This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 26876 - Title argument for both registerProtocolHandler() and registerContentHandler() should be removed as i [...]
Status: RESOLVED WONTFIX
Alias: None
Product: WHATWG
Classification: Unclassified
Component: HTML
Version: unspecified
Hardware: Other other
Importance: P3 normal
Target Milestone: Unsorted
Assignee: Ian 'Hixie' Hickson
QA Contact: contributor
URL: https://html.spec.whatwg.org/#dom-nav...
Whiteboard: blocked awaiting response from annevk...
Keywords:
Depends on:
Blocks:
 
Reported: 2014-09-22 07:44 UTC by contributor
Modified: 2016-02-05 09:01 UTC

Description contributor 2014-09-22 07:44:25 UTC
Specification: https://html.spec.whatwg.org/multipage/webappapis.html
Multipage: https://html.spec.whatwg.org/multipage/#dom-navigator-registerprotocolhandler
Complete: https://html.spec.whatwg.org/#dom-navigator-registerprotocolhandler
Referrer: https://html.spec.whatwg.org/multipage/

Comment:
Title argument for both registerProtocolHandler() and registerContentHandler()
should be removed as it allows for spoofing. See
https://bugzilla.mozilla.org/show_bug.cgi?id=1056860. The user agent can create
enough UI itself using the origin, desired scheme/type and URL.

Posted from: 46.127.136.57 by annevk@annevk.nl
User agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:35.0) Gecko/20100101 Firefox/35.0

Comment 1 Ian 'Hixie' Hickson 2014-09-22 16:48:08 UTC
Can you elaborate on how you can make the UI non-ugly without a title? Obviously you shouldn't use the title alone in the UI, that would enable spoofing. But without the title, how would you distinguish multiple services on the same domain?

Consider:

   Google+ Photos      http://www.google.com/photos/upload
   Drive               http://www.google.com/a/annvk.nl/upload
   Google Maps Photos  http://www.google.com/maps/upload

What would your dialog look like? With a title it could be:

   Select a service:

   (o) Google+ Photos
       www.google.com
       http://www.google.com/ph...

   ( ) Drive
       www.google.com
       http://www.google.com/a/...

   ( ) Google Maps Photos
       www.google.com
       http://www.google.com/ma...

   [[ Open ]]

What would you have it look like?

Comment 2 Anne 2014-09-22 16:57:20 UTC
Basically any kind of UI where the developer controls a string is a problem.

I'm not sure how your specific scenario would work out. It seems we use icons today, so that would still work.

Comment 3 Ian 'Hixie' Hickson 2014-09-23 18:07:16 UTC
The icons are also under control of the author. How would that be any different? How would you make it accessible?

I don't understand your concern. If the string tries to lie, it's pretty obvious:

   Select a service:

   (o) Facebook
       example.com
       https://example.com/logi...

Comment 4 Anne 2016-02-05 05:05:10 UTC
Closing this since the bigger problem is that these methods are poorly implemented.

Comment 5 Philip Jägenstedt 2016-02-05 06:54:38 UTC
Do we have an open issue for that?

Comment 6 Anne 2016-02-05 09:01:12 UTC
We do now: https://github.com/whatwg/html/issues/630
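
The two chooser layouts debated in comments 1 to 3, as an added JavaScript example (not code from this thread, the specification, or any browser): one shows the author-supplied title above the host and URL that the user agent derives itself, the other shows only the derived strings, and a helper reports which hosts become ambiguous without a title. The function names are hypothetical, and the sample registrations are constructed from the thread's mock-ups, with `https://example.com/login` assumed as the full form of the truncated URL.

```javascript
// Constructed sample data based on the thread's mock-ups.
// `title` is the author-controlled string; host and preview are derived by the UA.
const registrations = [
  { title: "Google+ Photos", url: "http://www.google.com/photos/upload" },
  { title: "Drive", url: "http://www.google.com/a/annvk.nl/upload" },
  { title: "Google Maps Photos", url: "http://www.google.com/maps/upload" },
  { title: "Facebook", url: "https://example.com/login" }, // constructed spoof attempt
];

const URL_PREVIEW_LENGTH = 24; // same truncation as the thread's mock-ups

// Build one chooser entry. The host comes from parsing the handler URL,
// never from any display text supplied by the registering page.
function dialogEntry(reg) {
  const href = new URL(reg.url).href; // normalised form; throws on an invalid URL
  const preview = href.length > URL_PREVIEW_LENGTH
    ? href.slice(0, URL_PREVIEW_LENGTH) + "..."
    : href;
  return { title: reg.title, host: new URL(href).host, preview };
}

// Comment 1 layout: title first, UA-derived host and URL preview underneath.
function renderWithTitle(regs) {
  return regs.map(dialogEntry)
    .map((e) => `( ) ${e.title}\n    ${e.host}\n    ${e.preview}`)
    .join("\n\n");
}

// Title-free layout: only UA-derived strings are shown.
function renderWithoutTitle(regs) {
  return regs.map(dialogEntry)
    .map((e) => `( ) ${e.host}\n    ${e.preview}`)
    .join("\n\n");
}

// Hosts registered more than once: without a title these entries share a
// label and can only be told apart by the URL preview.
function ambiguousHosts(regs) {
  const counts = new Map();
  for (const { host } of regs.map(dialogEntry)) {
    counts.set(host, (counts.get(host) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n > 1).map(([host]) => host);
}

console.log(renderWithTitle(registrations));
console.log(renderWithoutTitle(registrations));
console.log(ambiguousHosts(registrations));
```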