10327 – supported URL schemes in open()

This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 10327 - supported URL schemes in open()

Summary: supported URL schemes in open()

Status:	RESOLVED FIXED

Alias:	None

Product:	WebAppsWG
Classification:	Unclassified
Component:	XHR (show other bugs)
Version:	unspecified
Hardware:	PC All

Importance:	P2 normal
Target Milestone:	---
Assignee:	Anne
QA Contact:	public-webapps-bugzilla

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2010-08-09 12:34 UTC by Anne
Modified:	2011-12-20 19:44 UTC (History)
CC List:	4 users (show)

See Also:

Attachments

Description Anne 2010-08-09 12:34:28 UTC

I would like to have clearer language for URLs regarding their supported <scheme> component.

I.e. I would like it to be clear from the draft what happens if you use any of the following:

  "mailto:foo@example.org"
  "about:blank"
  "tag:example.org"
  "tel:+316..."
  "data:text/html,..."

My preferred solution would be to throw unless the URL scheme is one of a whitelist which contains:

  http
  https
  ftp
  file (implementation specific, must throw a SYNTAX_ERR if the current scheme is not file)

We can add to this whitelist in the future, such as the blob URL scheme.

Comment 1 Boris Zbarsky 2010-08-09 12:43:46 UTC

I don't see why this whitelist idea is desirable, and doing this would certainly break existing Gecko extension XMLHttpRequest consumers.

Why shouldn't other protocols be supported, exactly?

Comment 2 Anne 2010-08-09 12:49:43 UTC

We could solve this any number of ways, but for non-extension web content it would be good to have a clear answer to what should happen to the example cases I gave (i.e. mailto URLs and such). Having a whitelist makes the answer very simple. Having it open ended does not and could lead to interoperability problems.

Comment 3 Boris Zbarsky 2010-08-09 12:56:02 UTC

Fair enough.

For what it's worth, Gecko's current behavior is that every protocol implementation has an associated boolean flag indicating whether the protocol returns data.  Protocols that do not end up throwing when open() is called on a URI for those protocols.  Unknown protocols are presumed to not return data (since we have no way to get the data).

So for your examples in comment 0, and assuming no extensions that implement additional protocols are installed, we would throw on everything except about: and data:.

Comment 4 Anne 2010-08-09 14:37:31 UTC

Opera and WebKit pass through URLs that are legal and fail at the request layer (i.e. after send() is invoked) for unsupported schemes. Opera supports data URLs.

The concept Mozilla has could work, but a) is not part of URI scheme registry so will be difficult and b) cross-origin requests for web content can only work by virtue of CORS which only works for HTTP.

I think the solution here then is to remove the restriction on schemes in the open() algorithm. If we also remove the non same-origin restriction there it follows naturally that everything fails in the request layer as these URLs are not same-origin and cannot support CORS.

In proprietary environments such as extensions these URLs could still do something useful as presumably CORS is not (always) followed there.

Comment 5 Anne 2010-08-11 11:32:20 UTC

Proposal for CfC: paragraph 3 of comment 4.

Comment 6 Boris Zbarsky 2010-08-11 15:15:57 UTC

That sounds reasonable to me.

Comment 7 Anne 2010-08-26 13:08:31 UTC

Fixed! (Also for redirects.)