Consider a blocklist for schemes instead of a safelist #3998
Comments
|
I just saw this comment on #1829:
Is that true? That should make it much easier to switch over to a blacklist. I'm quite in favour of doing this. I'd like to know what the security concerns are with opening up all possible schemes, other than a small set of "special" schemes. I would imagine the blacklist would include just schemes that are treated specially by the browser (which we wouldn't want web applications to "steal" links to). This would roughly correspond to the special schemes defined in [URL], but not gopher which I don't believe any modern browser deals with. So:
Plus a few other important schemes like "javascript", "data", "blob", "filesystem", "about". User agents should be allowed to add new schemes to the blacklist, for example, Chrome would block "chrome" (otherwise it would wreak havoc if a site took over all the "chrome:" URLs, which are Chrome's alias for "about"). But for any scheme that isn't special to web browsers, I don't see a security reason not to let sites (with the user's concent) handle those links. |
|
In addition to special schemes, we should also blocklist any scheme containing a I'd also suggest blocklisting "localhost" and "localdomain", and any scheme consisting entirely of numbers. |
|
A blocklist with additional user-agent-specific entries seems rather bad. It also seems bad that it would seemingly prevent adding a new scheme like |
|
As far as I can tell Firefox uses a safelist. (I cannot find a C++ implementation of that function, and indeed I find some hints that they call the JS implementation from the code backing their IDL.) @annevk has enumerated a few issues with a blocklist, although none are insurmountable. To summarize my thoughts: Future expansionIt's possible that browsers may want to add native support for more schemes in the future. It seems unlikely we'll take on the pain of another http -> https transition any time soon, but browsers may want to support other protocols natively for other features (e.g. the various distributed schemes from #3080, if the distributed web folks succeed in making their project mainstream). Indeed, some browsers (e.g. Beaker) do support distributed web schemes natively. I'm not sure what But maybe such conflicts are OK! In such instances, a browser will change the meaning of an existing scheme in the wild. That's true whether we allow it in Basically I'm saying that adding a new scheme already requires a careful survey of the ecosystem, and registerProtocolHandler doesn't change that too much. User-agent-specific entriesThis is not great, but it seems like an area where we may want to accept non-interop for the sake of flexibility. Again browsers would be effectively compat-constrained in how they extend the blocklist. Alternately we could try taking a union of all existing schemes in internal use. It's worth pointing out that although registerProtocolHandler affects navigation via |
|
Some of the blocklist vs. safelist discussion happened in #1829 (comment). Let's try to use this thread going forward. I'm reasonably convinced by @mgiuca's points there, plus my above musings. @annevk, how do you feel? @jonathanKingston, you were working on this area in Firefox recently---thoughts? |
|
Yup. I'm also in favor of a blocklist. I think neither an allowlist nor a blocklist absolves from the need to deal with revoking a scheme that was previously available for registration. In the case of experimental protocols, it's likely part of an explicit goal as stated elsewhere. Also provisional scheme registrations can help with discoverability of schemes that are reserved by various UAs or be in conflict with someone else's use case. cc @mikewest @noncombatant FYI |
|
Thanks @domenic for a detailed analysis.
This is true, but it would be pretty confusing if typing "chrome:version" into the address bar opened Chrome's internal version page, while clicking a "chrome:version" link opened a web page that had registered for the Chrome scheme. It's probably best to allow browsers to block this type of link, as Chrome currently does.
Yeah. We should assume that any scheme popular enough to warrant a website that handles all of its links could end up being something that browsers want to handle natively. This will be true regardless of whether we have a whitelist or blacklist. (Presumably the popular new protocol that the future browsers want to implement will be one of the ones whitelisted.) So either way, we should plan for a scenario where some future scheme X is (whitelisted|not blacklisted) and a browser wants to support it natively.
I think so. If a browser wants to natively handle a future scheme X that is (whitelisted|not blacklisted), it has three choices:
For "chrome" URLs, I think Chrome would choose Option 1. Same if a new protocol became so ubiquitous (like "https") that it's always considered the domain of the browser. But for most protocols, browsers would generally go with Option 3. There isn't even any need to spec this. Because it relates to the browser UI (not in-page UI), it's automatically a user agent choice. Right now, I could make a browser that doesn't allow a site to register "mailto" because I have my own email client built into the browser. The spec says: "User agents may, within the constraints described in this section, do whatever they like when the method is called. A UA could, for instance, prompt the user and offer the user the opportunity to add the site to a shortlist of handlers, or make the handlers their default, or cancel the request. UAs could provide such a UI through modal UI or through a non-modal transient notification interface. UAs could also simply silently collect the information, providing it only when relevant to the user." So browsers are not required to do anything when a site registers a protocol handler. Furthermore, browsers already have UI to deal with conflicts between website-registered protocol handlers, and so-called "external" protocol handlers registered at the OS level. The issue of a conflict between a future website-registered handler and an in-browser handler is no more complex than what we already deal with. In light of this, I don't see any future-proofing issues from switching to a blocklist.
