(un)registerProtocolHandler and localhost URLs #5787

Open
fred-wang opened this issue Aug 5, 2020 · 6 comments

fred-wang commented Aug 5, 2020

cc @mikewest @annevk @ericlaw1979

From https://html.spec.whatwg.org/multipage/system-state.html#normalize-protocol-handler-parameters:

'If the resulting URL record's scheme is not "https" or the resulting URL record's origin is not same origin with environment's origin, then throw a "SecurityError" DOMException.'

It seems this forbids localhost URLs like http://127.0.0.1 that are in a secure context though. Firefox and Chrome allow registering URLs from these localhost domains.

Original context: https://bugs.chromium.org/p/chromium/issues/detail?id=1112268

annevk (Member) commented Aug 5, 2020

Thank you, it seems like we should be using "Is url potentially trustworthy?" instead here. (I wonder if we should rename that to "secure URL" both for brevity and for consistency with secure contexts.)

fred-wang (Author) commented Aug 19, 2020

I think it would be good to have Microsoft / Google's opinion on this.

@annevk what is Mozilla's plan for this issue?

annevk (Member) commented Aug 19, 2020

I assumed that neither Firefox nor Chrome would want to change this and that therefore it's a specification bug. Unless there's a compelling reason for following the current specification?

fred-wang (Author) commented Aug 19, 2020

For Chromium, the consensus on https://bugs.chromium.org/p/chromium/issues/detail?id=1112268 seems to be that it should be "is url potentially trustworthy" (whatever that means).

annevk (Member) commented Aug 19, 2020

To be perfectly clear, that's okay with Firefox.

fred-wang (Author) commented Aug 20, 2020

> (whatever that means)

So I just checked what that means according to the latest Secure Contexts draft:
https://w3c.github.io/webappsec-secure-contexts/#is-url-trustworthy
https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy

To summarize:

  • about:blank or about:srcdoc
  • data:
  • https: or wss:
  • 127.0.0.0/8, ::1/128
  • localhost, .localhost
  • file:
  • packaged applications schemes (e.g. app: or chrome-extension:)
  • any development environment override

Additionally, there is a note saying that blob: and filesystem: URLs created in a trustworthy origin will also be potentially trustworthy.

I think this is mostly ok, but allowing "data:" and "blob:" looks suspicious to me. At least Chrome has protocol handler unit tests to check they are not supported. I'm not really sure what "filesystem:" is but given it is non-standard and trustworthy depending on context, I guess it should not be included in the list of registrable URLs.

I haven't done any experiments though; it's possible that these URLs would be discarded by other security checks anyway.
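
The two rules compared in this thread, as an added example that is not part of any comment above and is not spec or browser code: a simplified model of the quoted spec text (https plus same origin) next to the proposed "potentially trustworthy" check, covering only the bulleted cases. Function names and sample URLs are constructed; in this model a data: URL passes the trustworthiness check but is still rejected by the same-origin condition, because its origin is opaque.

```javascript
// Added example: simplified model of the checks discussed in this thread.
// Function names are hypothetical; this is not spec or browser code.

// Approximates "Is url potentially trustworthy?" for the bulleted cases only
// (no packaged-app schemes, no development overrides, no blob:/filesystem:).
function isPotentiallyTrustworthy(url) {
  const u = new URL(url);
  if (u.href === "about:blank" || u.href === "about:srcdoc") return true;
  if (["data:", "https:", "wss:", "file:"].includes(u.protocol)) return true;
  const host = u.hostname;
  if (/^127\.\d+\.\d+\.\d+$/.test(host) || host === "[::1]") return true; // loopback
  return host === "localhost" || host.endsWith(".localhost");
}

// Same-origin test on serialized origins; an opaque origin ("null") never matches.
function sameOrigin(url, pageOrigin) {
  const origin = new URL(url).origin;
  return origin !== "null" && origin === pageOrigin;
}

// Rule as quoted from the HTML spec in the first comment: https + same origin.
function allowedBySpecText(handlerUrl, pageOrigin) {
  return new URL(handlerUrl).protocol === "https:" && sameOrigin(handlerUrl, pageOrigin);
}

// Rule proposed in the thread: potentially trustworthy + same origin.
function allowedByProposal(handlerUrl, pageOrigin) {
  return isPotentiallyTrustworthy(handlerUrl) && sameOrigin(handlerUrl, pageOrigin);
}

// Constructed sample inputs: [handler URL, origin of the registering page].
const cases = [
  ["https://example.com/handle?u=%s", "https://example.com"],
  ["http://127.0.0.1:8080/handle?u=%s", "http://127.0.0.1:8080"],
  ["http://example.com/handle?u=%s", "http://example.com"],
  ["data:text/html,%s", "https://example.com"],
];
for (const [url, origin] of cases) {
  console.log(url, {
    trustworthy: isPotentiallyTrustworthy(url),
    specText: allowedBySpecText(url, origin),
    proposal: allowedByProposal(url, origin),
  });
}
```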
