Network Working Group J. Holsten
Internet-Draft
Intended status: Standards Track L. Hunt
Expires: June 2, 2011 Opera Software, ASA.
November 29, 2010
The 'about' URI scheme
draft-holsten-about-uri-scheme-05
Abstract
A URI using the "about:" scheme, henceforth referred to as an "about"
URI, is designed to be used internally by applications for almost any
desired purpose. Such URIs have commonly been used by web browsers
for providing access to built-in functionality, such as application
information, preferences, settings, or "easter eggs".
Editorial Note (To be removed by RFC Editor)
Discussion of this draft should take place on the URI Review mailing
list (uri-review@ietf.org).
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 2, 2011.
Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
Holsten & Hunt Expires June 2, 2011 [Page 1]
Internet-Draft The 'about' URI scheme November 2010
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
1. Introduction
An "about" URI is designed to be used internally by applications for
almost any desired purpose. Such URIs have commonly been used by web
browsers for providing access to built-in functionality, such as
application information, preferences, settings, or "easter eggs".
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
3. URI Syntax
The general syntax of an "about" URI is defined below using ABNF
[RFC5234]:
abouturi = "about:" segment [ "?" query ]
where "segment" and "query" are defined in [RFC3986].
4. Encoding Considerations
Because many characters are not permitted with this syntax, the
"segment" and "query" elements MAY contain characters from the
Unicode Character Set [UCS] as suggested by URI [RFC3986], by first
encoding those characters as octets to the UTF-8 character encoding
[RFC3629]; then only those octets that do not correspond to
characters in the unreserved set [RFC3986] SHOULD be percent-encoded.
By using UTF-8 encoding, there are no known compatibility issues with
mapping Internationalized Resource Identifiers to "about" URIs
according to [RFC3987]. Since "about" URIs do not use domain names,
"ireg-name" conversion is unnecessary.
5. Resolving "about" URIs
A reserved "about" URI is one that is defined by a specification for
a specific purpose, which MAY also be defined to be resolvable.
Holsten & Hunt Expires June 2, 2011 [Page 2]
Internet-Draft The 'about' URI scheme November 2010
An unreserved "about" URI is any other "about" URI that is not
defined by a specification for a specific purpose, but which MAY be
recognized by an application.
An unrecognized "about" URI is an "about" URI that is not recognized
by an application.
5.1. Reserved "about" URIs
Other specifications MAY reserve "about" URIs. Applications
attempting to resolve reserved "about" URIs that are not defined to
be resolvable, MAY treat such URIs as being unreserved.
5.1.1. about:blank
The "about" URI with the segment equal to "blank" and no query
component is reserved by this specification. i.e. "about:blank".
Applications resolving the URI "about:blank" MUST return a resource
of zero length, containing no data, with the media type "text/html"
and the character encoding "UTF-8".
Note: If a query component is provided with "about:blank", such as
"about:blank?" or "about:blank?foo", then the URI is not considered
to be reserved by this specification.
5.2. Unreserved "about" URIs
Applications MAY resolve any unreserved "about" URI to any resource,
either internal or external, or redirect to an alternative URI.
Note: As "about" URIs are designed to be internal to each
application, there is no expectation of any unreserved URI returning
the same resource among different applications. However, it is worth
noting that some conventions have arisen for providing particular
functionality via common "about" URIs.
5.3. Unrecognized "about" URIs
Applications SHOULD resolve unrecognized "about" URIs in the same way
as "about:blank".
5.4. Examples
The following examples illustrate some known URIs supported by
existing applications. They are not guaranteed to be resolvable by
every application.
Holsten & Hunt Expires June 2, 2011 [Page 3]
Internet-Draft The 'about' URI scheme November 2010
about:config Commonly provides access to application preferences and
settings
about:cache Commonly provides access to information about resources
stored in the browsers cache. Current Mozilla Firefox
implementations also accept a query string to specify a specific
device to show more information about. e.g. about:
cache?device=offline provides details about the offline cache.
about:plugins Commonly provides access to information about
installed plugins
about:mozilla An easter egg supported by Mozilla showing a passage
from the fictional Book of Mozilla
Applications are also permitted to redirect such URIs. For example,
Opera redirects all "about" URIs, with the exception of
"about:blank", to the equivalent URI using their internal "opera:"
scheme. e.g. "about:config" redirects to "opera:config".
This is not an exhaustive list. Many more are supported by numerous
applications. For more examples, consult Wikipedia's entry on the
"about: URI Scheme" [wikiabout].