That's a slightly different argument, because you're talking about how a browser might override an OS-registered handler with its own internal implementation. Which is true, but it's nothing to do with web standards since neither side of that is being registered by this API. I think it's more relevant to consider the clash between website-registered and OS-registered handlers as a precedent. |
|
I don't have strong opinions about registering protocol handlers and I'm happy to defer to y'all on the underlying question of allow vs. block, except insofar as registration must be under user control, and they must exclude the kinds of schemes that the browser does interesting things with (because I'm sure we make all kinds of assumptions in various bits and pieces of our codebase that assumes we control these kinds of URLs completely). Skimming through Chrome's codebase, that list might include things like:
I doubt that's an exhaustive list.
I'd be much less upset about allowing sites to take over |
I don't think this needs to be in the spec. As I said above, user agents can ignore any registration they want, so I think it's up to each user agent to block the things they care about (though this can be mentioned as a security consideration in the spec). +1 to allowing sites to act as FTP clients and removing FTP support (eventually). (We'll need some kind of sockets API first!) |
I don't think this is really true. This is true if you have the market share of Chrome, but it's much less true if you have the market share of say, Servo. Servo could end up having to reuse Chrome's blocklisted schemes for its purposes and be forced to reverse engineer those. I'd much rather enumerate those schemes so it's clearer what ends up being reliable across user agents. |
|
What's the current of this issue? Skimming the discussion, it sounds like most of you are in favor of a blocklist instead of a safelist. Is it just a matter of now determining what that blocklist should contain? |
|
It would be good to have someone from Mozilla chime in on whether a blocklist is acceptable to them, as the other implementer of registerProtocolHandler. |
|
I haven't seen mention of the IANA registry at https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml explicitly referenced by the URL spec at https://url.spec.whatwg.org/#url-scheme-string. Is there a reason not to stick to a safelist and defer to that registry? (And the "web+WHATEVER" escape-hatch seems like it would allow for experimentation prior to gaining a registration.) One wrinkle from a Mozilla perspective right now is that the very experimental https://github.com/mozilla/libdweb project is providing a means for WebExtensions to register and show the custom scheme in the address bar (without involving a redirect). While I think there are various discussions that need to happen with the Security UX people before anything like that would ship, such an approach means spoofing concerns do become an issue and a safelist becomes favorable. Especially when the safelist comes with metadata that allows us to more easily provide human readable explanations of what permission the WebExtension is asking for. |
|
If we intend for the list to be an actual security mechanism, then only a safelist can act as such. Anything less, such as a blocklist or lexical sniff-test (e.g. the idea above that we should disallow Maybe that's OK; maybe we are putting all our security eggs in the "the user selects whether or not to register the protocol at runtime" basket. I see at least 3 classes of potential security concern:
From a pure security perspective, the combination of a safelist + the user choice UX provides defense in depth and would be the strongest choice among the current options. I do think we owe web developers, and new protocol developers, clarity. Any safelist, blocklist, or lexical sniff-test should be standardized, rather than being UA-defined. |
|
Using IANA's list doesn't seem to cover many of the schemes that were requested in the original intent to implement. In fact, I cross-referenced the two lists. The ONLY schemes common to both lists are Maybe these can be added to IANA, but there seems to be a disconnect between what schemes people want to use, and what have been added to IANA. Furthermore, if we used IANA as a safelist, we'd have to have a blocklist as a subset of that, because we don't want sites taking I also don't see any security risk of having an open list, that is mitigated by using IANA's list. As I said above, all of the useful protocols are going to have to be safelisted. The security risks aren't found in protocols that nobody is using. They're found in the protocols that will have to be safelisted. For example:
I think granting handling of
The problem is that if
This can't really be independent of the UA. Different UAs will have different special schemes. For example, |
As I said before, I don't think that's true. If Chrome lost a lot of market share, |
|
I think we would simply say "Sorry, you can't register The alternative is that we explicitly blocklist schemes used by popular web browsers, which raises issues like: what's popular enough to be on the list. Can a web browser decide to register |
