Add FTP-related protocols to the registerProtocolHandler safelist
Closes #6583.

This also adds normative steps to strip out the username and password components of the URL before passing it to the handler.
asankah authored Feb 14, 2022
1 parent 0898ef9 commit 5b01d31
Showing 1 changed file with 10 additions and 8 deletions.
18 changes: 10 additions & 8 deletions source
Expand Up @@ -98451,6 +98451,12 @@ interface <dfn interface>Navigator</dfn> {
<li><p>Assert: <var>inputURL</var>'s <span data-x="concept-url-scheme">scheme</span> is
<var>normalizedScheme</var>.</p></li>

<li><p><span data-x="set the username">Set the username</span> given <var>inputURL</var> and
the empty string.</p></li>

<li><p><span data-x="set the password">Set the password</span> given <var>inputURL</var> and
the empty string.</p></li>

<li><p>Let <var>inputURLString</var> be the <span
data-x="concept-url-serializer">serialization</span> of <var>inputURL</var>.</p></li>
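Review bot: The two new steps that set the username and password to the empty string carry no note saying why they are there, and this same commit deletes the "Leaking credentials" paragraph that used to give the rationale. Consider adding a short non-normative note next to these steps stating that credentials are removed so they are never included in the URL passed to the handler site. The placement itself looks right: both steps run before <var>inputURLString</var> is serialized, so the serialized string cannot contain userinfo.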

Expand Down Expand Up @@ -98532,6 +98538,8 @@ interface <dfn interface>Navigator</dfn> {

<ul class="brief">
<li><code data-x="">bitcoin</code></li> <!-- https://en.bitcoin.it/wiki/BIP_0021 -->
<li><code data-x="">ftp</code></li>
<li><code data-x="">ftps</code></li>
<li><code data-x="">geo</code></li>
<li><code data-x="">im</code></li>
<li><code data-x="">irc</code></li>
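Review bot: The new ftp and ftps entries have no reference comment, unlike the bitcoin entry directly above them, which links to its defining document. Adding a trailing comment that points at the scheme definition for each would let a later reader check why the scheme is on the safelist. Alphabetical order is preserved.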
Expand All @@ -98543,6 +98551,7 @@ interface <dfn interface>Navigator</dfn> {
<li><code data-x="">news</code></li>
<li><code data-x="">nntp</code></li>
<li><code data-x="">openpgp4fpr</code></li>
<li><code data-x="">sftp</code></li>
<li><code data-x="">sip</code></li>
<li><code data-x="">sms</code></li>
<li><code data-x="">smsto</code></li>
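Review bot: The sftp entry is added without a reference comment, and the commit title groups it under "FTP-related protocols" even though SFTP runs over SSH rather than FTP. A trailing comment naming the scheme's defining document would make that clear to readers of the list. The position between openpgp4fpr and sip keeps the list sorted.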
Expand Down Expand Up @@ -98632,14 +98641,6 @@ interface <dfn interface>Navigator</dfn> {
allowing administrators to disable custom handlers on certain subdomains, content types, or
schemes.</p>

<p><strong>Leaking credentials.</strong> User agents must never send username or password
information in the URLs that are escaped and included sent to the handler sites. User agents may
even avoid attempting to pass to web-based handlers the URLs of resources that are known to
require authentication to access, as such sites would be unable to access the resources in
question without prompting the user for credentials themselves (a practice that would require the
user to know whether to trust the third-party handler, a decision many users are unable to make or
even understand).</p>

<p><strong>Interface interference.</strong> User agents should be prepared to handle intentionally
long arguments to the methods. For example, if the user interface exposed consists of an "accept"
button and a "deny" button, with the "accept" binding containing the name of the handler, it's
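Review bot: Deleting the whole "Leaking credentials" paragraph removes more than the requirement that the new normative steps replace. The stripped steps cover only the username and password in the URL; the removed text also said user agents "may even avoid attempting to pass to web-based handlers the URLs of resources that are known to require authentication", along with the reasoning about users having to trust a third-party handler with credentials. If that guidance is still wanted, keep a trimmed paragraph here that refers to the new steps for the stripping requirement; if it is being dropped on purpose, say so in the commit message.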
Expand Down Expand Up @@ -127667,6 +127668,7 @@ INSERT INTERFACES HERE
Arthur Stolyar,
Arun Patole,
Aryeh Gregor,
Asanka Herath,
Asbj&oslash;rn Ulsberg,
Ashley Gullen,
Ashley Sheridan,