(un)registerProtocolHandler and localhost URLs #5787
Comments
Thank you, it seems like we should be using "Is url potentially trustworthy?" instead here. (I wonder if we should rename that to "secure URL" both for brevity and for consistency with secure contexts.)

I think it would be good to have Microsoft / Google's opinion on this. @annevk what is Mozilla's plan for this issue?

I assumed that neither Firefox nor Chrome would want to change this and that therefore it's a specification bug. Unless there's a compelling reason for following the current specification?

For Chromium, the consensus on https://bugs.chromium.org/p/chromium/issues/detail?id=1112268 seems to be that it should be "is url potentially trustworthy" (whatever that means).

To be perfectly clear, that's okay with Firefox. |
So I just checked what that means according to the latest Secure Contexts draft: To summarize:
Additionally, there is a note saying that blob: and filesystem: created in a trustworthy origin will also be potentially trustworthy. I think this is mostly ok, but allowing "data:" and "blob:" looks suspicious to me. At least Chrome has protocol handler unit tests to check they are not supported. I'm not really sure what "filesystem:" is, but given it is non-standard and trustworthy depending on context, I guess it should not be included in the list of registrable URLs. I haven't done any experiment though; it's possible that these URLs would be discarded by other security checks anyway.
cc @mikewest @annevk @ericlaw1979
From https://html.spec.whatwg.org/multipage/system-state.html#normalize-protocol-handler-parameters:
'If the resulting URL record's scheme is not "https" or the resulting URL record's origin is not same origin with environment's origin, then throw a "SecurityError" DOMException.'
It seems this forbids localhost URLs like http://127.0.0.1 that are in a secure context though. Firefox and Chrome allow registering URLs from these localhost domains.
Original context: https://bugs.chromium.org/p/chromium/issues/detail?id=1112268
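
The two checks discussed in this thread, side by side, as an added example that is not part of the original issue, the HTML Standard, or any browser's code. The function names are hypothetical, the trustworthiness test is a simplification of the Secure Contexts draft (blob: and filesystem: are left out), and the same-origin step is assumed to stay unchanged.

```javascript
// Added illustration; helper names are hypothetical and the algorithm is a
// simplified reading of "Is url potentially trustworthy?" (no blob:/filesystem:).
function isLoopbackHost(hostname) {
  const h = hostname.toLowerCase();
  return h === "localhost" || h.endsWith(".localhost") ||
         h === "[::1]" || /^127(\.\d{1,3}){3}$/.test(h); // 127.0.0.0/8
}

function isPotentiallyTrustworthy(url) {
  if (url.href === "about:blank" || url.href === "about:srcdoc") return true;
  if (url.protocol === "data:") return true;            // trustworthy as a URL
  if (url.protocol === "file:") return true;
  if (url.origin === "null") return false;              // opaque origin
  if (url.protocol === "https:" || url.protocol === "wss:") return true;
  return isLoopbackHost(url.hostname);
}

// An opaque origin is serialized as "null" and never matches the environment here.
function sameOrigin(url, envOrigin) {
  return url.origin !== "null" && url.origin === envOrigin;
}

// Check as quoted from the specification: scheme must be "https" and same origin.
function currentSpecAllows(handlerUrl, envOrigin) {
  const url = new URL(handlerUrl);
  return url.protocol === "https:" && sameOrigin(url, envOrigin);
}

// Check proposed in the thread: potentially trustworthy URL and same origin.
function proposedAllows(handlerUrl, envOrigin) {
  const url = new URL(handlerUrl);
  return isPotentiallyTrustworthy(url) && sameOrigin(url, envOrigin);
}

// Constructed sample registrations: [handler URL, origin of the registering page].
const samples = [
  ["https://example.com/handle?u=%s", "https://example.com"],
  ["http://127.0.0.1:8000/handle?u=%s", "http://127.0.0.1:8000"],
  ["http://[::1]:3000/handle?u=%s", "http://[::1]:3000"],
  ["http://example.com/handle?u=%s", "http://example.com"],
  ["data:text/html,%s", "https://example.com"],
];
for (const [handler, env] of samples) {
  console.log(handler, "current:", currentSpecAllows(handler, env),
              "proposed:", proposedAllows(handler, env));
}
```

In this sketch the data: URL passes the trustworthiness test but is still rejected by the same-origin step, because its origin is opaque.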