Gen-ART Telechat review of draft-ietf-appsawg-about-uri-scheme-05
Richard L. Barnes <rbarnes@bbn.com> Mon, 04 June 2012 12:33 UTC
Return-Path: <rbarnes@bbn.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 484D121F8724; Mon, 4 Jun 2012 05:33:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UoveCkfK1DfS; Mon, 4 Jun 2012 05:33:41 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id B089321F871C; Mon, 4 Jun 2012 05:33:41 -0700 (PDT)
Received: from ros-dhcp192-1-51-6.bbn.com ([192.1.51.6]:59859) by smtp.bbn.com with esmtps (TLSv1:AES128-SHA:128) (Exim 4.77 (FreeBSD)) (envelope-from <rbarnes@bbn.com>) id 1SbWT4-0003ZQ-Qa; Mon, 04 Jun 2012 08:33:06 -0400
From: "Richard L. Barnes" <rbarnes@bbn.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: Gen-ART Telechat review of draft-ietf-appsawg-about-uri-scheme-05
Date: Mon, 04 Jun 2012 08:33:40 -0400
Message-Id: <196B9066-2934-443D-B642-997BDF57948E@bbn.com>
To: ietf@ietf.org, IESG <iesg@ietf.org>, gen-art@ietf.org
Mime-Version: 1.0 (Apple Message framework v1278)
X-Mailer: Apple Mail (2.1278)
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Jun 2012 12:33:43 -0000
I am the assigned Gen-ART reviewer for this draft. For background on
Gen-ART, please see the FAQ at
<http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
Please resolve these comments along with any other Last Call comments
you may receive.
Document: draft-ietf-appsawg-about-uri-scheme-05
Reviewer: Richard Barnes
Review Date: Jun-04-2012
IETF LC End Date: Not known
IESG Telechat date: Jun-07-2012
Summary: Almost ready, couple of questions
MAJOR:
*.
I wonder how useful this document is, given that the use of "about:" URIs is currently very inconsistent across browsers. (See, for example, <http://en.wikipedia.org/wiki/About_URI_scheme>) Some browsers also use alternative URI schemes for essentially the same function ("opera:", "chrome:"). Has there been input from the browser vendor community on this document?
4.
The document correctly notes that "about:" URIs sometimes point to sensitive data, and that browsers need to protect them. However, the document fails to specify what the threats are and how to mitigate them. It seems to me that the major risk is cross-site scripting, in the sense that a remote web page might include an "about:" URI (e.g., via an XMLHttpRequest) in order to access sensitive data. At a high level, then, the mitigation would be to ensure that such URIs are accessible only as a result of direct user action (e.g., typing in a URI) or trusted browser code (e.g., extensions).
- Gen-ART Telechat review of draft-ietf-appsawg-abo… Richard L. Barnes
- Re: Gen-ART Telechat review of draft-ietf-appsawg… S Moonesamy