|
It would effectively break sites if the feature had enough critical mass. |
|
Depends on the definition of "break". If Chrome suddenly decided that Similarly, Chrome could entirely remove the web protocol handlers feature or make it extremely hard for users to register (since the spec says: "UAs could also simply silently collect the information, providing it only when relevant to the user.") The fact that practically no Chrome user can make use of web protocol handlers any more would not cause the protocol handling sites to "break". Chrome would still be adhering to the spec. |
|
@mgiuca - if the feature has critical mass, it means, for examples, the many websites (not to mention native applications, though out of scope here) may have |
|
My personal opinion is that a blocklist is attractive in the long term because it would make much easier to quickly extend the whitelist. I'm not really qualified to say whether a safelist brings more security, but I acknowledge that we'd have to deal with the case where whitelisted schemes are later implemented natively anyway. However, I also share Anne's concern about UA-specific blocklist entries ; I think these should really be in the spec if we switch to a blocklist (incidentally, note that blocklisting prefixes like "chrome", "android", "about" seem to cover many of the UA-specific schemes, and would allow future extensions without spec changes). Checking current implementers' feedback, I see that essentially most people who commented in favor of a blocklist are from Google/Chromium. I checked with Mozilla/Firefox's and their current preference is still a whitelist. There was opposition to registerProtocolHandler in webkit-dev's 2015 thread (noticeable comments from Apple are https://lists.webkit.org/pipermail/webkit-dev/2015-May/027457.html and https://lists.webkit.org/pipermail/webkit-dev/2015-July/027518.html) and checking recently on WebKit's slack, it seems preference would still be a whitelist if the feature is implemented. Last but not least, one of the initial argument in favor of a blacklist is that it would avoid delays to ship new whitelisted schemes in browsers. However previous requests have been blocked for 1-4 years on this discussion blacklist VS whitelist! Here are the ones I found: #1829: version control Igalia plans to try and whitelist the "decentralization" schemes (and it's not a bigger effort to add more of course) and we will be happy to send code patches, WPT tests and handle necessary intent-to processes to Mozilla and Chromium projects. Note that Mozilla already whitelisted these schemes in WebExtensions' protocol_handlers (bugs 1428446) so it's currently out-of-sync with Navigator.registerProtocolHandler(). My conclusion is that several user requests have been pending for a long time on this while the statu quo is that 2/3 web engines would lean toward a whitelist. It does not seem that a consensus can be reached any time soon, so I'd prefer to try to extend the whitelist in the short term. I'll follow-up on the blink-dev thread too. |
…ndler() This adds "dat", "dweb", "ipfs", "ipns" and "ssb" to the safelisted schemes of [1]. Discussion for safelisting decentralized web protocols as well as the alternative idea to switch to a blacklist happened in [2] and [3]. [1] https://html.spec.whatwg.org/multipage/system-state.html#safelisted-scheme [2] whatwg#3935 [3] whatwg#3998
This commit updates the list of safelisted schemes [safelisted] related
to decentralization. Several requests for new schemes have been blocked
on [blocklist] but this latter approach is not pursued in the short term.
All schemes are documented at [iana].
1. Cryptocurrencies
- Remove bitcoin documentation link as a source code comment since it's
already referenced on IANA's page for URI schemes.
- Add "ethereum".
2. dweb community [dweb]
- Add "dat", "dweb", "ipfs", "ipns", "ssb", "cabal" and "hyper".
[blacklist] whatwg#3998
[dweb] whatwg#3935
[iana] https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml
[safelisted] https://html.spec.whatwg.org/multipage/system-state.html#safelisted-scheme
This commit adds otpauth to [safelisted]. Several requests for new schemes have been blocked on [blocklist] but this latter approach is not pursued in the short term. This was originally proposed in [otpauth] and the scheme is documented at [iana]. [blacklist] whatwg#3998 [iana] https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml [optauth] whatwg#2204 [safelisted] https://html.spec.whatwg.org/multipage/system-state.html#safelisted-scheme
This commit updates the list of safelisted schemes [safelisted] related
to decentralization. Several requests for new schemes have been blocked
on [blocklist] but this latter approach is not pursued in the short term.
All schemes are documented at [iana].
1. Cryptocurrencies
- Remove bitcoin documentation link as a source code comment since it's
already referenced on IANA's page for URI schemes.
- Add "ethereum".
2. dweb community [dweb] [did]
- Add "dat", "did", "dweb", "ipfs", "ipns", "ssb", "cabal" and "hyper".
