idnits 2.17.1

draft-holsten-about-uri-scheme-06.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (November 29, 2010) is 4869 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Possible downref: Non-RFC (?) normative reference: ref. 'UCS'

  -- Obsolete informational reference (is this intentional?): RFC 4395
     (Obsoleted by RFC 7595)

     Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 3 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Network Working Group                                         J. Holsten
Internet-Draft
Intended status: Standards Track                                 L. Hunt
Expires: June 2, 2011                               Opera Software, ASA.
                                                       November 29, 2010

                         The 'about' URI scheme
                   draft-holsten-about-uri-scheme-06

Abstract

   A URI using the "about:" scheme, henceforth referred to as an "about"
   URI, is designed to be used internally by applications for almost any
   desired purpose.
   Such URIs have commonly been used by web browsers
   for providing access to built-in functionality, such as application
   information, preferences, settings, or "easter eggs".

Editorial Note (To be removed by RFC Editor)

   Discussion of this draft should take place on the URI Review mailing
   list (uri-review@ietf.org).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on June 2, 2011.

Copyright Notice

   Copyright (c) 2010 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

1.  Introduction

   An "about" URI is designed to be used internally by applications for
   almost any desired purpose.
   Such URIs have commonly been used by web
   browsers for providing access to built-in functionality, such as
   application information, preferences, settings, or "easter eggs".

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  URI Syntax

   The general syntax of an "about" URI is defined below using ABNF
   [RFC5234]:

      abouturi = "about:" segment [ "?" query ]

   where "segment" and "query" are defined in [RFC3986].

4.  Encoding Considerations

   Because many characters are not permitted with this syntax, the
   "segment" and "query" elements MAY contain characters from the
   Unicode Character Set [UCS] as suggested by URI [RFC3986], by first
   encoding those characters as octets to the UTF-8 character encoding
   [RFC3629]; then only those octets that do not correspond to
   characters in the unreserved set [RFC3986] SHOULD be percent-encoded.

   By using UTF-8 encoding, there are no known compatibility issues with
   mapping Internationalized Resource Identifiers to "about" URIs
   according to [RFC3987].  Since "about" URIs do not use domain names,
   "ireg-name" conversion is unnecessary.

5.  Resolving "about" URIs

   A reserved "about" URI is one that is defined by a specification for
   a specific purpose, which MAY also be defined to be resolvable.

   An unreserved "about" URI is any other "about" URI that is not
   defined by a specification for a specific purpose, but which MAY be
   recognized by an application.

   An unrecognized "about" URI is an "about" URI that is not recognized
   by an application.

5.1.  Reserved "about" URIs

   Other specifications MAY reserve "about" URIs.  Applications
   attempting to resolve reserved "about" URIs that are not defined to
   be resolvable MAY treat such URIs as being unreserved.

5.1.1.  about:blank

   The "about" URI with the segment equal to "blank" and no query
   component is reserved by this specification, i.e. "about:blank".
   Applications resolving the URI "about:blank" MUST return a resource
   of zero length, containing no data, with the media type "text/html"
   and the character encoding "UTF-8".

   Note: If a query component is provided with "about:blank", such as
   "about:blank?" or "about:blank?foo", then the URI is not considered
   to be reserved by this specification.

5.2.  Unreserved "about" URIs

   Applications MAY resolve any unreserved "about" URI to any resource,
   either internal or external, or redirect to an alternative URI.

   Note: As "about" URIs are designed to be internal to each
   application, there is no expectation of any unreserved URI returning
   the same resource among different applications.  However, it is worth
   noting that some conventions have arisen for providing particular
   functionality via common "about" URIs.

5.3.  Unrecognized "about" URIs

   Applications SHOULD resolve unrecognized "about" URIs in the same way
   as "about:blank".

5.4.  Examples

   The following examples illustrate some known URIs supported by
   existing applications.  They are not guaranteed to be resolvable by
   every application.

   about:config  Commonly provides access to application preferences and
      settings

   about:cache  Commonly provides access to information about resources
      stored in the browser's cache.  Current Mozilla Firefox
      implementations also accept a query string to specify a specific
      device to show more information about. e.g.
      about:cache?device=offline provides details about the offline
      cache.

   about:plugins  Commonly provides access to information about
      installed plugins

   about:mozilla  An easter egg supported by Mozilla showing a passage
      from the fictional Book of Mozilla

   Applications are also permitted to redirect such URIs.
   For example,
   Opera redirects all "about" URIs, with the exception of
   "about:blank", to the equivalent URI using their internal "opera:"
   scheme. e.g. "about:config" redirects to "opera:config".

   This is not an exhaustive list.  Many more are supported by numerous
   applications.  For more examples, consult Wikipedia's entry on the
   "about: URI Scheme" [wikiabout].

6.  Normalization

   "about" URIs use the standard URI normalization rules [RFC3986],
   specifically Simple String Comparison, Case Normalization, and
   Percent-Encoding Normalization.  For example, "about:blank",
   "about:blan%6B" and "about:blan%6b" are equivalent, though the
   percent-encoded forms are discouraged.  Due to the structure of
   "about" URIs, some normalizations do not apply, specifically
   Syntax-Based Normalization, Scheme-Based Normalization, and
   Protocol-Based Normalization.  For example, "about:blank" is not
   equivalent to "about:BLANK", "about:blank?" or "about:blank:"; each
   MAY represent a different resource.  Similarly, "about:blank%3F" is
   not equivalent to "about:blank?".

7.  Security Considerations

   "about" URIs might identify resources that reveal sensitive
   information.  Applications SHOULD ensure appropriate restrictions are
   in place to protect such information from access or modification by
   untrusted sources.

   Implementations SHOULD also take note of the security considerations
   described by [RFC3986].  In particular, the following issues SHOULD
   be considered:

   Reliability and Consistency:  Implementations are responsible for the
      reliability and consistency of the resources returned.  However,
      implementations SHOULD take care with "about" URIs that might
      redirect to, or otherwise return a resource that might
      subsequently access, remote resources, which might not be reliable
      or consistent.

   Malicious Construction:  Implementations SHOULD take care to prevent
      the construction of "about" URIs that might inadvertently perform
      damaging local or remote operations, such as the modification of
      data, or leaking of data to untrusted resources.  For example,
      incorporating unsanitised data provided by the user via the query
      string into the resulting page could allow attackers to inject
      scripts into pages, similar to a cross-site scripting (XSS)
      attack.

   Sensitive Information:  Implementations SHOULD avoid including
      sensitive information, such as passwords, within "about" URIs.

   The security considerations for Rare IP Address Formats and Semantic
   Attacks, as discussed by [RFC3986], do not apply to about URIs, as
   they contain neither IP addresses nor userinfo components.

8.  IANA Considerations

   This specification requests the IANA provisionally register the
   "about" URI scheme as specified in this document and summarized in
   the following template, per [RFC4395]:

   URI scheme name:  about

   Status:  Permanent

   URI scheme syntax:  See RFCXXXX, Section 3

   URI scheme semantics:  See RFCXXXX, Section 1

   Encoding considerations:  Percent-encoding is allowed in "segment"
      and "query" components.  Internationalization is handled by IRI
      processing.  See Section 4.

   Intended usage:  An "about" URI is designed to be used internally by
      applications for almost any desired purpose.  See RFCXXXX,
      Section 1

   Applications and/or protocols that use this URI scheme name:  Any
      applications that use URIs as identifiers for private resources,
      such as web browsers.

   Interoperability considerations:  Applications are only REQUIRED to
      support "about:blank", and MAY choose to interpret other "about"
      URIs differently.

   Security considerations:  Applications SHOULD ensure appropriate
      restrictions are in place to protect sensitive information that
      might be revealed by "about" URIs from access or modification by
      untrusted sources.  See RFCXXXX, Section 7.

   Relevant publications:  RFCXXXX

   Contact:  Joseph Holsten (joseph@josephholsten.com)

   Author/Change controller:  W3C

9.  Acknowledgements

   This document was made possible thanks to the input of Henri Sivonen,
   Ian Hickson, Larry Masinter, Bjoern Hoehrmann and Julian Reschke.

10.  References

10.1.  Normative References

   [RFC2119]    Bradner, S., "Key words for use in RFCs to Indicate
                Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3629]    Yergeau, F., "UTF-8, a transformation format of ISO
                10646", STD 63, RFC 3629, November 2003.

   [RFC3986]    Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
                Resource Identifier (URI): Generic Syntax", STD 66,
                RFC 3986, January 2005.

   [RFC3987]    Duerst, M. and M. Suignard, "Internationalized Resource
                Identifiers (IRIs)", RFC 3987, January 2005.

   [RFC5234]    Crocker, D. and P. Overell, "Augmented BNF for Syntax
                Specifications: ABNF", STD 68, RFC 5234, January 2008.

   [UCS]        International Organization for Standardization,
                "Information Technology - Universal Multiple-Octet Coded
                Character Set (UCS)", ISO/IEC Standard 10646,
                December 2003.

10.2.  Informative References

   [RFC4395]    Hansen, T., Hardie, T., and L. Masinter, "Guidelines and
                Registration Procedures for New URI Schemes", BCP 35,
                RFC 4395, February 2006.

   [wikiabout]  Wikipedia, The Free Encyclopedia, "About: URI scheme".

Authors' Addresses

   Joseph Anthony Pasquale Holsten

   EMail: joseph@josephholsten.com
   URI:   http://josephholsten.com

   Lachlan Hunt
   Opera Software, ASA.

   EMail: lachlan.hunt@lachy.id.au
   URI:   http://lachy.id.au/
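
Added example (not part of the draft and not any application's own code): one way to apply the Section 3 syntax, the Section 6 normalization rules and the Section 5 resolution rules, so that a policy check is made on the normalized URI rather than on one spelling of it. The names parseAbout, resolveAbout and the handlers map are assumptions made for this illustration.

```javascript
// Added example: Section 3 syntax, Section 6 normalization, Section 5 resolution.
// pchar from RFC 3986: unreserved / pct-encoded / sub-delims / ":" / "@"
const PCHAR = "(?:[A-Za-z0-9\\-._~!$&'()*+,;=:@]|%[0-9A-Fa-f]{2})";
// abouturi = "about:" segment [ "?" query ]; the scheme name is case-insensitive.
const ABOUT_RE = new RegExp(`^about:(${PCHAR}*)(?:\\?((?:${PCHAR}|[/?])*))?$`, "i");

// Percent-Encoding Normalization: decode escapes of unreserved characters only.
// Case Normalization: upper-case the hex digits of the escapes that remain.
function normalizeEscapes(part) {
  return part.replace(/%([0-9A-Fa-f]{2})/g, (_, hex) => {
    const ch = String.fromCharCode(parseInt(hex, 16));
    return /[A-Za-z0-9\-._~]/.test(ch) ? ch : "%" + hex.toUpperCase();
  });
}

// Returns { segment, query, href } in normalized form, or null if the input
// does not match the "about" URI syntax. query is null when there is no "?".
function parseAbout(uri) {
  const m = ABOUT_RE.exec(uri);
  if (m === null) return null;
  const segment = normalizeEscapes(m[1]);
  const query = m[2] === undefined ? null : normalizeEscapes(m[2]);
  return { segment, query, href: "about:" + segment + (query === null ? "" : "?" + query) };
}

// Zero-length text/html resource in UTF-8, as required for "about:blank".
const BLANK = Object.freeze({ mediaType: "text/html", charset: "UTF-8", body: "" });

// handlers: Map of segment -> function(query) for the "about" URIs this
// (hypothetical) application recognizes. Lookup uses the normalized,
// case-sensitive segment, so every spelling of one URI hits the same rule.
function resolveAbout(uri, handlers = new Map()) {
  const parsed = parseAbout(uri);
  if (parsed === null) throw new TypeError("not an about URI: " + uri);
  if (parsed.href === "about:blank") return BLANK;      // 5.1.1: reserved
  const handler = handlers.get(parsed.segment);
  if (handler === undefined) return BLANK;              // 5.3: unrecognized
  return handler(parsed.query);                         // 5.2: unreserved
}
```
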
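
Added example (not from the draft or from any browser): the "Malicious Construction" item of Section 7, shown as an internal page that reflects the query string, first as the unsafe pattern and then hardened with an allowlist and output escaping. The page, the function names and the device list are constructed for this illustration, loosely modelled on the about:cache?device=offline example in Section 5.4.

```javascript
// Added example: reflecting "about" URI query data into an internal page.
// Constructed allowlist of values this hypothetical page understands.
const KNOWN_DEVICES = new Set(["memory", "disk", "offline"]);

// Escape the characters that are significant in HTML text and attributes.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// BEFORE: the decoded query value is concatenated into markup, so whoever
// constructs the URI controls part of the page's HTML.
function renderCachePageUnsafe(query) {
  const device = new URLSearchParams(query).get("device") ?? "";
  return `<h1>Cache device: ${device}</h1>`;
}

// AFTER: only allowlisted values select behaviour, and anything echoed back
// to the page is escaped first.
function renderCachePageSafe(query) {
  const device = new URLSearchParams(query).get("device") ?? "";
  if (!KNOWN_DEVICES.has(device)) {
    return `<h1>Unknown cache device</h1><p>${escapeHtml(device)}</p>`;
  }
  return `<h1>Cache device: ${escapeHtml(device)}</h1>`;
}

// Constructed sample inputs: the query part of about:cache?device=...
const BENIGN_QUERY = "device=offline";
const MARKUP_QUERY = "device=%3Cscript%3Ealert(1)%3C%2Fscript%3E";
```
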