
Re: Gen-ART Telechat review of draft-ietf-appsawg-about-uri-scheme-05

2012-06-05 11:29:53
Hi Richard,

Thanks for the review.  This is an individual comment.

At 05:33 04-06-2012, Richard L. Barnes wrote:
I wonder how useful this document is, given that the use of "about:" URIs is currently very inconsistent across browsers. (See, for example, <http://en.wikipedia.org/wiki/About_URI_scheme>) Some browsers also use alternative URI schemes for essentially the same function ("opera:", "chrome:"). Has there been input from the browser vendor community on this document?

One of the editors of draft-ietf-appsawg-about-uri-scheme-04, who is affiliated with Opera Software ASA, provided input about the draft.

The Wikipedia article mentions that it needs additional citations for verification. Although the "about" URI scheme is well-known, it has never been registered. The document describes the URI scheme and registers it in the "URI Schemes". The document does not seek to impose any requirement. It leaves it to browser vendors to decide what to do.

4.
The document correctly notes that "about:" URIs sometimes point to sensitive data, and that browsers need to protect them. However, the document fails to specify what the threats are and how to mitigate them. It seems to me that the major risk is cross-site scripting, in the sense that a remote web page might include an "about:" URI (e.g., via an XMLHttpRequest) in order to access sensitive data. At a high level, then, the mitigation would be to ensure that such URIs are accessible only as a result of direct user action (e.g., typing in a URI) or trusted browser code (e.g., extensions).

Section 4 of draft-ietf-appsawg-about-uri-scheme-06 mentions that "about" URIs may be used to reference, for example, user passwords stored in a cache. The document does not register such a token, though. It leaves it to a person with expertise to write the specification for that token and to consider its security implications. Adding text discussing cross-site scripting might be misconstrued as a recommendation.

Regards,
S. Moonesamy