Consider a blocklist for schemes instead of a safelist

[asankah]

Mostly passing along some of the comments from this Blink Intent-to-implement.

The use of a safelist presents a challenge to someone introducing a new protocol who wishes to integrates it into the web platform via registerProtocolHandler. They'd need to file a request and, assuming browser vendors react immediately, face around a 3 month lead time until stable browsers start supporting the new scheme. A blocklist removes this delay and also makes new schemes backwards compatible with existing browsers that use a blocklist.

On the other hand, the use of a safelist allows vetting of a known set of schemes rather than evaluate the domain of potential names and block harmful ones like existing well known schemes or attempts at typojacking.

Let's revisit this and see which one works better for the web platform.

cc @annevk, @domenic, @mgiuca

[mgiuca]

I just saw this comment on #1829:

Firefox, as far as I can tell, doesn't use a safelist for registerProtocolHandler; it uses a blacklist instead. So Firefox already supports all these schemes.

Is that true? That should make it much easier to switch over to a blacklist.

I'm quite in favour of doing this. I'd like to know what the security concerns are with opening up all possible schemes, other than a small set of "special" schemes.

I would imagine the blacklist would include just schemes that are treated specially by the browser (which we wouldn't want web applications to "steal" links to). This would roughly correspond to the special schemes defined in [URL], but not gopher which I don't believe any modern browser deals with. So:

• ftp
• file
• http
• https
• ws (?)
• wss (?)

Plus a few other important schemes like "javascript", "data", "blob", "filesystem", "about".

User agents should be allowed to add new schemes to the blacklist, for example, Chrome would block "chrome" (otherwise it would wreak havoc if a site took over all the "chrome:" URLs, which are Chrome's alias for "about").

But for any scheme that isn't special to web browsers, I don't see a security reason not to let sites (with the user's concent) handle those links.

[joshtriplett]

In addition to special schemes, we should also blocklist any scheme containing a ., to prevent schemes that look like a domain; see https://lists.w3.org/Archives/Public/public-whatwg-archive/2011Aug/0238.html for examples of using schemes named mail.google.com or 192.168.1.1

I'd also suggest blocklisting "localhost" and "localdomain", and any scheme consisting entirely of numbers.

[annevk]

A blocklist with additional user-agent-specific entries seems rather bad. It also seems bad that it would seemingly prevent adding a new scheme like https in the future.

[domenic]

As far as I can tell Firefox uses a safelist. (I cannot find a C++ implementation of that function, and indeed I find some hints that they call the JS implementation from the code backing their IDL.)

@annevk has enumerated a few issues with a blocklist, although none are insurmountable. To summarize my thoughts:

Future expansion

It's possible that browsers may want to add native support for more schemes in the future. It seems unlikely we'll take on the pain of another http -> https transition any time soon, but browsers may want to support other protocols natively for other features (e.g. the various distributed schemes from #3080, if the distributed web folks succeed in making their project mainstream).

Indeed, some browsers (e.g. Beaker) do support distributed web schemes natively. I'm not sure what document.URL or location.href return in such cases---do they return some underlying HTTPS resource, as would be the case with registerProtocolHandler, or do they return the original URL? If the latter, then we already have an instance of such "future expansion" conflicts.

But maybe such conflicts are OK! In such instances, a browser will change the meaning of an existing scheme in the wild. That's true whether we allow it in registerProtocolHandler or not, due to mechanisms like how native apps can intercept URL schemes on many OSes (last I checked), or how URL schemes might have meaning outside the browser context. For example even though svn: is not available to registerProtocolHandler, browsers probably wouldn't be excited about adding it in some way that conflicts with the existing definition.

Basically I'm saying that adding a new scheme already requires a careful survey of the ecosystem, and registerProtocolHandler doesn't change that too much.

User-agent-specific entries

This is not great, but it seems like an area where we may want to accept non-interop for the sake of flexibility. Again browsers would be effectively compat-constrained in how they extend the blocklist.

Alternately we could try taking a union of all existing schemes in internal use.

