally support a custom format string for the second argument
  and a format argument that's a function that gets the URI the user
  clicked on passed to it.

 Why can't the server just do that server-side? That way it doesn't
 have to worry about updating clients later if it wants to support more
 features.

I'm not saying they can't. More like, I'm saying they won't or cannot in
a timely manner and that there's a better chance of support if they
don't have to change their server-side scripts and can just use a little
JS.


I think it's unrealistic to expect that an application provider would  
have

more trouble updating a server-side script than it would be to expect the
same application provider to update the JS of all its clients'
configurations.


O.K.


Also, with your user hat on, you should see why it'd be great to have a
standardized function to do customize handling yourself to workaround
lack of support for %s.


As a user, I'd think it'd be great if I never had to see JS at all.


:) Yes, point taken on that. When all else fails though and you're the  
type that's so inclined to work around things, you might like it.



  For example, all of these webmails don't support what
  registerProtocolHandler emits. They only support individual values,
  which are different for each webmail.
 
   
http://mymail.operamail.com/scripts/mail/Outblaze.mail?compose=1did=1a=1to=subject=body=cc=bcc=;
   
http://mail.live.com/mail/EditMessageLight.aspx?n=to=cc=bcc=subject=body=;

  http://compose.mail.yahoo.com/?To=Subj=Cc=Bcc=Body=;
   
http://your_squirrelmail_server.com/src/compose.php?send_to=subject=body=send_to_cc=send_to_bcc=;
   
http://your_horde_server.com/horde/imp/compose.php?popup=0to=cc=msg=subject=bcc=;
   
http://mail01.mail.com/scripts/mail/Outblaze.mail?composeto=subject=body=cc=bcc=compose=1;
   
http://win.mail.ru/cgi-bin/sentmsg?To=CC=BCC=Subject=BodyUTF8=accel=1;
   
http://your_roundcubemail_server/?_task=mail_action=compose_to=_subject=_body=_cc=_bcc=;

 
  In these cases, the URI format string in registerProtocolHandler
  would need a %key for to, subject, body, cc and bcc. The site could
  use %t, %j, %k and %l and %m for these for example. But, for the UA
  to understand those %keys (since the UA would only understands %s),
  a custom function would be needed that did the processing on the
  link the user clicked and returned the URI argument with the %keys
  replaced with the desired values.

 If a site wanted to support these, it need but provide a CGI script
 that parsed the mailto: URL and redirected the user to the appropriate
 server. It could even support other encodings.

Yep, this is basically what Gmail does and works great. It basically
converts https://mail.google.com/mail/?extsrc=mailtourl=; into what's
really supported, which is:
http://mail.google.com/mail/?compose=1view=cmfs=1to=su=body=cc=bcc=;.

However, it doesn't seem like many other sites 

Re: [whatwg] registerProtocolHandler - allow site to specify more info and do custom handling

[Ian Hickson]

On Sat, 19 Sep 2009, Michael A. Puls II wrote:

 Currently, registerProtcolHandler works like this:
 
 navigator.registerProtocolHandler(protocol, http://example.org/?uri=%s;, 
 title);
 
 However, this doesn't allow the site to specify some useful and 
 important information about the site like:
 
 1. What encoding the server expects. For example, uri= might expect the 
 protocol link that was invoked in the browser to be interpreted as 
 koi8-r instead of utf-8. This might be the case even if the page that 
 uses registerProtocolHandler uses Windows-1251 for example.

Sites that want to use registerProtocolHandler() must use UTF-8.


 2. The location of an icon like a favicon.ico file or png etc.

I could see that as being mildly useful, though I would be concerned with 
the phishing risk. It seems that in most cases, the UA could just reuse 
the favicon of the page that registered the handler, though, maybe 
refreshing it from the page of the handler after the first time it is 
used. Also, it's unclear how we'd let the icon get updated when the site's 
icon changes; if we honour HTTP caching semantics or have a forced 
lifetime, then we have a privacy leak (a hostile site could maybe register 
a handler forcibly using a variety of induced-click techniques, or using 
social engineering, and then would just need to listen to the regular 
pings from the client updating the image), and if we don't ever update the 
image, then instead we have an out-of-date icon which could be worse than 
no icon at all.


 3. URI to a help page where the site explains how it makes uses of
 registerProtocolHandler and gives help and support contacts etc.

The UA can already keep track of the page from which the user registered 
the handler, which seems suitable.


 4. Whether to use POST instead of GET.

Always use GET. You're only sending a URL anyway.


