From webkit-dev Thu Nov 21 19:52:13 2019
From: Maciej Stachowiak
Date: Thu, 21 Nov 2019 19:52:13 +0000
To: webkit-dev
Subject: Re: [webkit-dev] WebKit team feedback on proposal to limit registerProtocolHandler API to secure con
Message-Id: <1598F707-5DAC-4EEE-95DE-B8F9BF8D990D () apple ! com>
X-MARC-Message: https://marc.info/?l=webkit-dev&m=157436608107143

Hi Eric,

Thanks for asking for our input. I’ve discussed this with experts on this area at Apple. WebKit does not currently support `registerProtocolHandler` and likely will not. It’s a powerful capability, and hard to use sensibly in practice (except perhaps the `mailto:` scheme in particular). Even opening a URL with a custom URL scheme is a dangerous powerful capability that we’ve gated with a permission in Safari (in addition to banning specific extra-dangerous schemes). Apple’s Universal Links and Android App Links seem like a better technical solution for links that link sometimes to websites and sometimes to native apps.

All that said, if `registerProtocolHandler` is implemented at all, it seems better to limit it to secure contexts. It might be worth reviewing what schemes get registered to see if it’s possible to limit to a very short known-safe list.

Regards,
Maciej

> On Nov 20, 2019, at 9:12 AM, Eric Lawrence <elawrence@chromium.org> wrote:
>
> The Blink team has requested that I inquire whether the WebKit team has a point-of-view about the upcoming change to limit HTML's registerProtocolHandler API to use from secure contexts: https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/1AOWqzgFQiw. This will disallow use of that API from non-secure (HTTP) contexts.
>
> As I understand it, Safari does not implement the registerProtocolHandler API. In the past, WebKit contained the IDL for the API in (WebCore::NavigatorContentUtils::registerProtocolHandler), but this was removed earlier this year: https://trac.webkit.org/changeset/243433/webkit.
>
> Would anyone from WebKit like to express support or objection to the Blink I2I?
> _______________________________________________
> webkit-dev mailing list
> webkit-dev@lists.webkit.org
> https://lists.webkit.org/mailman/listinfo/webkit-dev
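
The two gates discussed in this message (secure contexts only, and a short list of allowed schemes) can be modelled as a pre-registration check. This is an added example, not part of the original message and not WebKit or Blink code: `checkRegistration`, `isSecureOrigin` and the one-entry `SAFE_SCHEMES` list are hypothetical names and values, and the `%s` placeholder and same-origin checks on the handler URL are the ones the HTML specification applies.

```javascript
// Assumed allowlist for illustration: the thread names only mailto: as a
// scheme that is sensible to register.
const SAFE_SCHEMES = new Set(["mailto"]);

// Approximates "secure context": https:, or http: on a loopback host.
function isSecureOrigin(url) {
  if (url.protocol === "https:") return true;
  return url.protocol === "http:" &&
    ["localhost", "127.0.0.1", "[::1]"].includes(url.hostname);
}

// Decides whether a registerProtocolHandler(scheme, handlerTemplate) call
// made by the document at pageHref should be accepted.
// Returns { ok, reason } so the rejection cause can be logged.
function checkRegistration(pageHref, scheme, handlerTemplate) {
  const page = new URL(pageHref);
  if (!isSecureOrigin(page)) return { ok: false, reason: "insecure-context" };

  // Scheme names are case-insensitive; compare in lowercase.
  const s = String(scheme).toLowerCase();
  if (!SAFE_SCHEMES.has(s)) return { ok: false, reason: "scheme-not-allowed" };

  // The handler URL is a template; the clicked link is substituted for %s.
  if (!handlerTemplate.includes("%s")) return { ok: false, reason: "missing-%s" };

  let handler;
  try {
    handler = new URL(handlerTemplate, page); // resolve relative templates
  } catch {
    return { ok: false, reason: "bad-handler-url" };
  }
  if (!isSecureOrigin(handler)) return { ok: false, reason: "insecure-handler" };
  // A page may only register a handler on its own origin.
  if (handler.origin !== page.origin) {
    return { ok: false, reason: "cross-origin-handler" };
  }
  return { ok: true, reason: "allowed" };
}
```
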