6. Normalization
"about" URIs use the standard URI normalization rules [RFC3986],
specifically Simple String Comparison, Case Normalization, and
Percent-Encoding Normalization. For example, "about:blank",
"about:blan%6B" and "about:blan%6b" are equivalent, though the
percent-encoded forms are discouraged. Due to the structure of
"about" URIs, some normalizations do not apply, specifically Syntax-
Based Normalization, Scheme-Based Normalization, and Protocol-Based
Normalization. For example, "about:blank" is not equivalent to
"about:BLANK", "about:blank?" or "about:blank:", each MAY represent a
different resource. Similarly, "about:blank%3F" is not equivalent to
"about:blank?".
7. Security Considerations
"about" URIs might identify resources that reveal sensitive
information. Applications SHOULD ensure appropriate restrictions are
in place to protect such information from access or modification by
untrusted sources.
Implementations SHOULD also take note of the security considerations
described by [RFC3986]. In particular, the following issues SHOULD
be considered:
Holsten & Hunt Expires June 2, 2011 [Page 4]
Internet-Draft The 'about' URI scheme November 2010
Reliability and Consistency: Implementations are responsible for the
reliability and consistency of the resources returned. However,
implementations SHOULD take care with "about" URIs that might
redirect to, or otherwise return a resource that might
subsequently access, remote resources, which might not be reliable
or consistent.
Malicious Construction: Implementations SHOULD take care to prevent
the construction of "about" URIs that might inadvertently perform
damaging local or remote operations, such as the modification of
data, or leaking of data to untrusted resources. For example,
incorporating unsanitised data provided by the user via the query
string into the resulting page could allow attackers to inject
scripts into pages, similar to a cross-site scripting (XSS)
attack.
Sensitive Information: Implementations SHOULD avoid including
sensitive information, such as passwords, within "about" URIs.
The security considerations for Rare IP Address Formats and Semantic
Attacks, as discussed by [RFC3986] do not apply to about URIs, as
they do not contain either IP addresses nor userinfo components.
8. IANA Considerations
This specification requests the IANA provisionally register the
"about" URI scheme as specified in this document and summarized in
the following template, per [RFC4395]:
URI scheme name: about
Status: Permanent
URI scheme syntax: See RFCXXXX, Section 3
URI scheme semantics: See RFCXXXX, Section 1
Encoding considerations: Percent-encoding is allowed in "segment"
and "query" components. Internationalization is handled by IRI
processing. See Section 4.
Intended usage: An "about" URI is designed to be used internally by
applications for almost any desired purpose. See RFCXXXX,
Section 1
Holsten & Hunt Expires June 2, 2011 [Page 5]
Internet-Draft The 'about' URI scheme November 2010
Applications and/or protocols that use this URI scheme name: Any
applications that use URIs as identifiers for private resources,
such as web browsers.
Interoperability considerations: Applications are only REQUIRED to
support "about:blank", and MAY choose to interpret other "about"
URIs differently.
Security considerations: Applications SHOULD ensure appropriate
restrictions are in place to protect sensitive information that
may be revealed by "about" URIs from access or modification by
untrusted sources. See RFCXXXX, Section 7.
Relevant publications: RFCXXXX
Contact: Joseph Holsten (joseph@josephholsten.com)
Author/Change controller: W3C
9. Acknowledgements
This document was made possible thanks to the input of Henri Sivonen,
Ian Hickson, Larry Masinter, Bjoern Hoehrmann and Julian Reschke.
10. References
10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, November 2003.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, January 2005.
[RFC3987] Duerst, M. and M. Suignard, "Internationalized Resource
Identifiers (IRIs)", RFC 3987, January 2005.
[RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234, January 2008.
[UCS] International Organization for Standardization,
"Information Technology - Universal Multiple-Octet Coded
Character Set (UCS)", ISO/IEC Standard 10646,
December 2003.
Holsten & Hunt Expires June 2, 2011 [Page 6]
Internet-Draft The 'about' URI scheme November 2010
10.2. Informative References
[RFC4395] Hansen, T., Hardie, T., and L. Masinter, "Guidelines and
Registration Procedures for New URI Schemes", BCP 35,
RFC 4395, February 2006.
[wikiabout] Wikipedia, The Free Encyclopedia, "About: URI scheme".
Authors' Addresses
Joseph Anthony Pasquale Holsten
EMail: joseph@josephholsten.com
URI: http://josephholsten.com
Lachlan Hunt
Opera Software, ASA.
EMail: lachlan.hunt@lachy.id.au
URI: http://lachy.id.au/
Holsten & Hunt Expires June 2, 2011 [Page 7]