 Finally, it's unfortunate that registerProtocolHandler can't optionally 
 support a custom format string for the second argument and a format 
 argument that's a function that gets the URI the user clicked on passed 
 to it.

Why can't the server just do that server-side? That way it doesn't have to 
worry about updating clients later if it wants to support more features.


 It's also unfortunate that it's so domain restricted. That's a good 
 default, but you can see that Firefox has an override for a reason.

Not sure what you mean here.


 For example, all of these webmails don't support what 
 registerProtocolHandler emits. They only support individual values, 
 which are different for each webmail.
 
 http://mymail.operamail.com/scripts/mail/Outblaze.mail?compose=1did=1a=1to=subject=body=cc=bcc=;
 http://mail.live.com/mail/EditMessageLight.aspx?n=to=cc=bcc=subject=body=;
 http://compose.mail.yahoo.com/?To=Subj=Cc=Bcc=Body=;
 http://your_squirrelmail_server.com/src/compose.php?send_to=subject=body=send_to_cc=send_to_bcc=;
 http://your_horde_server.com/horde/imp/compose.php?popup=0to=cc=msg=subject=bcc=;
 http://mail01.mail.com/scripts/mail/Outblaze.mail?composeto=subject=body=cc=bcc=compose=1;
 http://win.mail.ru/cgi-bin/sentmsg?To=CC=BCC=Subject=BodyUTF8=accel=1;
 http://your_roundcubemail_server/?_task=mail_action=compose_to=_subject=_body=_cc=_bcc=;
 
 In these cases, the URI format string in registerProtocolHandler would 
 need a %key for to, subject, body, cc and bcc. The site could use %t, 
 %j, %k and %l and %m for these for example. But, for the UA to 
 understand those %keys (since the UA would only understands %s), a 
 custom function would be needed that did the processing on the link the 
 user clicked and returned the URI argument with the %keys replaced with 
 the desired values.

If a site wanted to support these, it need but provide a CGI script that 
parsed the mailto: URL and redirected the user to the appropriate server. 
It could even support other encodings.


On Tue, 22 Sep 2009, Michael A. Puls II wrote:
 
 Say the user sees that things are not working right with the handler. 
 The user goes into the options to see what's doing with the handler 
 settings and notices the link. The user clicks on it. Then, on the page, 
 it says Attention: We've changed some things with what our server 
 accepts from our protocol handler. You need to register the handler 
 again by clicking here to get the updated version for example. User 
 does and is happy again. :)

This seems highly optimistic. I think a more likely scenario is user finds 
things are broken, user goes whining in a forum, someone there points them 
to the site that they are whining about, and on the site there's a notice 
or something. Or, the user finds it's broken, and they just go straight to 
the site and try to reregister, and it fixes itself (with the addition 
of a new handler).

I don't think the link you're suggesting would get much if any traffic.

I'm not sure why a handler would break though. I mean, there's very little 
that can change. Sites can always just do redirects.

-- 

Re: [whatwg] registerProtocolHandler - allow site to specify more info and do custom handling

[Michael A. Puls II]

On Mon, 05 Oct 2009 07:27:08 -0400, Ian Hickson i...@hixie.ch wrote:


On Sat, 19 Sep 2009, Michael A. Puls II wrote:


Currently, registerProtcolHandler works like this:

navigator.registerProtocolHandler(protocol,  
http://example.org/?uri=%s;, title);


However, this doesn't allow the site to specify some useful and
important information about the site like:

1. What encoding the server expects. For example, uri= might expect the
protocol link that was invoked in the browser to be interpreted as
koi8-r instead of utf-8. This might be the case even if the page that
uses registerProtocolHandler uses Windows-1251 for example.


Sites that want to use registerProtocolHandler() must use UTF-8.


O.K., so you definitely, no doubt about it, want to make that a  
requirement. If so, fine, just want to make sure.



2. The location of an icon like a favicon.ico file or png etc.


I could see that as being mildly useful, though I would be concerned with
the phishing risk. It seems that in most cases, the UA could just reuse
the favicon of the page that registered the handler, though, maybe
refreshing it from the page of the handler after the first time it is
used. Also, it's unclear how we'd let the icon get updated when the  
site's

icon changes; if we honour HTTP caching semantics or have a forced
lifetime, then we have a privacy leak (a hostile site could maybe  
register

a handler forcibly using a variety of induced-click techniques, or using
social engineering, and then would just need to listen to the regular
pings from the client updating the image), and if we don't ever update  
the

image, then instead we have an out-of-date icon which could be worse than
no icon at all.



