I am the assigned Gen-ART reviewer for this draft. For background on
Gen-ART, please see the FAQ at
<http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
Please resolve these comments along with any other Last Call comments
you may receive.
Document: draft-ietf-appsawg-about-uri-scheme-05
Reviewer: Richard Barnes
Review Date: Jun-04-2012
IETF LC End Date: Not known
IESG Telechat date: Jun-07-2012
Summary: Almost ready, couple of questions
MAJOR:
*.
I wonder how useful this document is, given that the use of "about:" URIs is
currently very inconsistent across browsers. (See, for example,
<http://en.wikipedia.org/wiki/About_URI_scheme>) Some browsers also use
alternative URI schemes for essentially the same function ("opera:",
"chrome:"). Has there been input from the browser vendor community on this
document?
4.
The document correctly notes that "about:" URIs sometimes point to sensitive
data, and that browsers need to protect them. However, the document fails to
specify what the threats are and how to mitigate them. It seems to me that the
major risk is cross-site scripting, in the sense that a remote web page might
include an "about:" URI (e.g., via an XMLHttpRequest) in order to access
sensitive data. At a high level, then, the mitigation would be to ensure that
such URIs are accessible only as a result of direct user action (e.g., typing
in a URI) or trusted browser code (e.g., extensions).