Re: Last Call: <draft-holsten-about-uri-scheme-06.txt> (The 'about' URI scheme) to Proposed Standard

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 6/17/11 12:03 AM, Mykyta Yevstifeyev wrote:
not
clearly compatible with the web security model,
How?

"about:blank" in particular is magic with respect to security on the web in various ways (e.g. it can end up same-origin with http:// pages). So I think we do need to specify exactly when this magic security behavior takes place.

The question is what existing UAs do and what assumptions web authors make, as well as what assumptions should be safe for them to make.

Note that "not clearly compatible" doesn't mean "not compatible"; it just means it needs sorting out.

Note that this is also an exception to the general claim that about: is only used internally. That's not the case for about:blank.

So I think we do need a Standards Track document that pins down how about:blank works; I will be happy to make whatever changes are needed to Gecko here to achieve interop assuming that the result has been vetted in terms of the security implications.

For other about: URIs, I don't know whether Standards Track necessarily make sense.

and because the
normalization is not defined in the spec.
Normalization is defined in RFC 3986.

Browsers don't actually implement RFC 3986 in practice because it's not compatible with web content, last I checked.... Pretending like they do doesn't seem to be productive.

Or is the point that the algorithms to be used are just the ones defined in 3986 and those are sufficiently ok that browsers do actually use them? That wasn't clear to me from the current draft.

-Boris
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf


[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]