HTML5 and URI scheme *name* prefixes


HTML5 and URI scheme *name* prefixes

Julian Reschke
Hi there,

ref: <https://www.w3.org/html/wg/tracker/issues/189>

HTML5 introduces a naming convention for URI scheme *names*; see
<http://dev.w3.org/html5/spec/Overview.html#web-scheme-prefix>:

> 12.6 web+ scheme prefix
>
> This section describes a convention for use with the IANA URI scheme registry. It does not itself register a specific scheme. [RFC4395]
>
> URI scheme name
>     Schemes starting with the four characters "web+" followed by one or more letters in the range a-z.
> Status
>     permanent
> URI scheme syntax
>     Scheme-specific.
> URI scheme semantics
>     Scheme-specific.
> Encoding considerations
>     All "web+" schemes should use UTF-8 encodings where relevant.
> Applications/protocols that use this URI scheme name
>     Scheme-specific.
> Interoperability considerations
>     The scheme is expected to be used in the context of Web applications.
> Security considerations
>     Any Web page is able to register a handler for all "web+" schemes. As such, these schemes must not be used for features intended to be core platform features (e.g. network transfer protocols like HTTP or FTP). Similarly, such schemes must not store confidential information in their URLs, such as usernames, passwords, personal information, or confidential project names.
> Contact
>     Ian Hickson <[hidden email]>
> Author/Change controller
>     Ian Hickson <[hidden email]>
> References
>     W3C

I'm in the process of writing a Change Proposal asking for a removal of
this feature. In the meantime, it would be useful if the WG came up with
"official" feedback on overloading the scheme name.

Best regards, Julian
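
The naming rule and the security considerations quoted above from the HTML5 draft can be checked mechanically. The following is an added example, not part of the original message or of the spec; `lintWebPlusUrl`, the sample URLs and the list of sensitive parameter names are assumptions made for illustration.

```javascript
// Added example: lint a URL against the "web+" rules quoted from the HTML5 draft.
// Naming rule from the quoted section: "web+" followed by one or more letters a-z.
const WEB_SCHEME = /^web\+[a-z]+$/;

// Assumption: query parameter names treated as confidential; adjust per application.
const SENSITIVE_KEYS = new Set(["user", "username", "password", "passwd", "token", "secret"]);

function lintWebPlusUrl(input) {
  const colon = input.indexOf(":");
  if (colon < 1) return ["no scheme found"];
  const findings = [];
  // URI scheme names are case-insensitive (RFC 3986), so normalise before matching.
  const scheme = input.slice(0, colon).toLowerCase();
  if (!WEB_SCHEME.test(scheme)) {
    findings.push(`scheme "${scheme}" does not match web+[a-z]+`);
  }
  // Drop the fragment so a "?" inside it is not mistaken for a query.
  const noFrag = input.slice(colon + 1).split("#")[0];
  // The draft forbids usernames and passwords in these URLs: check userinfo.
  const authority = /^\/\/([^\/?]*)/.exec(noFrag);
  if (authority && authority[1].includes("@")) {
    findings.push("userinfo present in authority");
  }
  // Also check for confidential-looking query parameters.
  const q = noFrag.indexOf("?");
  if (q !== -1) {
    for (const [key] of new URLSearchParams(noFrag.slice(q + 1))) {
      if (SENSITIVE_KEYS.has(key.toLowerCase())) {
        findings.push(`query parameter "${key}" looks confidential`);
      }
    }
  }
  return findings;
}

// Constructed sample inputs (not taken from the thread's test cases).
const SAMPLES = [
  "web+tweet:hello",
  "web+mail://alice:hunter2@example.test/inbox",
  "web+like:item?token=abc#frag",
  "web+x1:foo",
];
for (const url of SAMPLES) {
  console.log(url, "->", JSON.stringify(lintWebPlusUrl(url)));
}
```

Because any page can register a handler for a "web+" scheme, whatever such a URL carries should be assumed readable by an arbitrary handler page; a lint like this belongs on the side that generates the links.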


Re: HTML5 and URI scheme *name* prefixes

Mykyta Yevstifeyev
My personal opinion:

Neither RFC 4395 nor 4395bis provides a possibility to perform such
sorts of registrations.  This is not a URI scheme but a prefix thereof
- theoretically, if this is registered, de facto an infinite range of
scheme names is registered; this is really not what the authors of RFC
4395 wanted their document to serve for -, and additionally I can
hardly find what schemes starting with "web+" should stand for save
"The scheme is expected to be used in the context of Web
applications."; furthermore, it is impossible to understand how
Web pages should register such scheme names (this is in Sec.
considerations).

I support Julian's position on this.

Mykyta Yevstifeyev

2012/1/14 Julian Reschke <[hidden email]>:

> Hi there,
>
> ref: <https://www.w3.org/html/wg/tracker/issues/189>
>
> HTML5 introduces a naming convention for URI scheme *names*; see
> <http://dev.w3.org/html5/spec/Overview.html#web-scheme-prefix>:
>
>> 12.6 web+ scheme prefix
>>
>> This section describes a convention for use with the IANA URI scheme
>> registry. It does not itself register a specific scheme. [RFC4395]
>>
>> URI scheme name
>>    Schemes starting with the four characters "web+" followed by one or
>> more letters in the range a-z.
>> Status
>>    permanent
>> URI scheme syntax
>>    Scheme-specific.
>> URI scheme semantics
>>    Scheme-specific.
>> Encoding considerations
>>    All "web+" schemes should use UTF-8 encodings where relevant.
>> Applications/protocols that use this URI scheme name
>>    Scheme-specific.
>> Interoperability considerations
>>    The scheme is expected to be used in the context of Web applications.
>> Security considerations
>>    Any Web page is able to register a handler for all "web+" schemes. As
>> such, these schemes must not be used for features intended to be core
>> platform features (e.g. network transfer protocols like HTTP or FTP).
>> Similarly, such schemes must not store confidential information in their
>> URLs, such as usernames, passwords, personal information, or confidential
>> project names.
>> Contact
>>    Ian Hickson <[hidden email]>
>> Author/Change controller
>>    Ian Hickson <[hidden email]>
>> References
>>    W3C
>
>
> I'm in the process of writing a Change Proposal asking for a removal of this
> feature. In the meantime, it would be useful if the WG came up with
> "official" feedback on overloading the scheme name.
>
> Best regards, Julian
>


Re: HTML5 and URI scheme *name* prefixes

Chris Weber-4
In reply to this post by Julian Reschke
On 1/14/2012 5:16 AM, Julian Reschke wrote:
> I'm in the process of writing a Change Proposal asking for a removal
> of this feature. In the meantime, it would be useful if the WG came up
> with "official" feedback on overloading the scheme name.
>
<hat type="individual" />

Is this the first example of a scheme prefix like "web+" overloading the
scheme name?  I'm not clear on the history, use cases, and the impetus
behind "web+".  Generally speaking, it seems that a great deal of care
has been put into the registration process for scheme names, and that
the "web+" prefix sidesteps all of that, albeit limited to the prefix.

Surely there's good reason for due diligence in the scheme registration
process, right?  And speaking as someone who does a lot of Web
application penetration testing, one of my first thoughts when I saw
this, with eyebrows raised really high, was 'let the fun begin'...

Best regards,
Chris Weber


Re: HTML5 and URI scheme *name* prefixes

Julian Reschke
On 2012-01-16 07:55, Chris Weber wrote:
> On 1/14/2012 5:16 AM, Julian Reschke wrote:
>> I'm in the process of writing a Change Proposal asking for a removal
>> of this feature. In the meantime, it would be useful if the WG came up
>> with "official" feedback on overloading the scheme name.
>>
> <hat type="individual" />
>
> Is this the first example of a scheme prefix like "web+" overloading the
> scheme name?  I'm not clear on the history, use cases, and the impetus

I think so, unless you count the "s" *post*fix (but that's more like a
convention).

That being said, similar problems were introduced by XHR for HTTP header
fields ("Sec-" prefix). See
<http://www.mnot.net/blog/2011/08/24/distributed_hungarian_notation_doesnt_work>.

> ...

Best regards, Julian


Re: HTML5 and URI scheme *name* prefixes

Martin J. Dürst
In reply to this post by Chris Weber-4


On 2012/01/16 15:55, Chris Weber wrote:
> On 1/14/2012 5:16 AM, Julian Reschke wrote:
>> I'm in the process of writing a Change Proposal asking for a removal
>> of this feature. In the meantime, it would be useful if the WG came up
>> with "official" feedback on overloading the scheme name.
>>
> <hat type="individual" />
>
> Is this the first example of a scheme prefix like "web+" overloading the
> scheme name?

See Julian's reply.

> I'm not clear on the history, use cases, and the impetus
> behind "web+".

Have a look at the [hidden email] mailing list (archives at
http://lists.w3.org/Archives/Public/www-tag/), in particular at the
thread starting at
http://lists.w3.org/Archives/Public/www-tag/2012Jan/thread.html#msg28.

> Generally speaking, it seems that a great deal of care
> has been put into the registration process for scheme names, and that
> the "web+" prefix sidesteps all of that, albeit limited to the prefix.

I don't think there is any intention to sidestep the registration
process. Future schemes, whether with or without the web+ prefix, would
still go through the same registration process.


> Surely there's good reason for due diligence in the scheme registration
> process, right?  And speaking as someone who does a lot of Web
> application penetration testing, one of my first thoughts when I saw
> this, with eyebrows raised really high, was 'let the fun begin'...

Can you be a bit more specific about the dangers you see?

Regards,    Martin.


Re: HTML5 and URI scheme *name* prefixes

Chris Weber-4
On 1/20/2012 2:52 AM, "Martin J. Dürst" wrote:
> Have a look at the [hidden email] mailing list (archives at http://lists.w3.org/Archives/Public/www-tag/), in particular at the thread starting at http://lists.w3.org/Archives/Public/www-tag/2012Jan/thread.html#msg28.

<hat type="individual" />

Hi Martin, that was helpful, thanks.

> I don't think there is any intention to sidestep the registration process. Future schemes, whether with or without the web+ prefix, would still go through the same registration process.

I don't follow.  The idea of web+ seems to be that it allows for an infinite number of ad hoc scheme registrations - e.g. web+tweet, web+like, web+mail.  Are you saying those each need to go through the registration process?

> Can you be a bit more specific about the dangers you see?

From a penetration testing perspective, it's a new attack vector that could be abused or misused.  A good bit of the threats have been listed at http://dev.w3.org/html5/spec/Overview.html#security-and-privacy.  I can see others relating to cross-origin issues and User Interface confusion.  For Web-apps, there's potential for data exfiltration depending on the use case and implementation details, so, it's not so much a fault of the new prefix as much as how it might be naively used.  I made some test cases that are available online at http://www.lookout.net/test/handler/ and posted my results across 20 different areas to http://web.lookout.net/2012/01/testing-registerprotocolhandler-and-web.html.

Best regards,
Chris Weber