
RSS 2.0: Restriction on Whitespace in <link>|<url>

  • Morbus Iff
    Message 1 of 3 , Sep 15, 2002
      From the RSS 2.0 spec (and originally "from the Netscape 0.91 spec"):

      RSS places restrictions on the first non-whitespace characters of the data in
      <link> and <url> elements. The data in these elements must begin with http://
      or ftp://. Among others, https:, file:, mailto:, news:, and javascript: are
      not permitted.

      I'd like to suggest one of two possibilities. One, that only these are allowed:

      http:// https:// ftp:// news:// mailto:

      Or two, that all protocols are allowed. The first suggestion branches out
      into more common protocols: https:// (for e-commerce), news:// (not as
      important, but still used to point to specific groups), ftp:// (obvious),
      and mailto: to point to an email address (thus spawning the user's email
      program), as opposed to the <author>, which is just plain text (and
      contains no application-spawning abilities, since including full names
      confuses the issue).

      The second proposal says "ok, well, we shouldn't make that decision for the
      end-user", but does weaken security: with javascript:// and file://
      allowed, we're potentially giving the producer too much control over the
      user's machine.

      It's not enough to say "ok, you could use *all* protocols except for
      file:// and javascript://", because that inspires a false sense of security
      - if we say "these protocols can be used for malicious purposes", that's
      suggesting other protocols (currently unknown to us) have been "approved"
      for the user's safety.

      Myself, I prefer the first option - allowing the five protocols. The
      downside, however, is that five years from now, when some other protocol is
      popular, the RSS 2.0 spec won't scale for it (without the use of
      namespaces).

      Thoughts?

      --
      Morbus Iff ( sleep breeds sanity )
      Culture: http://www.disobey.com/ and http://www.gamegrene.com/
      Tech: http://www.oreillynet.com/pub/au/779 - articles and weblog
      icq: 2927491 / aim: akaMorbus / yahoo: morbus_iff / jabber.org: morbus
    • Danny Ayers
      Message 2 of 3 , Sep 15, 2002
        Hi Morbus,

        Which RSS 2.0 are you talking about? The one you quote is beyond the reach
        of mere mortals ;-)

        That aside, I do agree that the protocol/scheme thing is an issue that needs
        addressing, at least from a best practices point of view. Personally I'd go
        for a variant on the 'any' option, - follow the advice of "Architectural
        Principles of the World Wide Web" [1], and only allow IANA [2] registered
        schemes. Of the schemes you mention the only one missing from this list is
        'javascript://'. The advantage is that they're all backed by established
        RFCs, so both ends of the string can be sure they've got their tin can
        connected properly.
        This doesn't help very much with the '5 years down the line' point, but few
        specs last that long without modification anyhow.

        Cheers,
        Danny.

        (btw, I personally think the statement "Unregistered URI schemes MUST NOT be
        used on the public Internet." in the arch doc should be changed to
        "...SHOULD NOT...", but as it's only advisory anyway I'm not gonna lose
        sleep ;-).

        [1] http://www.w3.org/TR/webarch/#URI-scheme
        [2] http://www.iana.org/assignments/uri-schemes

        ---
        Danny Ayers
        <stuff> http://www.isacat.net </stuff>

        Idea maps for the Semantic Web
        http://ideagraph.net


        >-----Original Message-----
        >From: Morbus Iff [mailto:morbus@...]
        >Sent: 15 September 2002 23:30
        >To: rss-dev@yahoogroups.com
        >Subject: [RSS-DEV] RSS 2.0: Restriction on Whitespace in <link>|<url>
        >
        >
        >
        >From the RSS 2.0 spec (and originally "from the Netscape 0.91 spec"):
        >
        > RSS places restrictions on the first non-whitespace characters of the data in
        > <link> and <url> elements. The data in these elements must begin with http://
        > or ftp://. Among others, https:, file:, mailto:, news:, and javascript: are
        > not permitted.
        >
        >I'd like to suggest one of two possibilities. One, that only these are allowed:
        >
        > http:// https:// ftp:// news:// mailto:
        >
        >Or two, that all protocols are allowed. The first suggestion branches out
        >into more common protocols: https:// (for e-commerce), news:// (not as
        >important, but still used to point to specific groups), ftp:// (obvious),
        >and mailto: to point to an email address (thus spawning the user's email
        >program), as opposed to the <author>, which is just plain text (and
        >contains no application-spawning abilities, since including full names
        >confuses the issue).
        >
        >The second proposal says "ok, well, we shouldn't make that decision for the
        >end-user", but does weaken security: with javascript:// and file://
        >allowed, we're potentially giving the producer too much control over the
        >user's machine.
        >
        >It's not enough to say "ok, you could use *all* protocols except for
        >file:// and javascript://", because that inspires a false sense of security
        >- if we say "these protocols can be used for malicious purposes", that's
        >suggesting other protocols (currently unknown to us) have been "approved"
        >for the user's safety.
        >
        >Myself, I prefer the first option - allowing the five protocols. The
        >downside, however, is that five years from now, when some other protocol is
        >popular, the RSS 2.0 spec won't scale for it (without the use of
        >namespaces).
        >
        >Thoughts?
        >
        >--
        >Morbus Iff ( sleep breeds sanity )
        >Culture: http://www.disobey.com/ and http://www.gamegrene.com/
        >Tech: http://www.oreillynet.com/pub/au/779 - articles and weblog
        >icq: 2927491 / aim: akaMorbus / yahoo: morbus_iff / jabber.org: morbus
      • Morbus Iff
        Message 3 of 3 , Sep 16, 2002
          >That aside, I do agree that the protocol/scheme thing is an issue that needs
          >addressing, at least from a best practices point of view. Personally I'd go
          >for a variant on the 'any' option, - follow the advice of "Architectural
          >Principles of the World Wide Web" [1], and only allow IANA [2] registered
          >schemes. Of the schemes you mention the only one missing from this list is
          >'javascript://'. The advantage is that they're all backed by established
          >[2] http://www.iana.org/assignments/uri-schemes

          I'll agree with the above too - if I knew where to search for that
          document, I would have used that instead. I'd want to see the RSS 2.0 docs
          appended like:

          RSS places restrictions on the first non-whitespace characters of the
          data in <link> and <url> elements. The data in these elements must be
          an [IANA registered scheme], such as http://, https://, ftp://, mailto:,
          news://, etc. (for a full list, check the [IANA website]).

          The [] links would be the URL above.

          --
          Morbus Iff ( i assault your sensibilities! )
          Culture: http://www.disobey.com/ and http://www.gamegrene.com/
          Tech: http://www.oreillynet.com/pub/au/779 - articles and weblog
          icq: 2927491 / aim: akaMorbus / yahoo: morbus_iff / jabber.org: morbus
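
Added example, not part of the thread or of any RSS tool: a Python check that runs the five-scheme allowlist from the first message and the "all except file: and javascript:" denylist side by side over the `<link>` and `<url>` values of a feed, showing how an unlisted scheme passes the denylist. The sample feed, the `data:` entry and the names `scheme_of` and `audit` are constructed for illustration; Danny's variant would swap `ALLOWED` for the IANA-registered list.

```python
import re
import xml.etree.ElementTree as ET

ALLOWED = {"http", "https", "ftp", "news", "mailto"}  # option one in the thread
DENIED = {"file", "javascript"}  # the "all except these" variant

# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
SCHEME_RE = re.compile(r"([A-Za-z][A-Za-z0-9+.-]*):")

# Constructed sample feed (not from the thread).
SAMPLE_FEED = """<rss version="2.0"><channel>
  <link>
    http://example.com/</link>
  <image><url>HTTPS://example.com/logo.png</url></image>
  <item><link>mailto:editor@example.com</link></item>
  <item><link> JavaScript:void(0)</link></item>
  <item><link>file:///tmp/example.txt</link></item>
  <item><link>data:text/plain,hello</link></item>
  <item><link>/relative/path</link></item>
</channel></rss>"""


def scheme_of(value):
    """Lowercased scheme at the first non-whitespace characters, or None."""
    match = SCHEME_RE.match(value.lstrip())
    return match.group(1).lower() if match else None


def audit(feed_xml):
    """Return (value, scheme, allowlist_ok, denylist_ok) for each <link>/<url>."""
    rows = []
    for el in ET.fromstring(feed_xml).iter():
        if el.tag not in ("link", "url"):
            continue
        value = (el.text or "").strip()
        scheme = scheme_of(value)
        rows.append((value, scheme, scheme in ALLOWED,
                     scheme is not None and scheme not in DENIED))
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE_FEED):
        print(row)
```

Schemes are compared case-insensitively and after leading whitespace is skipped, so `JavaScript:` with a leading space is rejected by both lists, while `data:` is rejected only by the allowlist.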