3. URI to a help page where the site explains how it makes uses of
registerProtocolHandler and gives help and support contacts etc.


The UA can already keep track of the page from which the user registered
the handler, which seems suitable.


O.K., there can be some guidelines/tutorials that recommend that the page  
that registers the handler is also the help page so that UAs can use that  
info if needed. It could also be recommended in such a tutorial that the  
page should use the desired favicon so UAs can use it if they want (and  
how they want and with what restrictions they want)



4. Whether to use POST instead of GET.


Always use GET. You're only sending a URL anyway.


But, with POST you can send longer data (depending on the server and its  
config). Since %s is a percent-encoded version of data that's usually  
already percent-encoded (in parts of the URI), a lot of that length is  
lost in just percent-encoding (lots of %2525s for example).


Also, the devs for one webmail even prefer POST data as they said that  
it's less revealing when submitting through a proxy. But, I never  
validated that.



Finally, it's unfortunate that registerProtocolHandler can't optionally
support a custom format string for the second argument and a format
argument that's a function that gets the URI the user clicked on passed
to it.


Why can't the server just do that server-side? That way it doesn't have  
to

worry about updating clients later if it wants to support more features.


I'm not saying they can't. More like, I'm saying they won't or cannot in a  
timely manner and that there's a better chance of support if they don't  
have to change their server-side scripts and can just use a little JS.


Also, with your user hat on, you should see why it'd be great to have a  
standardized function to do customize handling yourself to workaround lack  
of support for %s.



It's also unfortunate that it's so domain restricted. That's a good
default, but you can see that Firefox has an override for a reason.


Not sure what you mean here.


file:///c:/documents%20and%20settings/user/desktop/test.html can't  
register a mailto handler for http://foo.org/?uri=%s; in Firefox by  
default. The URL argument has to be on the same domain or it is denied.  
Firefox does have an override though in about config, which you must use  
to get that to work.


I see the spec leaves this up to the UA to do what it wants though, so  
nevermind.


I also seem to remember that the intent was that the registered handler  
would only be invoked when clicking on links on pages on the domain that  
registered the handler. That would mean that the protocol handling would  
only work on the site's pages and no other sites. However, I don't see  
that in the spec and that's not how it works in FF, so nevermind.



For example, all of these webmails don't support what
registerProtocolHandler emits. They only support individual values,
which are different for each webmail.

http://mymail.operamail.com/scripts/mail/Outblaze.mail?compose=1did=1a=1to=subject=body=cc=bcc=;
http://mail.live.com/mail/EditMessageLight.aspx?n=to=cc=bcc=subject=body=;
http://compose.mail.yahoo.com/?To=Subj=Cc=Bcc=Body=;

Re: [whatwg] registerProtocolHandler - allow site to specify more info and do custom handling

[Anne van Kesteren]

On Sat, 19 Sep 2009 13:49:15 +0200, Michael A. Puls II  
shadow2...@gmail.com wrote:

Currently, registerProtcolHandler works like this:

navigator.registerProtocolHandler(protocol,  
http://example.org/?uri=%s;, title);


However, this doesn't allow the site to specify some useful and  
important information about the site like:


1. What encoding the server expects. For example, uri= might expect the  
protocol link that was invoked in the browser to be interpreted as  
koi8-r instead of utf-8. This might be the case even if the page that  
uses registerProtocolHandler uses Windows-1251 for example.


The IRI specification dictates UTF-8 already.



2. The location of an icon like a favicon.ico file or png etc.


Is this not already known? Or is there no same-origin restriction on these  
methods?



3. URI to a help page where the site explains how it makes uses of  
registerProtocolHandler and gives help and support contacts etc.


How does this help the user?



4. Whether to use POST instead of GET.


That seems dangerous. Following a link should always use GET.



[...]

Point being, registerProtocolHandler needs to be more robust. And,  
although this post is long, the requested additions are quite simple to  
specify.


Maybe these things can be supported in registerProtocolHandler v.02 once  
sites like the above prove that they are needed.


I don't see why existing sites would not update what they accept to make  
registerProtocolHandler work. And if user agents want to support sites  
that do not support registerProtocolHandler that is their business I think  
and not an necessarily an issue for the feature.



