Hi folks,

I sent out an 'intent to implement and ship' for adding FTP related schemes to the list of safelisted schemes for use with registerProtocolHandler. I'd like to solicit your opinion on this change.

Thanks,
- Asanka

Summary

Add "ftp", "ftps", and "sftp" to the list of protocols available for registration via registerProtocolHandler(). FTP is now deprecated and will imminently be removed from the codebase. Allowing websites to register themselves as handlers for ftp:// URLs makes it possible to build easy to use gateways for legacy ftp sites. In addition we propose adding related protocols "ftps" and "sftp" to the list. Google Chrome/Chromium was not handling these URL schemes.



Blink component

Blink>HTML>CustomHandlers

Search tags

ftpregisterprotocolhandler

TAG review



TAG review status

Not applicable

Risks



Interoperability and Compatibility



Gecko: Worth prototyping (https://github.com/mozilla/standards-positions/issues/513) Suggested filtering out credentials from outgoing FTP links.

WebKit: N/A Safari does not support `registerProtocolHandler`.

Web developers: Positive (https://bugs.chromium.org/p/chromium/issues/detail?id=333943#c57)

Security

Same as other schemes in registerProtocolHandler. Since ftp was a protocol that used to be supported by the browser, internal ftp links might exist that assume in-browser support in assessing their security risks. A custom protocol handler will necessarily expose ftp URLs to the handler. Registering one may violate administrator assumptions about the URLs not leaving their organization when users click on them.



Is this feature fully tested by web-platform-tests?

No

Flag name



Tracking bug

https://crbug.com/1199027

Link to entry on the Chrome Platform Status

https://www.chromestatus.com/feature/5762628536238080

Links to previous Intent discussions

Intent to Ship: https://groups.google.com/a/chromium.org/g/blink-dev/c/ABhlioapE0E/m/du8Jv9nhAAAJ