26876 2014-09-22 07:44:25 +0000 Title argument for both registerProtoclHandler() and registerContentHandler() should be removed as i [...] 2016-02-05 09:01:12 +0000 1 1 1 Unclassified WHATWG HTML unspecified Other other RESOLVED WONTFIX https://html.spec.whatwg.org/#dom-navigator-registerprotocolhandler blocked awaiting response from annevk to comment 3 (please remove this when replying) P3 normal Unsorted 1 contributor ian annevk ian mike philipj contributor oldest_to_newest 111899 0 contributor 2014-09-22 07:44:25 +0000 Specification: https://html.spec.whatwg.org/multipage/webappapis.html Multipage: https://html.spec.whatwg.org/multipage/#dom-navigator-registerprotocolhandler Complete: https://html.spec.whatwg.org/#dom-navigator-registerprotocolhandler Referrer: https://html.spec.whatwg.org/multipage/ Comment: Title argument for both registerProtoclHandler() and registerContentHandler() should be removed as it allows for spoofing. See https://bugzilla.mozilla.org/show_bug.cgi?id=1056860 The user agent can create enough UI itself using the origin, desired scheme/type and URL. Posted from: 46.127.136.57 by annevk@annevk.nl User agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:35.0) Gecko/20100101 Firefox/35.0 111929 1 ian 2014-09-22 16:48:08 +0000 Can you elaborate on how you can make the UI non-ugly without a title? Obviously you shouldn't use the title alone in the UI, that would enable spoofing. But without the title, how would you distinguish multiple services on the same domain? Consider: Google+ Photos http://www.google.com/photos/upload Drive http://www.google.com/a/annvk.nl/upload Google Maps Photos http://www.google.com/maps/upload What would your dialog look like? With a title it could be: Select a service: (o) Google+ Photos www.google.com http://www.google.com/ph... ( ) Drive www.google.com http://www.google.com/a/... ( ) Google Maps Photos www.google.com http://www.google.com/ma... [[ Open ]] What would you have it look like? 111933 2 annevk 2014-09-22 16:57:20 +0000 Basically any kind of UI where the developer controls a string is a problem. I'm not sure how your specific scenario would work out. It seems we use icons today, so that would still work. 112036 3 ian 2014-09-23 18:07:16 +0000 The icons are also under control of the author. How would that be any different? How would you make it accessible? I don't understand your concern. If the string tries to lie, it's pretty obvious: Select a service: (o) Facebook example.com https://example.com/logi... 124851 4 annevk 2016-02-05 05:05:10 +0000 Closing this since the bigger problem is that these methods are poorly implemented. 124853 5 philipj 2016-02-05 06:54:38 +0000 Do we have an open issue for that? 124857 6 annevk 2016-02-05 09:01:12 +0000 We do now: https://github.com/whatwg/html/issues/630