Re: Gen-ART Telechat review of draft-ietf-appsawg-about-uri-scheme-05

S Moonesamy <sm+ietf@elandsys.com> Mon, 04 June 2012 17:22 UTC

Message-Id: <6.2.5.6.2.20120604072443.098cdc28@resistor.net>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.5.6
Date: Mon, 04 Jun 2012 10:00:38 -0700
To: "Richard L. Barnes" <rbarnes@bbn.com>, IESG <iesg@ietf.org>
From: S Moonesamy <sm+ietf@elandsys.com>
Subject: Re: Gen-ART Telechat review of draft-ietf-appsawg-about-uri-scheme-05
In-Reply-To: <196B9066-2934-443D-B642-997BDF57948E@bbn.com>
References: <196B9066-2934-443D-B642-997BDF57948E@bbn.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Cc: gen-art@ietf.org, ietf@ietf.org, apps-discuss@ietf.org

Hi Richard,

Thanks for the review.  This is an individual comment.

At 05:33 04-06-2012, Richard L. Barnes wrote:
>I wonder how useful this document is, given that the use of "about:" 
>URIs is currently very inconsistent across browsers. (See, for 
>example, <http://en.wikipedia.org/wiki/About_URI_scheme>)  Some 
>browsers also use alternative URI schemes for essentially the same 
>function ("opera:", "chrome:").  Has there been input from the 
>browser vendor community on this document?

One of the editors of draft-ietf-appsawg-about-uri-scheme-04, who is 
affiliated with Opera Software ASA, provided input about the draft.

The Wikipedia article mentions that it needs additional citations for 
verification.  Although the "about" URI scheme is well-known, it has 
never been registered.  The document describes the URI scheme and 
registers it in the "URI Schemes".  The document does not seek to 
impose any requirement.  It leaves it to browser vendors to decide 
what to do.

>4.
>The document correctly notes that "about:" URIs sometimes point to 
>sensitive data, and that browsers need to protect them.  However, 
>the document fails to specify what the threats are and how to 
>mitigate them.  It seems to me that the major risk is cross-site 
>scripting, in the sense that a remote web page might include an 
>"about:" URI (e.g., via an XMLHttpRequest) in order to access 
>sensitive data.  At a high level, then, the mitigation would be to 
>ensure that such URIs are accessible only as a result of direct user 
>action (e.g., typing in a URI) or trusted browser code (e.g., extensions).

Section 4 of draft-ietf-appsawg-about-uri-scheme-06 mentions that 
"about" URIs may be used to reference, for example, user passwords 
stored in a cache.  The document does not register such a token 
though.  It leaves it to a person with expertise to write the 
specification about that token to consider the security 
implications.  Adding text to discuss cross-site scripting 
might be misconstrued as a recommendation.

Regards,
S. Moonesamy