I am the assigned Gen-ART reviewer for this draft. For background on Gen-ART, please see the FAQ at <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

Please resolve these comments along with any other Last Call comments you may receive.

Document: draft-ietf-appsawg-about-uri-scheme-05
Reviewer: Richard Barnes
Review Date: Jun-04-2012
IETF LC End Date: Not known
IESG Telechat date: Jun-07-2012

Summary: Almost ready, a couple of questions

MAJOR:

*. I wonder how useful this document is, given that the use of "about:" URIs is currently very inconsistent across browsers. (See, for example, <http://en.wikipedia.org/wiki/About_URI_scheme>.) Some browsers also use alternative URI schemes for essentially the same function ("opera:", "chrome:"). Has there been input from the browser vendor community on this document?

4. The document correctly notes that "about:" URIs sometimes point to sensitive data, and that browsers need to protect them. However, the document fails to specify what the threats are and how to mitigate them. It seems to me that the major risk is cross-site scripting, in the sense that a remote web page might include an "about:" URI (e.g., via an XMLHttpRequest) in order to access sensitive data. At a high level, then, the mitigation would be to ensure that such URIs are accessible only as a result of direct user action (e.g., typing in a URI) or trusted browser code (e.g., extensions).