Re: Last Call: <draft-holsten-about-uri-scheme-06.txt> (The 'about' URI scheme) to Proposed Standard
Boris Zbarsky <bzbarsky@MIT.EDU> Fri, 17 June 2011 16:53 UTC
Message-ID: <4DFB869F.4050401@mit.edu>
Date: Fri, 17 Jun 2011 12:53:51 -0400
From: Boris Zbarsky <bzbarsky@MIT.EDU>
To: Lachlan Hunt <lachlan.hunt@lachy.id.au>
Subject: Re: Last Call: <draft-holsten-about-uri-scheme-06.txt> (The 'about' URI scheme) to Proposed Standard
References: <4D3A64FF.1020000@mit.edu> <4DF87637.2000301@gmail.com> <4DF8D6C6.5080005@mit.edu> <4DF9C5EE.9010703@lachy.id.au> <4DFAD1F6.70203@gmail.com> <4DFAD8CD.2030402@mit.edu> <4DFB39A6.5050105@lachy.id.au>
In-Reply-To: <4DFB39A6.5050105@lachy.id.au>
Cc: IETF Discussion <ietf@ietf.org>

On 6/17/11 7:25 AM, Lachlan Hunt wrote:
> On 2011-06-17 06:32, Boris Zbarsky wrote:
>> On 6/17/11 12:03 AM, Mykyta Yevstifeyev wrote:
>>>>> not
>>>>> clearly compatible with the web security model,
>>> How?
>>
>> "about:blank" in particular is magic with respect to security on the web
>> in various ways (e.g. it can end up same-origin with http:// pages). So
>> I think we do need to specify exactly when this magic security behavior
>> takes place.
>
> The spec is not meant to imply that the special same-origin behaviour
> for about:blank is to be inherited by any other about URI, even if other
> URIs also return a blank document. Perhaps, I need to make that clearer
> in the spec.

Yes, but is it meant to be inherited by "about:blan%6b"? That's the
issue that needs sorting out in terms of normalization, for example.
The current spec draft explicitly says that "about:blan%6b" and
"about:blank" are equivalent.

I just did some testing on that, since it looks like it won't happen
otherwise. You can see the testcase I used at the end of the mail.
Results are:

  Gecko all versions: URI not loaded at all
  Chrome 11 stable:   document URI is still shown as escaped, security
                      magic is done
  Chrome 14 dev:      same as Chrome 11 stable
  WebKit tip:         same as Chrome 11 stable
  Safari 5:           same as Chrome 11 stable
  Opera 11.11:        URI not loaded at all (or at least the subframe's
                      load event doesn't fire).
  IE9:                Loads error page in the subframe and alerts an
                      access denied error. This is the same in standards,
                      IE8, IE7, and quirks modes (though the textual
                      representation of the error varies).

I didn't bother testing older Opera versions; if someone cares please
feel free to do so.

Note that some browsers have behavior that differs between iframes and
the url bar. For the url bar, I observe the following behaviors for
"about:blan%6b":

  Firefox all versions: alert saying the URI is invalid and cannot be
                        loaded.
  Chrome 11:            URL bar shows "about:blank", content area shows a
                        blank document.
  Chrome 14:            redirects to chrome://blank which then gives an
                        "invalid URI" error page
  WebKit tip:           URL bar shows "about:blan%6b", content area shows
                        a blank document.
  Safari 5:             As WebKit tip.
  Opera 11.11:          Redirects to "opera:blank" which gives an
                        "Invalid address" error page.
  IE9:                  URL bar shows "about:blan%6b" and an error page
                        is shown.

So it could be argued that Chrome 11, WebKit tip, and Safari 5 do what
the spec currently calls for. No other browser does. And Chrome 14 is
inconsistent in how it handles this URI depending on the context it's
encountered in.

-Boris

Testcase:

  <!DOCTYPE HTML>
  <body>
    <iframe id="iframe"></iframe>
    <script>
      var i;
      onload = function() {
        i = document.getElementById("iframe");
        i.onload = function() {
          try {
            alert(this.contentDocument.documentURI);
            alert(this.contentDocument.documentElement);
          } catch(e) {
            alert(e);
          }
        }
        i.src = "about:blan%6b";
      }
    </script>
  </body>
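
The normalization question raised in the message above, as an added example that is not part of the original mail: it applies RFC 3986 section 6.2.2 syntax-based normalization to about: URIs and lists the inputs on which a literal string check and a normalized check disagree about "is this about:blank". All function names and sample inputs are constructed for illustration.

```javascript
// Added example: syntax-based normalization (RFC 3986 section 6.2.2) applied
// to about: URIs. Function names are hypothetical, not from any browser.

const UNRESERVED = /^[A-Za-z0-9\-._~]$/;

// Lowercase the scheme, decode percent-escapes of unreserved characters,
// and uppercase the hex digits of the escapes that remain.
function normalizeAboutUri(uri) {
  const m = /^([A-Za-z][A-Za-z0-9+.\-]*):(.*)$/.exec(uri);
  if (!m) return null; // no scheme, or contains a line break
  const scheme = m[1].toLowerCase();
  const rest = m[2].replace(/%([0-9A-Fa-f]{2})/g, (esc, hex) => {
    const ch = String.fromCharCode(parseInt(hex, 16));
    return UNRESERVED.test(ch) ? ch : "%" + hex.toUpperCase();
  });
  return scheme + ":" + rest;
}

// Two ways an implementation might decide "this is about:blank".
function isBlankLiteral(uri) {
  return uri === "about:blank";
}
function isBlankNormalized(uri) {
  return normalizeAboutUri(uri) === "about:blank";
}

// Inputs on which the two checks disagree: for these, whether the special
// same-origin treatment applies depends on which check the code path uses.
function findDisagreements(uris) {
  return uris.filter((u) => isBlankLiteral(u) !== isBlankNormalized(u));
}

// Constructed sample inputs.
const SAMPLES = [
  "about:blank",
  "about:blan%6b",  // %6b is "k", an unreserved character
  "about:blan%6B",
  "ABOUT:blank",
  "about:blank%2f", // %2f is "/", reserved: stays encoded
  "about:Blank",    // this normalization does not change path case
];

console.log(findDisagreements(SAMPLES));
```

A security decision keyed on the URI should use one of the two checks on every code path (iframe load, URL bar, redirects), so that none of the listed inputs is treated differently depending on context.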