The 'about' URI scheme
draft-holsten-about-uri-scheme-05

Abstract

A URI using the about: scheme, henceforth referred to as an about URI, is designed to be used internally by applications for almost any desired purpose. Such URIs have commonly been used by web browsers for providing access to built-in functionality, such as application information, preferences, settings, or "easter eggs".

Editorial Note (To be removed by RFC Editor)

Discussion of this draft should take place on the URI Review mailing list (uri-review@ietf.org).

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as “work in progress.”

This Internet-Draft will expire on June 2, 2011.

Copyright Notice

Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

1.  Introduction

An about URI is designed to be used internally by applications for almost any desired purpose. Such URIs have commonly been used by web browsers for providing access to built-in functionality, such as application information, preferences, settings, or "easter eggs".

2.  Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119] (Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” March 1997.).

3.  URI Syntax

The general syntax of an about URI is defined below using ABNF (Crocker, D. and P. Overell, “Augmented BNF for Syntax Specifications: ABNF,” January 2008.) [RFC5234]:

                    abouturi = "about:" segment [ "?" query ]

where segment and query are defined in [RFC3986] (Berners-Lee, T., Fielding, R., and L. Masinter, “Uniform Resource Identifier (URI): Generic Syntax,” January 2005.).

4.  Encoding Considerations

Because many characters are not permitted with this syntax, the segment and query elements MAY contain characters from the Unicode Character Set (International Organization for Standardization, “Information Technology - Universal Multiple-Octet Coded Character Set (UCS),” December 2003.) [UCS] as suggested by URI (Berners-Lee, T., Fielding, R., and L. Masinter, “Uniform Resource Identifier (URI): Generic Syntax,” January 2005.) [RFC3986], by first encoding those characters as octets to the UTF-8 character encoding (Yergeau, F., “UTF-8, a transformation format of ISO 10646,” November 2003.) [RFC3629]; then only those octets that do not correspond to characters in the unreserved set (Berners-Lee, T., Fielding, R., and L. Masinter, “Uniform Resource Identifier (URI): Generic Syntax,” January 2005.) [RFC3986] SHOULD be percent-encoded.

By using UTF-8 encoding, there are no known compatibility issues with mapping Internationalized Resource Identifiers to about URIs according to [RFC3987] (Duerst, M. and M. Suignard, “Internationalized Resource Identifiers (IRIs),” January 2005.). Since about URIs do not use domain names, ireg-name conversion is unnecessary.

5.  Resolving "about" URIs

A reserved about URI is one that is defined by a specification for a specific purpose, which MAY also be defined to be resolvable.

An unreserved about URI is any other about URI that is not defined by a specification for a specific purpose, but which MAY be recognized by an application.

An unrecognized about URI is an about URI that is not recognized by an application.

5.1.  Reserved "about" URIs

Other specifications MAY reserve about URIs. Applications attempting to resolve reserved about URIs that are not defined to be resolvable, MAY treat such URIs as being unreserved.

5.1.1.  about:blank

The about URI with the segment equal to blank and no query component is reserved by this specification. i.e. about:blank. Applications resolving the URI about:blank MUST return a resource of zero length, containing no data, with the media type text/html and the character encoding "UTF-8".

Note: If a query component is provided with about:blank, such as about:blank? or about:blank?foo, then the URI is not considered to be reserved by this specification.

5.2.  Unreserved "about" URIs

Applications MAY resolve any unreserved about URI to any resource, either internal or external, or redirect to an alternative URI.

Note: As about URIs are designed to be internal to each application, there is no expectation of any unreserved URI returning the same resource among different applications. However, it is worth noting that some conventions have arisen for providing particular functionality via common about URIs.

5.3.  Unrecognized "about" URIs

Applications SHOULD resolve unrecognized about URIs in the same way as "about:blank (about:blank)".

5.4.  Examples

The following examples illustrate some known URIs supported by existing applications. They are not guaranteed to be resolvable by every application.

about:config

Commonly provides access to application preferences and settings

about:cache

Commonly provides access to information about resources stored in the browsers cache. Current Mozilla Firefox implementations also accept a query string to specify a specific device to show more information about. e.g. about:cache?device=offline provides details about the offline cache.

about:plugins

Commonly provides access to information about installed plugins

about:mozilla

An easter egg supported by Mozilla showing a passage from the fictional Book of Mozilla

Applications are also permitted to redirect such URIs. For example, Opera redirects all about URIs, with the exception of about:blank, to the equivalent URI using their internal opera: scheme. e.g. about:config redirects to opera:config.