It's worth pointing out that although registerProtocolHandler affects navigation via <a> links, usually navigation via <a> links cannot reach user-agent-internal schemes anyway. So it'd at least be possible, albeit confusing (and possibly unsafe), to allow registerProtocolHandler("chrome", ...), which would only change the meaning of <a href="chrome:flags"> from a no-op to a registered protocol handler.

[domenic]

Some of the blocklist vs. safelist discussion happened in #1829 (comment). Let's try to use this thread going forward.

I'm reasonably convinced by @mgiuca's points there, plus my above musings. @annevk, how do you feel? @jonathanKingston, you were working on this area in Firefox recently---thoughts?

[asankah]

Yup. I'm also in favor of a blocklist.

I think neither an allowlist nor a blocklist absolves from the need to deal with revoking a scheme that was previously available for registration. In the case of experimental protocols, it's likely part of an explicit goal as stated elsewhere. Also provisional scheme registrations can help with discoverability of schemes that are reserved by various UAs or be in conflict with someone else's use case.

cc @mikewest @noncombatant FYI

[mgiuca]

Thanks @domenic for a detailed analysis.

It's worth pointing out that although registerProtocolHandler affects navigation via <a> links, usually navigation via <a> links cannot reach user-agent-internal schemes anyway. So it'd at least be possible, albeit confusing (and possibly unsafe), to allow registerProtocolHandler("chrome", ...), which would only change the meaning of <a href="chrome:flags"> from a no-op to a registered protocol handler.

This is true, but it would be pretty confusing if typing "chrome:version" into the address bar opened Chrome's internal version page, while clicking a "chrome:version" link opened a web page that had registered for the Chrome scheme. It's probably best to allow browsers to block this type of link, as Chrome currently does.

It's possible that browsers may want to add native support for more schemes in the future.

Yeah. We should assume that any scheme popular enough to warrant a website that handles all of its links could end up being something that browsers want to handle natively. This will be true regardless of whether we have a whitelist or blacklist. (Presumably the popular new protocol that the future browsers want to implement will be one of the ones whitelisted.)

So either way, we should plan for a scenario where some future scheme X is (whitelisted|not blacklisted) and a browser wants to support it natively.

But maybe such conflicts are OK!

I think so.

If a browser wants to natively handle a future scheme X that is (whitelisted|not blacklisted), it has three choices:

1. Do not allow sites to register to handle scheme X, despite the spec saying it's allowed. Always handle it natively.
2. Allow scheme X to be handled by a site, but if there is no handler, handle it natively.
3. Present its own native handling of the scheme as an alternative in the UI for choosing which app handles scheme X (so the user can choose "Site A", "Site B" or "The Browser" as a handler).

For "chrome" URLs, I think Chrome would choose Option 1. Same if a new protocol became so ubiquitous (like "https") that it's always considered the domain of the browser. But for most protocols, browsers would generally go with Option 3.

There isn't even any need to spec this. Because it relates to the browser UI (not in-page UI), it's automatically a user agent choice. Right now, I could make a browser that doesn't allow a site to register "mailto" because I have my own email client built into the browser. The spec says:

"User agents may, within the constraints described in this section, do whatever they like when the method is called. A UA could, for instance, prompt the user and offer the user the opportunity to add the site to a shortlist of handlers, or make the handlers their default, or cancel the request. UAs could provide such a UI through modal UI or through a non-modal transient notification interface. UAs could also simply silently collect the information, providing it only when relevant to the user."

So browsers are not required to do anything when a site registers a protocol handler.

Furthermore, browsers already have UI to deal with conflicts between website-registered protocol handlers, and so-called "external" protocol handlers registered at the OS level. The issue of a conflict between a future website-registered handler and an in-browser handler is no more complex than what we already deal with.

In light of this, I don't see any future-proofing issues from switching to a blocklist.

In such instances, a browser will change the meaning of an existing scheme in the wild. That's true whether we allow it in registerProtocolHandler or not, due to mechanisms like how native apps can intercept URL schemes on many OSes (last I checked), or how URL schemes might have meaning outside the browser context.

That's a slightly different argument, because you're talking about how a browser might override an OS-registered handler with its own internal implementation. Which is true, but it's nothing to do with web standards since neither side of that is being registered by this API.