--
Anne van Kesteren
http://annevankesteren.nl/

Re: [whatwg] registerProtocolHandler - allow site to specify more info and do custom handling

[João Eiras]

2. The location of an icon like a favicon.ico file or png etc.



This is actually a real privacy issue. The user agent would periodically fetch 
a remove favicon, which discloses the end user's ip.
If any, such favicon would need to be made available offline immediately when 
installing the protocol handler, or a data uri could be used.

Re: [whatwg] registerProtocolHandler - allow site to specify more info and do custom handling

[Michael A. Puls II]

On Tue, 22 Sep 2009 09:54:12 -0400, João Eiras jo...@opera.com wrote:




2. The location of an icon like a favicon.ico file or png etc.



This is actually a real privacy issue. The user agent would periodically  
fetch a remove favicon, which discloses the end user's ip.


If you go to a site that uses registerProtocolHandler and you allow it to  
register the handler, you already trust that site and have already  
disclosed your ip to it. You'll disclose your ip to it again each time you  
visit the site.


Now, if the site, which I obviously trust given the above, knows that my  
browser is fetching the favicon fresh now and then and can see my ip (and  
can even set a cookie when requesting the favicon), I think that's a  
non-issue.


However...

If any, such favicon would need to be made available offline immediately  
when installing the protocol handler


O.K., that would be acceptable. And, the UA could allow the *user* to  
explicitly refetch the icon if they ever wanted to. The UA wouldn't even  
really have to allow a refetch as the user could just go back to the site  
and re-register then handler.


--
Michael

Re: [whatwg] registerProtocolHandler - allow site to specify more info and do custom handling

[Michael A. Puls II]

On Tue, 22 Sep 2009 09:10:02 -0400, Anne van Kesteren ann...@opera.com  
wrote:


On Sat, 19 Sep 2009 13:49:15 +0200, Michael A. Puls II  
shadow2...@gmail.com wrote:

Currently, registerProtcolHandler works like this:

navigator.registerProtocolHandler(protocol,  
http://example.org/?uri=%s;, title);


However, this doesn't allow the site to specify some useful and  
important information about the site like:


1. What encoding the server expects. For example, uri= might expect the  
protocol link that was invoked in the browser to be interpreted as  
koi8-r instead of utf-8. This might be the case even if the page that  
uses registerProtocolHandler uses Windows-1251 for example.


The IRI specification dictates UTF-8 already.


But sites might not follow it.


2. The location of an icon like a favicon.ico file or png etc.


Is this not already known? Or is there no same-origin restriction on  
these methods?


Do you mean, is the location known like favicon.ico at the root of the  
site? It's not always in that spot. And, if it's not a favicon, but a png  
for example, it could be anywhere on the site.


3. URI to a help page where the site explains how it makes uses of  
registerProtocolHandler and gives help and support contacts etc.


How does this help the user?


Say the user sees that things are not working right with the handler. The  
user goes into the options to see what's doing with the handler settings  
and notices the link. The user clicks on it. Then, on the page, it says  
Attention: We've changed some things with what our server accepts from  
our protocol handler. You need to register the handler again by clicking  
here to get the updated version for example. User does and is happy  
again. :)


Now, the user could go hunting through the site to find that page, but the  
link is much more user-friendly.



4. Whether to use POST instead of GET.


That seems dangerous. Following a link should always use GET.


But, I don't think it's necessarily following a link in the normal  
sense. It's launching a trusted web-based application, where POST could be  
used to support longer data.


Sure, it's great to look at the query to see what's being submitted (if  
it's in a format that you know how to decode).


By default though, the handler only works on pages for the site that  
registered the handler, so it'd be like just using a form POST right on  
the site.



[...]

Point being, registerProtocolHandler needs to be more robust. And,  
although this post is long, the requested additions are quite simple to  
specify.


Maybe these things can be supported in registerProtocolHandler v.02  
once sites like the above prove that they are needed.


I don't see why existing sites would not update what they accept to make  
registerProtocolHandler work.


I do. Sites can be a pain. :)

And if user agents want to support sites that do not support  
registerProtocolHandler that is their business I think and not an  
necessarily an issue for the feature.


Sure, but if registerProtocolHandler is robust, users don't have to wait  
around for browsers to do that. registerProtcolHandler would be  
self-sufficient.


I think it's important to have robust tools to allow users to make things  
work when either the site or the browser or both are of no help. But, my  
main point in all this is if the UA has more than just a plain UI, it  
could make use of more info given by registerProtocolHandler to make  
things nicer.


