Closed Bug 1688030 Opened 4 years ago Closed 3 years ago

Safelist `matrix` scheme


(Core :: DOM: Core & HTML, enhancement, P3)




90 Branch
Tracking Status
firefox90 --- fixed


(Reporter: oss+mozilla, Assigned: oss+mozilla)


(Blocks 1 open bug, )


(Keywords: dev-doc-complete, good-first-bug)


(1 file)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0

Steps to reproduce:

Trying to register a handle for the matrix protocol.

Actual results:

A "SecurityError" DOMException is thrown as the scheme is not safelisted.

Expected results:

This is expected. I am filling this as the matrix URI scheme is nearing completion, and multiple web clients could implement a protocol handler for it.

Whatwg upstream issue:

This should be fairly uncontroversial, especially given that:

  1. Mozilla leverages matrix for instant communication
  2. Multiple web client already exist: Element-web, Fluffychat, Hydrogen, to only cite those
  3. Who wouldn't that in before FOSDEM? ;-)

For discussing the actual scheme which enters final comment period, you can head to but this is fairly orthogonal.

I would like to see this and the whatwg PR work in parallel.

Both webpages and webextensions should be able to register a protocol handler for matrix: URIs.

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Product: Firefox → WebExtensions
Blocks: 1056860
Component: Untriaged → DOM: Core & HTML
Product: WebExtensions → Core

I updated the categories based on

I thought I couldn't do it myself as the initial form was really barebones.

Severity: -- → N/A
Priority: -- → P3

May I get confirmation that maintainers are interested, or that this would be implemented after the scheme is accepted by the whatwg ? A statement similar to the comment on chromium's bugtracker would be fine:

I'll implement it after is merged

Of course, I don't see a downside to implementing it right away either, but the above could help preventing a deadlock: according to the whatwg PR,

At least two implementers are interested

is a condition for merging.

Anne, do you have opinions on the above?

Flags: needinfo?(annevk)

I think it's fine to add this one as it's quite similar to IRC so there's not really new security considerations (as with the dweb schemes). (At some point we need better principles for this list and arguably better UI, but I don't think that needs to block this scheme.)

Flags: needinfo?(annevk)

The change landed in the HTML Standard.

Ever confirmed: true
Keywords: good-first-bug

Thank you. I might attach a patch if I have time to dive into the source for this.

Prior to defining this scheme, the website was used to direct users to various clients of their choice. I think it makes sense to keep that service around, and make it aware of the matrix scheme. Would you be open to making a default handler for these URIs, as the service is kind of a neutral entity? If so, I can prepare a patch in a separate issue.

The goal is simply to offer a better user experience the first time a user encounters such a link.

That's a product question that's best separated into a new bug.

I think that'd be fair, but yeah, that's probably a separate patch after this lands. I think there are three lists that need to be updated:

  • toolkit/modules/E10SUtils.jsm
  • dom/base/Navigator.cpp
  • toolkit/components/extensions/schemas/extension_protocol_handlers.json (this one contains a few extra entries which I guess we allow extensions to hook, but not websites).
Assignee: nobody → oss+mozilla

Thanks a lot for your pointers! I took the liberty to add you to the reviewers instead of first asking here who should review, as this should be quite trivial.

I hope everything looks fine. Besides this, should I open a bug about the default handler, or should I submit to phabricator without a corresponding bug? itself isn't yet ready to accept the new scheme, so perhaps that's what should be worked on first?

Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 90 Branch

I'll try to update the documentation in a few days. Thanks a lot for pointing out the places that need to be updated.

Has an intent-to-ship been sent to dev-platform?

See Also: → 1601816

(In reply to Frédéric Wang (:fredw) from comment #18)

Has an intent-to-ship been sent to dev-platform?

This is my first code contribution, I am not sure what you mean by that (and haven't seen it mentioned in the various guides, including the contributors' quick reference), so I wouldn't have sent one.

I'm still intent on updating the documentation relatively soon.

Thank you for mentioning Bug 1601816. Due to this, I suspect implementers won't rely on Firefox for parsing, and will instead rely on their own parsers.

Emilio did it: \o/

Process is currently documented at and it should probably move into Source Docs to make it easier to find.

In regards to docs - I've opened a PR which modifies the pages mentioned above:

It would be great to get some eyes on this as this isn't an area I'm too familiar with - thanks :)

Currently updating browser compat too.

You need to log in before you can comment on or make changes to this bug.