Hi,
We are investigating registerProtocolHandler and have been discussing the need for a blacklist of protocols to forbid.

Our list currently includes:
* http:
* https:
* ftp:
* file:

* about:
* data:

Email specific schemes:
* cid:
* mid:

Scripting schemes:
* javascript:
* vbscript:

Ancient Netscape scripting schemes. Some were apparently aliases for javascript:
* mocha:
* livescript:
* livewire:
* tcl:

Also, implementers need to take care with vendor specific schemes:
* chrome: (Mozilla, Chrome)
* view-source: (Mozilla, Chrome)
* res: (IE)
* resource: (Mozilla)
* opera: (Opera)
* attachment: (Opera)
(This list is probably incomplete)

We'd like to know if we've missed any important schemes that must be blocked, and we think it might be useful if the spec listed most of those, except for the vendor specific schemes, which should probably be left up to each vendor to worry about.

--
Lachlan Hunt - Opera Software
http://lachy.id.au/
http://www.opera.com/
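
One way a user agent could apply the list above is sketched here as an added example; it is not part of the original message or any browser's code. The helper name `checkHandlerScheme`, the vendor keys and the reason strings are assumptions made for illustration. It shows why matching has to happen after syntax validation and ASCII case-folding, and keeps the vendor-specific schemes in per-vendor sets as the message suggests.

```javascript
"use strict";

// Schemes named in the message above, lowercase, without the trailing colon.
const SPEC_DENYLIST = new Set([
  "http", "https", "ftp", "file", "about", "data",
  "cid", "mid", "javascript", "vbscript",
  "mocha", "livescript", "livewire", "tcl",
]);

// Vendor-specific schemes, grouped by the vendors the message annotates them with.
// The map keys are labels chosen for this example.
const VENDOR_DENYLIST = new Map([
  ["mozilla", new Set(["chrome", "view-source", "resource"])],
  ["chrome", new Set(["chrome", "view-source"])],
  ["ie", new Set(["res"])],
  ["opera", new Set(["opera", "attachment"])],
]);

// RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
const SCHEME_SYNTAX = /^[A-Za-z][A-Za-z0-9+.-]*$/;

// Hypothetical helper: decide whether a page may register a handler for `input`.
// `vendor` selects which vendor-specific set applies in addition to the shared list.
function checkHandlerScheme(input, vendor) {
  if (typeof input !== "string") return { allowed: false, reason: "not-a-string" };
  // Accept "mailto" or "mailto:"; anything else around the name is rejected below.
  const bare = input.endsWith(":") ? input.slice(0, -1) : input;
  // Reject before lookup, so padded or control-character variants never reach the sets.
  if (!SCHEME_SYNTAX.test(bare)) return { allowed: false, reason: "invalid-syntax" };
  // Schemes are case-insensitive, so compare the lowercase form only.
  const scheme = bare.toLowerCase();
  if (SPEC_DENYLIST.has(scheme)) return { allowed: false, reason: "spec-denylist", scheme };
  const vendorSet = VENDOR_DENYLIST.get(vendor);
  if (vendorSet && vendorSet.has(scheme)) {
    return { allowed: false, reason: "vendor-denylist", scheme };
  }
  return { allowed: true, reason: "ok", scheme };
}

// Constructed sample inputs, evaluated as a Mozilla-style user agent would.
for (const s of ["mailto", "JavaScript:", "View-Source", " data", "opera"]) {
  console.log(JSON.stringify(s), checkHandlerScheme(s, "mozilla"));
}
```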
