This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 24091 - Support registerProtocolHandler() and registerContentHandler()
Summary: Support registerProtocolHandler() and registerContentHandler()
Status: RESOLVED MOVED
Alias: None
Product: WHATWG
Classification: Unclassified
Component: Fetch (show other bugs)
Version: unspecified
Hardware: PC All
: P2 normal
Target Milestone: Unsorted
Assignee: Anne
QA Contact: sideshowbarker+fetchspec
URL:
Whiteboard: blocked on implementers weighing in
Keywords:
Depends on:
Blocks:
 
Reported: 2013-12-13 14:55 UTC by Anne
Modified: 2015-09-28 12:01 UTC (History)
3 users (show)

See Also:


Attachments

Comment 1 Anne 2013-12-13 14:56:19 UTC
A problem would be that

<img src=data:...>

is no longer safe as it could execute a network request if the MIME
type was text/vcard or some such.
Comment 2 Ian 'Hixie' Hickson 2013-12-13 16:58:01 UTC
Why would that not be safe? What's the attack vector?
Comment 3 Anne 2014-01-08 17:45:28 UTC
An intranet could have broken (but harmless) code of the form

  <img src=mailto:test>

This would suddenly start issuing network requests and reveal potentially confidential information to the user's email provider.

I have a hard time thinking of something better, but it seems unexpected and potentially bad to have network requests for things that were just network errors before.
Comment 4 Ian 'Hixie' Hickson 2014-02-07 22:42:27 UTC
If a page has <img src=mailto:test>, it's pretty bogus...
Comment 5 Anne 2014-02-11 13:50:16 UTC
Chrome does not appear to implement registerContentHandler() and Gecko does not appear to implement these for fetching (just navigation). I could define these but interest seems limited.
Comment 6 Adam Barth 2014-07-16 17:04:17 UTC
IMHO, we shouldn't worry about <img src=mailto:test>.  That's unlikely to be a problem in practice.  I'm less sure about content handlers and data URLs...
Comment 7 Anne 2014-08-05 10:59:36 UTC
Adam, but should we make it work at all? I think I'd rather have these only take effect during navigation. That seems much more intuitive.