Update safelisted decentralized schemes for registerProtocolHandler() #5482
Conversation
fred-wang
changed the title
…b protocols This is currently being discussed here: whatwg/html#5482 whatwg/html#3935
|
I wonder if we need a bit more for the schemes not listed in https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml. To create better UI than listing the scheme, implementations would need to know their purpose. I suppose ideally we at least provisionally register them similar to all the [Dave_Thaler] entries there. |
|
Thanks @annevk I guess that makes sense. "Guidelines and Registration Procedures for URI Schemes" are here: https://tools.ietf.org/html/rfc7595 The part about "Provisional URI Scheme Registration" is: https://tools.ietf.org/html/rfc7595#section-4 The syntactic and not-already-used requirements are met for dweb, dat, ipfs, ipns and ssb ; it should be possible to find a spec for all of them. Regarding security considerations and other general guidelines, I guess the authors are probably in better position to address these. I'll see what I can do here. |
|
This seems good to me as-is, and thank you to @fred-wang for pushing forward and getting implementer interest where several others have failed. This will make web developers happy. I personally don't think we need to block the spec/tests PRs on IANA formalities. We could have a separate bug about, e.g., linking all the |
|
Well the existing ones are registered I believe so there is some place to find more information about them. If we kept our own registry that would be okay as well, but having strings without any additional information seems bad as only git blame would give you something. It's not so much about the formalities to me as it is about where to find more information. |
|
My point is that currently there's no way to find more information from the spec; the spec doesn't link to any registrations or other specifications or anything. It's just a list of strings, and there's no requirement that the list be full of only-registered schemes. Indeed, it seems valid to add something like "asdf1234" to the allowlist if someone wants that; it doesn't hurt anything. But, I don't care much. |
|
Thanks @domenic and @annevk ; I think we can add reference to all of them, the minimum would probably be to have a technical spec for the protocol with a link describing the URI scheme? I tried to report the IANA thing to the protocol authors mentioning this, let's see how they react, I guess that would give us an indication of which schemes is important enough... |
|
It should be fairly straightforward to get a provisional registration by emailing. If that doesn't work out, let's collect those emails here and I'll file a follow-up somewhere on what to do about the registry. Apart from helping implementers having a place to find suitable information on URL schemes we're also implicitly requiring this from web developers through https://url.spec.whatwg.org/#url-writing:
And yeah, a further alternative could be to maintain a second registry of sorts in the HTML Standard, but that might get messy long term. |
|
Just a quick update on this, I've tried to coordinate with the dweb communities on this. It seems they want more two more protocol schemes (cabal and hyper). I drafter some requests for IANA and hope to send them soon: https://github.com/fred-wang/iana-uri-schemes-provisional-registration-requests |
|
One other concern here is the "Hijacking all Web usage" security issue though I guess in a way that would be considered a success for these schemes and result in their removal as user agents add native support. |
|
@annevk Right, this is mentioned in the blink-dev intent to implement thread: https://groups.google.com/a/chromium.org/d/msg/blink-dev/7nHTRUP1EGY/LYCOtg3IAwAJ (and copied from the original request by @asankah "Conflicts with native support. Popular browsers in the future may, and specialized browsers currently do, implement native support for some of the distributed web protocols. Where native support for a protocol exists, the corresponding scheme will need to be removed from the safelist for each respective browser, and eventually from the spec. We believe that native support for a protocol would not reduce functionality for users and hence such a change would not be disruptive." I think the dweb community considers improving non-native solutions (e.g. via web extension or http gateways) as an intermediate step to experiment & demonstrate their protocols as well as increase their user community, before a long term goal of native support. |
fred-wang
force-pushed
the
safelist-decentralized-web
branch
from
62be76e
to
c719c21
Compare
fred-wang
changed the title
|
I updated this PR to include new schemes proposed by the dweb community and do related decentralized scheme updates: add ethereum and remove documentation comment for bitcoin. |
…hemes This adds "ethereum", "dat", "dweb", "ipfs", "ipns", "ssb", "cabal" and "hyper" as discussed in whatwg/html#5482
|
Just checking in; what's the latest status on this PR, and is the OP up to date in that regard? In particular:
Again, thanks for driving this forward; I'm really hopeful you'll succeed where others have failed. I'm excited to merge this as soon as possible, but the information in the OP is a bit confusing for me right now. |
|
@domenic yes sorry for the confusion. I updated the checkboxes
|
This commit updates the list of safelisted schemes [safelisted] related
to decentralization. Several requests for new schemes have been blocked
on [blocklist] but this latter approach is not pursued in the short term.
All schemes are documented at [iana].
1. Cryptocurrencies
- Remove bitcoin documentation link as a source code comment since it's
already referenced on IANA's page for URI schemes.
- Add "ethereum".
2. dweb community [dweb] [did]
- Add "dat", "did", "dweb", "ipfs", "ipns", "ssb", "cabal" and "hyper".
[blacklist] whatwg#3998
[did] whatwg#5561
[dweb] whatwg#3935
[iana] https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml
[safelisted] https://html.spec.whatwg.org/multipage/system-state.html#safelisted-scheme
fred-wang
force-pushed
the
safelist-decentralized-web
branch
from
c719c21
to
c67324f
Compare
…hemes This adds "cabal", "dat", "did", "dweb", "ethereum", "hyper", "ipfs", "ipns" and "ssb" as discussed in whatwg/html#5482 whatwg/html#5561
|
Just an update on this, the current list is cabal
|
|
FYSA Chromium implementation landed and Google shipped it with Chrome 86: https://www.chromestatus.com/feature/4776602869170176 |
|
Hi, I'm trying to retake @fred-wang efforts to move this issue forward. I'm still trying to digest all the information from the discussions; If I've understood it correctly, the main blocker for this PR is the doubts expressed by Mozilla folks in the standard-position thread about this. I'll try to focus on this while I'm landing to this issue.
In the Mozila's standard-positions discussion I see 2 concerns mainly; one about origins and another one, more general, regarding the PR targeting many different schemes which would imply an endorsement to their respective technologies. I agree that reviewing each scheme separately would help to unblock the situation. I''ll be happy to start by creating a new PR for IPFS and IPNS, and then discuss there the other concern related to origins. Opinions ? |
This commit updates the list of safelisted schemes [safelisted] related
to decentralization. Several requests for new schemes have been blocked
on [blocklist] but this latter approach is not pursued in the short term.
All schemes are documented at [iana].
(See WHATWG Working Mode: Changes for more details.)
💥 Error: Wattsi server error 💥
PR Preview failed to build. (Last tried on Jan 15, 2021, 8:01 AM UTC).
More
PR Preview relies on a number of web services to run. There seems to be an issue with the following one:
🚨 Wattsi Server - Wattsi Server is the web service used to build the WHATWG HTML spec.
🔗 Related URL
If you don't have enough information above to solve the error by yourself (or to understand to which web service the error is related to, if any), please file an issue.