In short though, I think registerProtocolHandler is too simple. Maybe  
that's intentional and browses are encouraged to support some other more  
advanced function like  
window.ff|ie|opera|safari|chrome_advancedRegisterProtocolHandler, but why  
do that when registerProtocolHandler could?


But, understood if you don't share my enthusiasm.

--
Michael

Re: [whatwg] registerProtocolHandler - allow site to specify more info and do custom handling

[Anne van Kesteren]

On Tue, 22 Sep 2009 17:32:59 +0200, Michael A. Puls II  
shadow2...@gmail.com wrote:
On Tue, 22 Sep 2009 09:10:02 -0400, Anne van Kesteren ann...@opera.com  
wrote:

The IRI specification dictates UTF-8 already.


But sites might not follow it.


Then they will need to be updated if they want to work with  
registerProtocolHandler and pretty much any form of requests to their URL  
space they do not control themselves (i.e. is not initiated by following  
some HTML link on their site). Even XMLHttpRequest forces UTF-8.



Is this not already known? Or is there no same-origin restriction on  
these methods?


Do you mean, is the location known like favicon.ico at the root of the  
site? It's not always in that spot. And, if it's not a favicon, but a  
png for example, it could be anywhere on the site.


I have a PNG called favicon.ico on my site, but what I meant is that the  
user has likely visited the site already so a favicon of some sorts will  
be known. Also, this only matters when registering for the handler and  
having icon support there might actually make phishing easier as the user  
would recognize the icon and maybe ignore the text.



3. URI to a help page where the site explains how it makes uses of  
registerProtocolHandler and gives help and support contacts etc.


How does this help the user?


Say the user sees that things are not working right with the handler.  
The user goes into the options to see what's doing with the handler  
settings and notices the link. The user clicks on it. Then, on the page,  
it says Attention: We've changed some things with what our server  
accepts from our protocol handler. You need to register the handler  
again by clicking here to get the updated version for example. User  
does and is happy again. :)


Now, the user could go hunting through the site to find that page, but  
the link is much more user-friendly.


What can possibly go wrong that the site cannot fix with a redirect of  
some sorts?




4. Whether to use POST instead of GET.


That seems dangerous. Following a link should always use GET.


But, I don't think it's necessarily following a link in the normal  
sense. It's launching a trusted web-based application, where POST could  
be used to support longer data.


Sure, it's great to look at the query to see what's being submitted (if  
it's in a format that you know how to decode).


By default though, the handler only works on pages for the site that  
registered the handler, so it'd be like just using a form POST right on  
the site.


I don't quite see how you envision this to work. I suppose at some point  
unknown protocols could be made to work in form. Dunno though.



And if user agents want to support sites that do not support  
registerProtocolHandler that is their business I think and not an  
necessarily an issue for the feature.


Sure, but if registerProtocolHandler is robust, users don't have to wait  
around for browsers to do that. registerProtcolHandler would be  
self-sufficient.


It is robust. Adding lots of complexity is likely to make it less so.


--
Anne van Kesteren
http://annevankesteren.nl/

Re: [whatwg] registerProtocolHandler - allow site to specify more info and do custom handling

[Michael A. Puls II]

On Tue, 22 Sep 2009 11:46:01 -0400, Anne van Kesteren ann...@opera.com  
wrote:


On Tue, 22 Sep 2009 17:32:59 +0200, Michael A. Puls II  
shadow2...@gmail.com wrote:
On Tue, 22 Sep 2009 09:10:02 -0400, Anne van Kesteren  
ann...@opera.com wrote:
Is this not already known? Or is there no same-origin restriction on  
these methods?


Do you mean, is the location known like favicon.ico at the root of the  
site? It's not always in that spot. And, if it's not a favicon, but a  
png for example, it could be anywhere on the site.


I have a PNG called favicon.ico on my site, but what I meant is that the  
user has likely visited the site already so a favicon of some sorts will  
be known.


O.K., I see. Thank for clarifying. In those cases, a favicon will most  
likely be already known.


But, take Opera's webmailproviders.ini for example. You have to manually  
specify the icon location. It's not discovered automatically through other  
means. If the user allowed registerProtocolHandler to add a webmail entry  
to the file, being able to say what icon to load would be great. But, even  
if a favicon (or other type of pic) can be discovered automatically, will  
the browser pick the right one? Maybe there's a specific file that should  
be used.


Now, if every UA's protocol configuration is going to be plain jane  
text-only, then an icon for example isn't an issue.


