Safelist `matrix` scheme
Categories
(Core :: DOM: Core & HTML, enhancement, P3)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox90 | --- | fixed |
People
(Reporter: oss+mozilla, Assigned: oss+mozilla)
References
(Blocks 1 open bug, )
Details
(Keywords: dev-doc-complete, good-first-bug)
Attachments
(1 file)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0
Steps to reproduce:
Trying to register a handle for the matrix protocol.
Actual results:
A "SecurityError" DOMException is thrown as the scheme is not safelisted.
Expected results:
This is expected. I am filling this as the matrix URI scheme is nearing completion, and multiple web clients could implement a protocol handler for it.
Whatwg upstream issue: https://github.com/whatwg/html/pull/6320
This should be fairly uncontroversial, especially given that:
- Mozilla leverages matrix for instant communication
- Multiple web client already exist: Element-web, Fluffychat, Hydrogen, to only cite those
- Who wouldn't that in before FOSDEM? ;-)
For discussing the actual scheme which enters final comment period, you can head to https://github.com/matrix-org/matrix-doc/pull/2312 but this is fairly orthogonal.
I would like to see this and the whatwg PR work in parallel.
Both webpages and webextensions should be able to register a protocol handler for matrix: URIs.
Chromium implementation bug filled as well.
|
||
Comment 2•3 years ago
|
||
Bugbug thinks this bug should belong to this component, but please revert this change in case of error.
I updated the categories based on https://bugzilla.mozilla.org/show_bug.cgi?id=1629149
I thought I couldn't do it myself as the initial form was really barebones.
|
||
Updated•3 years ago
|
May I get confirmation that maintainers are interested, or that this would be implemented after the scheme is accepted by the whatwg ? A statement similar to the comment on chromium's bugtracker would be fine:
I'll implement it after https://github.com/whatwg/html/pull/6320 is merged
Of course, I don't see a downside to implementing it right away either, but the above could help preventing a deadlock: according to the whatwg PR,
At least two implementers are interested
is a condition for merging.
|
||
Comment 6•3 years ago
|
||
I think it's fine to add this one as it's quite similar to IRC so there's not really new security considerations (as with the dweb schemes). (At some point we need better principles for this list and arguably better UI, but I don't think that needs to block this scheme.)
|
|
||
Comment 7•3 years ago
|
||
The change landed in the HTML Standard.
Thank you. I might attach a patch if I have time to dive into the source for this.
Prior to defining this scheme, the website matrix.to was used to direct users to various clients of their choice. I think it makes sense to keep that service around, and make it aware of the matrix scheme. Would you be open to making matrix.to a default handler for these URIs, as the service is kind of a neutral entity? If so, I can prepare a patch in a separate issue.
The goal is simply to offer a better user experience the first time a user encounters such a link.
|
|
||
Comment 9•3 years ago
|
||
That's a product question that's best separated into a new bug.
|
||
Comment 10•3 years ago
|
||
I think that'd be fair, but yeah, that's probably a separate patch after this lands. I think there are three lists that need to be updated:
toolkit/modules/E10SUtils.jsmdom/base/Navigator.cpptoolkit/components/extensions/schemas/extension_protocol_handlers.json(this one contains a few extra entries which I guess we allow extensions to hook, but not websites).
|
Assignee | |
Comment 11•3 years ago
|
||
|
||
Updated•3 years ago
|
|
|
Assignee | |
Comment 12•3 years ago
|
||
Thanks a lot for your pointers! I took the liberty to add you to the reviewers instead of first asking here who should review, as this should be quite trivial.
I hope everything looks fine. Besides this, should I open a bug about the default handler, or should I submit to phabricator without a corresponding bug? matrix.to itself isn't yet ready to accept the new scheme, so perhaps that's what should be worked on first?
|
||
Comment 13•2 years ago
|
||
This is going to need doc updates on mdn:
https://developer.mozilla.org/en-US/docs/Web/API/Navigator/registerProtocolHandler
https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/protocol_handlers
|
||
Comment 14•2 years ago
|
||
(In reply to Shane Caraveo (:mixedpuppy) from comment #13)
This is going to need doc updates on mdn:
https://developer.mozilla.org/en-US/docs/Web/API/Navigator/registerProtocolHandler
https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/protocol_handlers
Not just the inline documentation, but also:
browser-compat-data:
protocol_handlersat: https://github.com/mdn/browser-compat-data/blob/3213fb87b6c10a1cc1545b1e359cae6ac2373b89/webextensions/manifest/protocol_handlers.jsonnavigator.registerProtocolHandlerat: https://github.com/mdn/browser-compat-data/blob/60214baa97657c798dd7eac44b7bc73af4968033/api/Navigator.json#L1961-L2066
... and the release notes for 90 (the web platform section and the add-ons section) at https://github.com/mdn/content/blob/854922721905123561f6dd8139f8a29f5fc5d95c/files/en-us/mozilla/firefox/releases/90/index.html
|
||
Comment 15•2 years ago
|
||
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d74679a8ad9d Safelist matrix scheme. r=emilio
|
||
Comment 16•2 years ago
|
||
| bugherder | ||
|
|
Assignee | |
Comment 17•2 years ago
|
||
I'll try to update the documentation in a few days. Thanks a lot for pointing out the places that need to be updated.
|
|
Assignee | |
Comment 19•2 years ago
|
||
(In reply to Frédéric Wang (:fredw) from comment #18)
Has an intent-to-ship been sent to dev-platform?
This is my first code contribution, I am not sure what you mean by that (and haven't seen it mentioned in the various guides, including the contributors' quick reference), so I wouldn't have sent one.
I'm still intent on updating the documentation relatively soon.
Thank you for mentioning Bug 1601816. Due to this, I suspect implementers won't rely on Firefox for parsing, and will instead rely on their own parsers.
|
|
||
Comment 20•2 years ago
|
||
Emilio did it: https://groups.google.com/a/mozilla.org/g/dev-platform/c/MRx97D3LWfI/m/gf1AlVx-AgAJ. \o/
Process is currently documented at https://wiki.mozilla.org/ExposureGuidelines and it should probably move into Source Docs to make it easier to find.
|
||
Comment 21•2 years ago
|
||
In regards to docs - I've opened a PR which modifies the pages mentioned above:
https://github.com/mdn/content/pull/6622
It would be great to get some eyes on this as this isn't an area I'm too familiar with - thanks :)
Currently updating browser compat too.
Description
•