-
Notifications
You must be signed in to change notification settings - Fork 2.7k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Adjust web+ scheme security considerations to account for FTP removal
Also, network scheme is now reduced to HTTP(S) scheme. Helps with #5375, but form submission issue remains. See whatwg/fetch#1166 for context.
- Loading branch information
Showing
1 changed file
with
4 additions
and
8 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2495,7 +2495,6 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute | |
| <li><dfn><code>about:blank</code></dfn></li> | ||
| <li>An <dfn data-x-href="https://fetch.spec.whatwg.org/#http-scheme">HTTP(S) scheme</dfn></li> | ||
| <li>A <dfn data-x-href="https://fetch.spec.whatwg.org/#local-scheme">local scheme</dfn></li> | ||
| <li>A <dfn data-x-href="https://fetch.spec.whatwg.org/#network-scheme">network scheme</dfn></li> | ||
| <li>A <dfn data-x-href="https://fetch.spec.whatwg.org/#fetch-scheme">fetch scheme</dfn></li> | ||
| <li><dfn data-x-href="https://fetch.spec.whatwg.org/#http-cors-protocol">CORS protocol</dfn></li> | ||
| <li><dfn data-x="default-user-agent-value" data-x-href="https://fetch.spec.whatwg.org/#default-user-agent-value">default `<code>User-Agent</code>` value</dfn></li> | ||
|
|
@@ -9252,7 +9251,7 @@ partial interface <dfn id="document" data-lt="">Document</dfn> { | |
| context</span> is null.</li> | ||
|
|
||
| <li>A <code>Document</code> whose <span data-x="concept-document-url">URL</span>'s <span | ||
| data-x="concept-url-scheme">scheme</span> is not a <span>network scheme</span>.</li> | ||
| data-x="concept-url-scheme">scheme</span> is not an <span>HTTP(S) scheme</span>.</li> | ||
|
|
||
| </ul> | ||
|
|
||
|
|
@@ -117970,16 +117969,13 @@ interface <dfn>MimeType</dfn> { | |
| <dd>Scheme-specific.</dd> | ||
| <dt>Interoperability considerations:</dt> | ||
| <dd>The scheme is expected to be used in the context of web applications.</dd> | ||
| <!--ADD-TOPIC:Security--> | ||
| <dt>Security considerations:</dt> | ||
| <dd> | ||
| Any web page is able to register a handler for all "<code data-x="">web+</code>" schemes. As | ||
| such, these schemes must not be used for features intended to be core platform features (e.g. | ||
| network transfer protocols like HTTP or FTP). Similarly, such schemes must not store | ||
| confidential information in their URLs, such as usernames, passwords, personal information, or | ||
| confidential project names. | ||
| such, these schemes must not be used for features intended to be core platform features (e.g., | ||
| HTTP). Similarly, such schemes must not store confidential information in their URLs, such as | ||
| usernames, passwords, personal information, or confidential project names. | ||
| </dd> | ||
| <!--REMOVE-TOPIC:Security--> | ||
| <dt>Contact:</dt> | ||
| <dd>Ian Hickson <[email protected]></dd> | ||
| <dt>Change controller:</dt> | ||
|
|
||