--
Michael

[whatwg] registerProtocolHandler - allow site to specify more info and do custom handling

[Michael A. Puls II]

Currently, registerProtcolHandler works like this:

navigator.registerProtocolHandler(protocol,  
http://example.org/?uri=%s;, title);


However, this doesn't allow the site to specify some useful and important  
information about the site like:


1. What encoding the server expects. For example, uri= might expect the  
protocol link that was invoked in the browser to be interpreted as koi8-r  
instead of utf-8. This might be the case even if the page that uses  
registerProtocolHandler uses Windows-1251 for example.


2. The location of an icon like a favicon.ico file or png etc.

3. URI to a help page where the site explains how it makes uses of  
registerProtocolHandler and gives help and support contacts etc.


4. Whether to use POST instead of GET.

For #1, if the UA knows this, it can automatically make sure the data goes  
out to the server in the right encoding.


For #2, if the UA knows this, it can automatically provide the desired  
icon in its UI next to each entry in its protocol configuration dialog,  
for example.


For #3, if the UA knows this, it can automatically provide a site support  
link in its configuration dialog.


For #4, if the site would rather (or can only) accept POST data (to  
support longer data for example), then the UA can automatically oblige.


With that said, it'd be great if registerProtocolHandler supported a 4th  
argument that was an object of informative things.


For example, here are some things that could be supported:

var info = {
accept-charset : koi8-r,
icon : http://example.org/some_dir/favicon.ico;,
help : http://example.org/support/protocol_handling.html;,
requestMethod : POST
};

navigator.registerProtocolHandler(protocol,  
http://example.org/?uri=%s;, title, info);


Or, if you'd rather not use an object and just have more arguments:

navigator.registerProtocolHandler(
protocol,
http://example.org/?uri=%s;,
title,
koi8-r,
http://example.org/some_dir/favicon.ico;,
http://example.org/support/protocol_handling.html;,
post
);

Now, if you noticed, I used automatically above. This is because I think  
it would not be ideal to have a site register itself to handle a protocol  
only to have it not work by default and have the user find some page on  
the site that tells them how to manually configure options in each browser  
just to get things working.


To give an example, Opera supports registering certain webmails with  
mailto. You currently have to edit an ini file to add more than the  
default and Opera doesn't support registerProtocolHandler yet, but what  
Opera does support is specifying an icon URI that gets used in the UI.


Opera also only supports GET at the moment and only supports emitting  
utf-8, but there are a few sites where POST and a different output  
encoding are desired by the webmail. For example, mail.ru would rather  
have POST being used and they only accepted koi8-r (and Windows-1251 as an  
option) up until recently.


With that said, if Opera supported registerProtocolHandler to add a  
protocol handler (mailto for example), having the site be able to specify  
an icon could be usable by Opera and other UAs.


If Opera ever supports using POST or emitting a different encoding, having  
the site say so would help so the user doesn't have to manually find out  
and configure all this stuff.


Now, Firefox supports registerProtocolHandler for adding handlers now.  
But, you can't configure post/get or icons etc. either. But, if you could,  
it'd be great to have the site say what to use. (You also have to use an  
about:config override to make handler work on any domain)


Finally, it's unfortunate that registerProtocolHandler can't optionally  
support a custom format string for the second argument and a format  
argument that's a function that gets the URI the user clicked on passed to  
it. It's also unfortunate that it's so domain restricted. That's a good  
default, but you can see that Firefox has an override for a reason.


For example, all of these webmails don't support what  
registerProtocolHandler emits. They only support individual values, which  
are different for each webmail.


http://mymail.operamail.com/scripts/mail/Outblaze.mail?compose=1did=1a=1to=subject=body=cc=bcc=;
http://mail.live.com/mail/EditMessageLight.aspx?n=to=cc=bcc=subject=body=;
http://compose.mail.yahoo.com/?To=Subj=Cc=Bcc=Body=;
http://your_squirrelmail_server.com/src/compose.php?send_to=subject=body=send_to_cc=send_to_bcc=;
http://your_horde_server.com/horde/imp/compose.php?popup=0to=cc=msg=subject=bcc=;
http://mail01.mail.com/scripts/mail/Outblaze.mail?composeto=subject=body=cc=bcc=compose=1;
http://win.mail.ru/cgi-bin/sentmsg?To=CC=BCC=Subject=BodyUTF8=accel=1;
http://your_roundcubemail_server/?_task=mail_action=compose_to=_subject=_body=_cc=_bcc=;

In these cases, the URI format string in registerProtocolHandler would  
need a %key for to, subject, body, cc and bcc. The site could use %t, %j,