[Webkit-unassigned] [Bug 229490] Invalid URL are treated as valid in navigator.canShare()
bugzilla-daemon at webkit.org
Wed Aug 25 23:38:06 PDT 2021
https://bugs.webkit.org/show_bug.cgi?id=229490
--- Comment #4 from Marcos Caceres <marcos at marcosc.com> ---
(In reply to Alex Christensen from comment #3)
> I think the relevant sentence in the spec is this:
> "If |url| is a URL the user agent deems potentially hostile (e.g., "file:")
> or wouldn't make sense to outside the scope of the document (e.g., "blob:"),
> return false."
> from https://w3c.github.io/web-share/
Yes, I added that a few days ago - but it's a bit of a stop-gap for the reason you mention:
> I'm wondering why Edge and the web platform tests think that include data
> URLs. They make sense outside the scope of the document and it's a
> judgement call as to whether the user agent deems them potentially hostile.
I made the following proposal:
https://github.com/w3c/web-share/issues/178#issuecomment-904241285
"""
Disallow sharing to "local scheme" ("about", "blob", or "data"), file, and "javascript", and any other scheme the UA doesn't want to share (e.g., internal "moz-icon:" or whatever).
Allow sharing HTTP(S) scheme and, optionally, any of the "safe-listed schemes".
That should give us broad coverage, while allowing the UA to retain control over what's actually shared, while excluding the "bad ones".
"""
"safe-listed schemes" are:
https://html.spec.whatwg.org/#safelisted-scheme
That's basically what I implemented in Gecko.
--
You are receiving this mail because:
You are the assignee for the bug.
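The scheme policy proposed in comment #4, written out as an added example (not code from the Web Share spec, Gecko, or WebKit). The function name `classifyShareUrl`, its options, and the sample URLs are assumptions made for illustration, and the safelisted set is a subset copied from the HTML Standard link above.

```javascript
// Added example: the proposed canShare() URL policy as a standalone check.
// "Local schemes" plus file: and javascript: are never shareable.
const BLOCKED_SCHEMES = new Set(["about", "blob", "data", "file", "javascript"]);

// Subset of the HTML Standard's safelisted schemes; the spec link is authoritative.
const SAFELISTED_SCHEMES = new Set([
  "bitcoin", "geo", "im", "irc", "ircs", "magnet", "mailto", "mms", "news",
  "nntp", "openpgp4fpr", "sip", "sms", "smsto", "ssh", "tel", "urn",
  "webcal", "wtai", "xmpp",
]);

// Hypothetical helper. `baseUrl` stands in for the document's base URL;
// `uaBlocked` models "any other scheme the UA doesn't want to share".
function classifyShareUrl(input, baseUrl, { allowSafelisted = true, uaBlocked = [] } = {}) {
  let parsed;
  try {
    parsed = new URL(input, baseUrl);
  } catch {
    // A string that fails URL parsing must not be reported as shareable.
    return { shareable: false, reason: "invalid-url", scheme: null };
  }
  // URL.protocol is lowercased and ends with ":"; strip the colon.
  const scheme = parsed.protocol.slice(0, -1);
  if (BLOCKED_SCHEMES.has(scheme) || uaBlocked.includes(scheme)) {
    return { shareable: false, reason: "blocked-scheme", scheme };
  }
  if (scheme === "http" || scheme === "https") {
    return { shareable: true, reason: "http(s)", scheme };
  }
  if (allowSafelisted && SAFELISTED_SCHEMES.has(scheme)) {
    return { shareable: true, reason: "safelisted-scheme", scheme };
  }
  // Default deny: anything not explicitly allowed is rejected.
  return { shareable: false, reason: "scheme-not-allowed", scheme };
}

// Constructed sample inputs, resolved against a constructed base URL.
const BASE = "https://example.com/app/";
const SAMPLES = ["/article?id=1", "DATA:text/plain,hi", "blob:https://example.com/1234",
  "file:///tmp/report.txt", "mailto:user@example.com", "moz-icon://stock", "https://exa mple.com/"];
for (const s of SAMPLES) {
  const r = classifyShareUrl(s, BASE);
  console.log(`${s} -> ${r.shareable} (${r.reason})`);
}
```

The check is default-deny, so an unknown scheme such as "moz-icon" is rejected even when the UA has not listed it explicitly.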