On 2011-04-19 19:33, Ian Hickson wrote:
On Tue, 12 Apr 2011, Lachlan Hunt wrote:
We are investigating registerProtocolHandler and have been discussing
the need for a blacklist of protocols to forbid.
[...]
We'd like to know if we've missed any important schemes that must be
blocked, and we think it might be useful if the spec listed most of
those, except for the vendor specific schemes, which should probably be
left up to each vendor to worry about.
I haven't updated the spec yet, but it strikes me that maybe what we
should do instead is have a whitelist of protocols we definitely want to
allow (e.g. mailto:), and define a common prefix for protocols that are
used with this feature, in a similar way to how with XHR we've added Sec-*
as a list of headers _not_ to support.
Other protocols we should probably also whitelist:
irc, sms, smsto, tel.
I'm also curious how we could handle ISBN URNs, like:
urn:isbn:0-395-36341-1
That would be useful to have a web service that could look up the ISBN
and direct users to information about the book, or to an online store.
As currently specified, services have to register a handler for "urn",
even if they only handle ISBN URNs. The other alternative would be to
mint a new web+isbn scheme, which seems suboptimal.
So e.g. we could whitelist any protocol starting with "web+" and then
register that as a common extension point for people inventing protocols
for use with this feature, so that people writing OS-native apps would
know that if they used a protocol with that prefix it's something that any
web site could try to take over.
That seems reasonable.
--
Lachlan Hunt - Opera Software
http://lachy.id.au/
http://www.opera.com/
