[Webkit-unassigned] [Bug 229490] Invalid URL are treated as valid in navigator.canShare()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Aug 25 23:38:06 PDT 2021


--- Comment #4 from Marcos Caceres <marcos at marcosc.com> ---
(In reply to Alex Christensen from comment #3)
> I think the relevant sentence in the spec is this:
> "If |url| is a URL the user agent deems potentially hostile (e.g., "file:")
> or wouldn't make sense to outside the scope of the document (e.g., "blob:"),
> return false."
> from https://w3c.github.io/web-share/

Yes, I added that a few days ago - but it's a bit of a stop-gap for the reason you mention: 

> I'm wondering why Edge and the web platform tests think that include data
> URLs.  They make sense outside the scope of the document and it's a
> judgement call as to whether the user agent deems them potentially hostile.

I made the following proposal: 

Disallow sharing to "local scheme" ("about", "blob", or "data"), file, and "javascript", and any other scheme the UA doesn't want to share (e.g., internal "moz-icon:" or whatever).

Allow sharing HTTP(S) scheme and, optionally, any of the "safe-listed schemes".

That should give us broad coverage, while allowing the UA to retain control over what's actually shared, while excluding the "bad ones".

"safe-listed schemes" are:

That's basically what I implemented in Gecko.

You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210826/80ce417a/attachment.htm>

More information about the webkit-unassigned mailing list