Restrict use of registerProtocolHandler to secure contexts #4017
Comments
This would be great, PR/tests appreciated. |
Cool. I'll follow up with PRs. cc @mikewest |
Already updated on the documentation: https://developer.mozilla.org/en-US/docs/Web/API/Navigator/registerProtocolHandler |
Ping @asankah on a spec/tests update here. |
FWIW, I have a proposal for the Chromium change out for review: https://chromium-review.googlesource.com/c/chromium/src/+/1892213. Beyond adding the secure context restriction, it requires a top-level browsing context. |
Yay! @ericlaw1979 Are you also doing a spec update? |
I'd propose that we allow |
This is very much in line with the patch @ericlaw1979 put up for review. I think he was planning on sending out a PR against HTML? |
Yeah, sorry, I had to learn a bunch of stuff, having never contributed to HTML before. My thinking was that I'd start with the easy one, requiring "SecureContext" to call the API (#5080). After I learned how to do things with that, I'd then propose a second patch that reflects our agreement about the subframes question. My current Chrome PR requires that the call be from the top-level context (https://chromium-review.googlesource.com/c/chromium/src/+/1892213). I can adjust that to allow same-origin frames, but I'll need to |
@ericlaw1979 it'll be a same-origin comparison with the concept that's being added in #4966 (top-level origin). And if A is nested in B is nested in top-level A both As will be same origin with that concept. (This is a little different from the equivalent situation in redirect chains (well, sometimes), but as both As have direct script access to each other being strict doesn't really help.) |
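The following is an added example, not code from the whatwg/html issue, the Chromium change, or any browser. It models the two rules the thread converges on for navigator.registerProtocolHandler(): the caller must be a secure context, and it must be the top-level document or same-origin with the top-level origin (so A nested in B nested in top-level A is still allowed, while a cross-origin frame is not). The function names registrationAllowed, originOf and safeRegisterProtocolHandler and the sample origins are assumptions made for the example.

```javascript
// Added example (not from the issue or any browser patch). Models the proposed
// conditions for calling navigator.registerProtocolHandler():
//   1. the calling document is a secure context (window.isSecureContext);
//   2. the calling document is same-origin with the top-level origin, which
//      covers the top-level document itself and frames nested through other
//      origins that end up back at the top-level origin (A in B in A).
// registrationAllowed, originOf and safeRegisterProtocolHandler are hypothetical names.

function registrationAllowed({ isSecureContext, frameOrigin, topLevelOrigin }) {
  if (!isSecureContext) {
    return { allowed: false, reason: 'caller is not a secure context' };
  }
  // Serialized origins (scheme://host[:port]) compared as strings: the
  // same-origin comparison against the top-level origin described in the thread.
  if (frameOrigin === null || frameOrigin !== topLevelOrigin) {
    return { allowed: false, reason: 'caller is cross-origin with the top-level document' };
  }
  return { allowed: true, reason: 'secure context and same-origin with the top-level document' };
}

// Serialized origin of a document URL; used to build the inputs above.
function originOf(url) {
  return new URL(url).origin;
}

// Browser-side wrapper around the real API. A frame that is cross-origin with
// its top-level document cannot read window.top.location.origin (the access
// throws), and that failure is itself the signal to refuse the registration.
function safeRegisterProtocolHandler(scheme, urlTemplate, title) {
  if (typeof window === 'undefined' || typeof navigator === 'undefined') {
    return { allowed: false, reason: 'no browser environment' };
  }
  if (typeof navigator.registerProtocolHandler !== 'function') {
    return { allowed: false, reason: 'registerProtocolHandler not supported' };
  }
  let topLevelOrigin = null;
  try {
    topLevelOrigin = window.top.location.origin;
  } catch (e) {
    topLevelOrigin = null; // cross-origin ancestor: treated as not same-origin
  }
  const decision = registrationAllowed({
    isSecureContext: window.isSecureContext === true,
    frameOrigin: window.location.origin,
    topLevelOrigin,
  });
  if (decision.allowed) {
    navigator.registerProtocolHandler(scheme, urlTemplate, title);
  }
  return decision;
}

// Constructed scenarios (not real sites) showing each branch of the decision.
const scenarios = [
  { isSecureContext: false, frameOrigin: originOf('https://a.example/'), topLevelOrigin: originOf('https://a.example/') },
  { isSecureContext: true, frameOrigin: originOf('https://a.example/frame'), topLevelOrigin: originOf('https://a.example/') },
  { isSecureContext: true, frameOrigin: originOf('https://b.example/embed'), topLevelOrigin: originOf('https://a.example/') },
];
for (const s of scenarios) {
  console.log(s.frameOrigin, '->', registrationAllowed(s));
}
```

Calling safeRegisterProtocolHandler from a page gives the same decision a browser implementing the proposed rules would make; outside a browser it returns a refusal rather than throwing, so the decision logic can be exercised on its own.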
This is already the case in Firefox since 60. Chrome will likely follow suit.
cc @domenic @annevk @mgiuca