Hi Richard,
Thanks for the review. This is an individual comment.
At 05:33 04-06-2012, Richard L. Barnes wrote:
I wonder how useful this document is, given that the use of "about:"
URIs is currently very inconsistent across browsers. (See, for
example, <http://en.wikipedia.org/wiki/About_URI_scheme>) Some
browsers also use alternative URI schemes for essentially the same
function ("opera:", "chrome:"). Has there been input from the
browser vendor community on this document?
One of the editors of draft-ietf-appsawg-about-uri-scheme-04
affiliated with Opera Software ASA provided input about the draft.
The Wikipedia article mentions that it needs additional citations for
verification. Although the "about" URI scheme is well-known, it has
never been registered. The document describes the URI scheme and
registers it in the "URI Schemes". The document does not seek to
impose any requirement. It leaves it to browser vendors to decide
what to do.
4.
The document correctly notes that "about:" URIs sometimes point to
sensitive data, and that browsers need to protect them. However,
the document fails to specify what the threats are and how to
mitigate them. It seems to me that the major risk is cross-site
scripting, in the sense that a remote web page might include an
"about:" URI (e.g., via an XMLHttpRequest) in order to access
sensitive data. At a high level, then, the mitigation would be to
ensure that such URIs are accessible only as a result of direct user
action (e.g., typing in a URI) or trusted browser code (e.g., extensions).
Section 4 of draft-ietf-appsawg-about-uri-scheme-06 mentions that
"about" URIs may be used to reference, for example, user passwords
stored in a cache. The document does not register such a token
though. It leaves it to person with expertise to write the
specification about that token to consider the security
implications. Adding text to discuss about cross-site scripting
might be misconstrued as a recommendation.
Regards,
S. Moonesamy