Skip to content

Commit

Permalink
Add FTP related protocols to the registerProtocolHandler safelist.
Browse files Browse the repository at this point in the history
  • Loading branch information
asankah committed Feb 7, 2022
1 parent 465a6b6 commit 18694ba
Showing 1 changed file with 17 additions and 8 deletions.
25 changes: 17 additions & 8 deletions source
Original file line number Diff line number Diff line change
Expand Up @@ -2363,6 +2363,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
</li>
<li><dfn data-x-href="https://url.spec.whatwg.org/#valid-url-string">valid URL string</dfn></li>
<li>The <dfn data-x-href="https://url.spec.whatwg.org/#cannot-have-a-username-password-port">cannot have a username/password/port</dfn> concept</li>
<li>The <dfn data-x="concept-url-includes-credentials" data-x-href="https://url.spec.whatwg.org/#include-credentials">includes credentials</dfn> concept</li>
<li>The <dfn data-x-href="https://url.spec.whatwg.org/#url-opaque-path">opaque path</dfn> concept</li>
<li><dfn data-x="concept-url-serializer" data-x-href="https://url.spec.whatwg.org/#concept-url-serializer">URL serializer</dfn> and its
<dfn data-x="url serializer exclude fragment" data-x-href="https://url.spec.whatwg.org/#url-serializer-exclude-fragment">exclude fragment</dfn> argument</li>
Expand Down Expand Up @@ -98314,6 +98315,19 @@ interface <dfn interface>Navigator</dfn> {
<li><p>Assert: <var>inputURL</var>'s <span data-x="concept-url-scheme">scheme</span> is
<var>normalizedScheme</var>.</p></li>

<li>
<p>If <var>inputURL</var> <span data-x="concept-url-includes-credentials">includes
credentials</span> then:</p>

<ol>
<li><p><span data-x="set the username">Set the username</span> given <var>inputURL</var> and the
empty string.</p></li>

<li><p><span data-x="set the password">Set the password</span> given <var>inputURL</var> and
the empty string.</p></li>
</ol>
</li>

<li><p>Let <var>inputURLString</var> be the <span
data-x="concept-url-serializer">serialization</span> of <var>inputURL</var>.</p></li>

Expand Down Expand Up @@ -98395,6 +98409,8 @@ interface <dfn interface>Navigator</dfn> {

<ul class="brief">
<li><code data-x="">bitcoin</code></li> <!-- https://en.bitcoin.it/wiki/BIP_0021 -->
<li><code data-x="">ftp</code></li>
<li><code data-x="">ftps</code></li>
<li><code data-x="">geo</code></li>
<li><code data-x="">im</code></li>
<li><code data-x="">irc</code></li>
Expand All @@ -98406,6 +98422,7 @@ interface <dfn interface>Navigator</dfn> {
<li><code data-x="">news</code></li>
<li><code data-x="">nntp</code></li>
<li><code data-x="">openpgp4fpr</code></li>
<li><code data-x="">sftp</code></li>
<li><code data-x="">sip</code></li>
<li><code data-x="">sms</code></li>
<li><code data-x="">smsto</code></li>
Expand Down Expand Up @@ -98495,14 +98512,6 @@ interface <dfn interface>Navigator</dfn> {
allowing administrators to disable custom handlers on certain subdomains, content types, or
schemes.</p>

<p><strong>Leaking credentials.</strong> User agents must never send username or password
information in the URLs that are escaped and included sent to the handler sites. User agents may
even avoid attempting to pass to web-based handlers the URLs of resources that are known to
require authentication to access, as such sites would be unable to access the resources in
question without prompting the user for credentials themselves (a practice that would require the
user to know whether to trust the third-party handler, a decision many users are unable to make or
even understand).</p>

<p><strong>Interface interference.</strong> User agents should be prepared to handle intentionally
long arguments to the methods. For example, if the user interface exposed consists of an "accept"
button and a "deny" button, with the "accept" binding containing the name of the handler, it's
Expand Down

0 comments on commit 18694ba

Please sign in to comment.