This is not an exhaustive list. Many more are supported by numerous applications. For more examples, consult Wikipedia's entry on the "about: URI Scheme" (Wikipedia, The Free Encyclopedia, “About: URI scheme,” .) [wikiabout].

6.  Normalization

about URIs use the standard URI normalization rules (Berners-Lee, T., Fielding, R., and L. Masinter, “Uniform Resource Identifier (URI): Generic Syntax,” January 2005.) [RFC3986], specifically Simple String Comparison, Case Normalization, and Percent-Encoding Normalization. For example, about:blank, about:blan%6B and about:blan%6b are equivalent, though the percent-encoded forms are discouraged. Due to the structure of about URIs, some normalizations do not apply, specifically Syntax-Based Normalization, Scheme-Based Normalization, and Protocol-Based Normalization. For example, about:blank is not equivalent to about:BLANK, about:blank? or about:blank:, each MAY represent a different resource. Similarly, about:blank%3F is not equivalent to about:blank?.

7.  Security Considerations

about URIs might identify resources that reveal sensitive information. Applications SHOULD ensure appropriate restrictions are in place to protect such information from access or modification by untrusted sources.

Implementations SHOULD also take note of the security considerations described by [RFC3986] (Berners-Lee, T., Fielding, R., and L. Masinter, “Uniform Resource Identifier (URI): Generic Syntax,” January 2005.). In particular, the following issues SHOULD be considered:

Reliability and Consistency:

Implementations are responsible for the reliability and consistency of the resources returned. However, implementations SHOULD take care with about URIs that might redirect to, or otherwise return a resource that might subsequently access, remote resources, which might not be reliable or consistent.

Malicious Construction:

Implementations SHOULD take care to prevent the construction of about URIs that might inadvertently perform damaging local or remote operations, such as the modification of data, or leaking of data to untrusted resources. For example, incorporating unsanitised data provided by the user via the query string into the resulting page could allow attackers to inject scripts into pages, similar to a cross-site scripting (XSS) attack.

Sensitive Information:

Implementations SHOULD avoid including sensitive information, such as passwords, within about URIs.

The security considerations for Rare IP Address Formats and Semantic Attacks, as discussed by [RFC3986] (Berners-Lee, T., Fielding, R., and L. Masinter, “Uniform Resource Identifier (URI): Generic Syntax,” January 2005.) do not apply to about URIs, as they do not contain either IP addresses nor userinfo components.

8.  IANA Considerations

This specification requests the IANA provisionally register the about URI scheme as specified in this document and summarized in the following template, per [RFC4395] (Hansen, T., Hardie, T., and L. Masinter, “Guidelines and Registration Procedures for New URI Schemes,” February 2006.):

URI scheme name:

about

Status:

Permanent

URI scheme syntax:

See RFCXXXX, Section 3 (URI Syntax)

URI scheme semantics:

See RFCXXXX, Section 1 (Introduction)

Encoding considerations:

Percent-encoding is allowed in segment and query components. Internationalization is handled by IRI processing. See Section 4 (Encoding Considerations).

Intended usage:

An about URI is designed to be used internally by applications for almost any desired purpose. See RFCXXXX, Section 1 (Introduction)

Applications and/or protocols that use this URI scheme name:

Any applications that use URIs as identifiers for private resources, such as web browsers.

Interoperability considerations:

Applications are only REQUIRED to support about:blank, and MAY choose to interpret other about URIs differently.

Security considerations:

Applications SHOULD ensure appropriate restrictions are in place to protect sensitive information that might be revealed by about URIs from access or modification by untrusted sources. See RFCXXXX, Section 7 (Security Considerations).

Relevant publications:

RFCXXXX

Contact:

Joseph Holsten (joseph@josephholsten.com)

Author/Change controller:

W3C

9.  Acknowledgements

This document was made possible thanks to the input of Henri Sivonen, Ian Hickson, Larry Masinter, Bjoern Hoehrmann and Julian Reschke.

10.  References

10.1. Normative References

10.2. Informative References

Authors' Addresses