I think it's more relevant to consider the clash between website-registered and OS-registered handlers as a precedent.

[mikewest]

I don't have strong opinions about registering protocol handlers and I'm happy to defer to y'all on the underlying question of allow vs. block, except insofar as registration must be under user control, and they must exclude the kinds of schemes that the browser does interesting things with (because I'm sure we make all kinds of assumptions in various bits and pieces of our codebase that assumes we control these kinds of URLs completely).

Skimming through Chrome's codebase, that list might include things like:

• chrome and chrome-prefixed schemes (e.g. chrome-devtools, chrome-error, chrome-extension, chrome-extension-resource, chrome-guest, chrome-resource, chrome-native, chrome-search, and probably others I'm missing)
• cros
• Android things like android-app, content and cid
• view-source

I doubt that's an exhaustive list.

• ftp

I'd be much less upset about allowing sites to take over ftp, actually, as I'd dearly love to remove support for it. :)

[mgiuca]

they must exclude the kinds of schemes that the browser does interesting things with

I don't think this needs to be in the spec. As I said above, user agents can ignore any registration they want, so I think it's up to each user agent to block the things they care about (though this can be mentioned as a security consideration in the spec).

+1 to allowing sites to act as FTP clients and removing FTP support (eventually). (We'll need some kind of sockets API first!)

[annevk]

As I said above, user agents can ignore any registration they want, so I think it's up to each user agent to block the things they care about

I don't think this is really true. This is true if you have the market share of Chrome, but it's much less true if you have the market share of say, Servo. Servo could end up having to reuse Chrome's blocklisted schemes for its purposes and be forced to reverse engineer those.

I'd much rather enumerate those schemes so it's clearer what ends up being reliable across user agents.

[foolip]

What's the current of this issue? Skimming the discussion, it sounds like most of you are in favor of a blocklist instead of a safelist. Is it just a matter of now determining what that blocklist should contain?

[domenic]

It would be good to have someone from Mozilla chime in on whether a blocklist is acceptable to them, as the other implementer of registerProtocolHandler.

[asutherland]

I haven't seen mention of the IANA registry at https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml explicitly referenced by the URL spec at https://url.spec.whatwg.org/#url-scheme-string. Is there a reason not to stick to a safelist and defer to that registry? (And the "web+WHATEVER" escape-hatch seems like it would allow for experimentation prior to gaining a registration.)

One wrinkle from a Mozilla perspective right now is that the very experimental https://github.com/mozilla/libdweb project is providing a means for WebExtensions to register and show the custom scheme in the address bar (without involving a redirect). While I think there are various discussions that need to happen with the Security UX people before anything like that would ship, such an approach means spoofing concerns do become an issue and a safelist becomes favorable. Especially when the safelist comes with metadata that allows us to more easily provide human readable explanations of what permission the WebExtension is asking for.

[noncombatant]

If we intend for the list to be an actual security mechanism, then only a safelist can act as such. Anything less, such as a blocklist or lexical sniff-test (e.g. the idea above that we should disallow . in scheme names), can only be a hygiene or basic sanity test.

Maybe that's OK; maybe we are putting all our security eggs in the "the user selects whether or not to register the protocol at runtime" basket.

I see at least 3 classes of potential security concern:

• User confusion: Spoofy or phishy scheme names.
• User confusion: Inadvertent grants of power to a site. Giving example.com the power to handle ftp: URLs might be surprisingly powerful, in ways that are not immediately obvious (to any of us).
• Protocol safety: We are in the happy place where HTTPS/TLS is rarely the weakest link in the overall security story. What if yolo: becomes super popular, and people often select https://yolo.example.com/%s to handle yolo: URLs, and other sites start loading resources with yolo:, and then there's a protocol security vulnerability in the yolo: protocol, or yolo.example.com gets compromised, or whatever.

From a pure security perspective, the combination of a safelist + the user choice UX provides defense in depth and would be the strongest choice among the current options.

I do think we owe web developers, and new protocol developers, clarity. Any safelist, blocklist, or lexical sniff-test should be standardized, rather than being UA-defined.