[blacklist] whatwg#3998
[did] whatwg#5561
[dweb] whatwg#3935
[iana] https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml
[safelisted] https://html.spec.whatwg.org/multipage/system-state.html#safelisted-scheme
This CL adds "cabal", "dat", "did", "dweb", "ethereum", "hyper", "ipfs", "ipns", "ssb" to the safelist of navigator.registerProtocolHandler. Chrome status entry is [1] and feature has been discussed in [2] [3] [4]. Currently, the WHATWG and WPT changes are pending on the Mozilla position review [6]. Web platform exposure is protected by a new ProtocolHandlerDecentralizedWebSchemes experimental runtime flag. The validation on the Chrome process is done unconditionally since that code is not allowed to access Blink's runtime flags and it is really a browser-side validation to prevent security issue like [7]. [1] https://www.chromestatus.com/feature/4776602869170176 [2] https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/29sFh4tTdcs/K4XroilVBAAJ [3] https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/7nHTRUP1EGY [4] whatwg/html#3935 [5] whatwg/html#3998 [6] mozilla/standards-positions#339 [7] crbug.com/971917 Bug: 651311 Change-Id: Iba45706e985015cf86bd80adef990abd0980a638
This CL adds "cabal", "dat", "did", "dweb", "ethereum", "hyper", "ipfs", "ipns", "ssb" to the safelist of navigator.registerProtocolHandler. Chrome status entry is [1] and feature has been discussed in [2] [3] [4] [5]. Currently, the WHATWG and WPT changes are pending on the Mozilla position review [6]. [1] https://www.chromestatus.com/feature/4776602869170176 [2] https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/29sFh4tTdcs/K4XroilVBAAJ [3] https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/7nHTRUP1EGY [4] whatwg/html#3935 [5] whatwg/html#3998 [6] mozilla/standards-positions#339 Bug: 651311 Change-Id: Iba45706e985015cf86bd80adef990abd0980a638
This CL adds "cabal", "dat", "did", "dweb", "ethereum", "hyper", "ipfs", "ipns", "ssb" to the safelist of navigator.registerProtocolHandler. Chrome status entry is [1] and feature has been discussed in [2] [3] [4] [5]. Currently, the WHATWG and WPT changes are pending on the Mozilla position review [6]. [1] https://www.chromestatus.com/feature/4776602869170176 [2] https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/29sFh4tTdcs/K4XroilVBAAJ [3] https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/7nHTRUP1EGY [4] whatwg/html#3935 [5] whatwg/html#3998 [6] mozilla/standards-positions#339 Bug: 651311 Change-Id: Iba45706e985015cf86bd80adef990abd0980a638
This CL adds "cabal", "dat", "did", "dweb", "ethereum", "hyper", "ipfs", "ipns", "ssb" to the safelist of navigator.registerProtocolHandler. Chrome status entry is [1] and feature has been discussed in [2] [3] [4] [5]. Currently, the WHATWG and WPT changes are pending on the Mozilla position review [6]. [1] https://www.chromestatus.com/feature/4776602869170176 [2] https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/29sFh4tTdcs/K4XroilVBAAJ [3] https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/7nHTRUP1EGY [4] whatwg/html#3935 [5] whatwg/html#3998 [6] mozilla/standards-positions#339 Bug: 651311 Change-Id: Iba45706e985015cf86bd80adef990abd0980a638 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2153064 Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Dominick Ng <dominickn@chromium.org> Commit-Queue: Frédéric Wang <fwang@igalia.com> Cr-Commit-Position: refs/heads/master@{#799626}
This CL adds "cabal", "dat", "did", "dweb", "ethereum", "hyper", "ipfs", "ipns", "ssb" to the safelist of navigator.registerProtocolHandler. Chrome status entry is [1] and feature has been discussed in [2] [3] [4] [5]. Currently, the WHATWG and WPT changes are pending on the Mozilla position review [6]. [1] https://www.chromestatus.com/feature/4776602869170176 [2] https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/29sFh4tTdcs/K4XroilVBAAJ [3] https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/7nHTRUP1EGY [4] whatwg/html#3935 [5] whatwg/html#3998 [6] mozilla/standards-positions#339 Bug: 651311 Change-Id: Iba45706e985015cf86bd80adef990abd0980a638 Co-authored-by: Frédéric Wang <fwang@igalia.com>
This CL adds "cabal", "dat", "did", "dweb", "ethereum", "hyper", "ipfs", "ipns", "ssb" to the safelist of navigator.registerProtocolHandler. Chrome status entry is [1] and feature has been discussed in [2] [3] [4] [5]. Currently, the WHATWG and WPT changes are pending on the Mozilla position review [6]. [1] https://www.chromestatus.com/feature/4776602869170176 [2] https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/29sFh4tTdcs/K4XroilVBAAJ [3] https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/7nHTRUP1EGY [4] whatwg/html#3935 [5] whatwg/html#3998 [6] mozilla/standards-positions#339 Bug: 651311 Change-Id: Iba45706e985015cf86bd80adef990abd0980a638 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2153064 Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Dominick Ng <dominickn@chromium.org> Commit-Queue: Frédéric Wang <fwang@igalia.com> Cr-Commit-Position: refs/heads/master@{#799626}
…gisterProtocolHandler", a=testonly Automatic update from web-platform-tests Safelist distributed web schemes for "registerProtocolHandler" (#24894) This CL adds "cabal", "dat", "did", "dweb", "ethereum", "hyper", "ipfs", "ipns", "ssb" to the safelist of navigator.registerProtocolHandler. Chrome status entry is [1] and feature has been discussed in [2] [3] [4] [5]. Currently, the WHATWG and WPT changes are pending on the Mozilla position review [6]. [1] https://www.chromestatus.com/feature/4776602869170176 [2] https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/29sFh4tTdcs/K4XroilVBAAJ [3] https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/7nHTRUP1EGY [4] whatwg/html#3935 [5] whatwg/html#3998 [6] mozilla/standards-positions#339 Bug: 651311 Change-Id: Iba45706e985015cf86bd80adef990abd0980a638 Co-authored-by: Frédéric Wang <fwang@igalia.com> -- wpt-commits: 19254cae3f8eddf60924082cc0ad9fd89dd3242e wpt-pr: 24894
…gisterProtocolHandler", a=testonly Automatic update from web-platform-tests Safelist distributed web schemes for "registerProtocolHandler" (#24894) This CL adds "cabal", "dat", "did", "dweb", "ethereum", "hyper", "ipfs", "ipns", "ssb" to the safelist of navigator.registerProtocolHandler. Chrome status entry is [1] and feature has been discussed in [2] [3] [4] [5]. Currently, the WHATWG and WPT changes are pending on the Mozilla position review [6]. [1] https://www.chromestatus.com/feature/4776602869170176 [2] https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/29sFh4tTdcs/K4XroilVBAAJ [3] https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/7nHTRUP1EGY [4] whatwg/html#3935 [5] whatwg/html#3998 [6] mozilla/standards-positions#339 Bug: 651311 Change-Id: Iba45706e985015cf86bd80adef990abd0980a638 Co-authored-by: Frédéric Wang <fwang@igalia.com> -- wpt-commits: 19254cae3f8eddf60924082cc0ad9fd89dd3242e wpt-pr: 24894
This CL adds "cabal", "dat", "did", "dweb", "ethereum", "hyper", "ipfs", "ipns", "ssb" to the safelist of navigator.registerProtocolHandler. Chrome status entry is [1] and feature has been discussed in [2] [3] [4] [5]. Currently, the WHATWG and WPT changes are pending on the Mozilla position review [6]. [1] https://www.chromestatus.com/feature/4776602869170176 [2] https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/29sFh4tTdcs/K4XroilVBAAJ [3] https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/7nHTRUP1EGY [4] whatwg/html#3935 [5] whatwg/html#3998 [6] mozilla/standards-positions#339 Bug: 651311 Change-Id: Iba45706e985015cf86bd80adef990abd0980a638 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2153064 Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Dominick Ng <dominickn@chromium.org> Commit-Queue: Frédéric Wang <fwang@igalia.com> Cr-Commit-Position: refs/heads/master@{#799626} GitOrigin-RevId: 4e8ed0cecce04c5c55dd84a09e4df0d0f11c660f
|
What's the current state of this? What would it take to move this forward, if someone wants to help with that? |
Mostly passing along some of the comments from this Blink Intent-to-implement.
The use of a safelist presents a challenge to someone introducing a new protocol who wishes to integrates it into the web platform via
registerProtocolHandler. They'd need to file a request and, assuming browser vendors react immediately, face around a 3 month lead time until stable browsers start supporting the new scheme. A blocklist removes this delay and also makes new schemes backwards compatible with existing browsers that use a blocklist.On the other hand, the use of a safelist allows vetting of a known set of schemes rather than evaluate the domain of potential names and block harmful ones like existing well known schemes or attempts at typojacking.
Let's revisit this and see which one works better for the web platform.
cc @annevk, @domenic, @mgiuca
The text was updated successfully, but these errors were encountered: