Add new section clarifying the requirements for data urls #1582
Conversation
mattgarrish
requested review from
iherman,
danielweck,
bduga,
dauwhe,
shiestyle,
wareid,
llemeurfr and
rdeltour
epub33/core/index.html
Outdated
| @@ -448,7 +448,8 @@ <h3>Terminology</h3> | |||
| in outbound hyperlinks that resolve to <a>Remote Resources</a> (e.g., referenced from the | |||
| <code>href</code> attribute of an [[!HTML]] <a | |||
| href="https://html.spec.whatwg.org/multipage/text-level-semantics.html#the-a-element" | |||
| ><code>a</code></a> element).</p> | |||
| ><code>a</code></a> element). Resources represented by <a href="#sec-data-urls">data | |||
| URLs</a> are also not Publication Resources.</p> | |||
There was a problem hiding this comment.
This seems to allow data URLs as a mechanism to bypass the fallback chain when specifying non-core media types. So an img element referencing a file that is not supported would need to provide a fallback, but a data URL would not. And if the aren't Publication Resources, what are they? They aren't foreign resources, since those are defined to be publication resources. I am a little worried about introducing a new type of entity. Is it possible to leave them as publication resources, but remove the requirement to be listed in the manifest in 2.2.2?
There was a problem hiding this comment.
Ew, ya, that's not what I was intending at all. It was only about an exclusion from the manifest. I'll fix.
epub33/core/index.html
Outdated
| a <a>Top-Level Content Document</a> or open a new browser instance (e.g., they cannot be used in | ||
| manifest <code>item</code> elements that are referenced from the <a>spine</a>, in [[HTML]] or | ||
| [[SVG]] <code>a</code> elements (except when inside an <code>iframe</code>), or in calls to | ||
| [[ECMASCRIPT]] <code>window.open</code> or <code>document.open</code>).</p> |
There was a problem hiding this comment.
This list is exhaustive enough that it may need clarification that it is not exhaustive (in addition the "e.g." at the start). Actually might be better to introduce a new sentence here, since you have a parenthetical in the parenthetical.
There was a problem hiding this comment.
It's nearly exhaustive in that I can only see that the area element is missing from it. I'll add that case in and add a note that it's still subject to change as html, svg, etc. evolve.
epub33/core/index.html
Outdated
| [[SVG]] <code>a</code> elements (except when inside an <code>iframe</code>), or in calls to | ||
| [[ECMASCRIPT]] <code>window.open</code> or <code>document.open</code>).</p> | ||
|
|
||
| <p>This restriction on their use is to prevent security issues (i.e., phishing scams) and also to |
There was a problem hiding this comment.
I don't know if we need to list any specific security issues here, since the terms can be vague.
epub33/rs/index.html
Outdated
| @@ -172,6 +172,13 @@ <h2>EPUB Publications</h2> | |||
| href="https://www.w3.org/TR/epub-33/#sec-resource-locations">Resource Locations</a> | |||
| [[!EPUB-33]].</p> | |||
| </li> | |||
| <li> | |||
| <p id="confreq-rs-data-urls">It MUST prevent attemps at top-level navigation to data URLs | |||
There was a problem hiding this comment.
Is there a more precise term for this? Or is top-level navigation defined somewhere we can reference?
There was a problem hiding this comment.
Can we consider any top-level content document a top-level browsing context?
If so, we don't need to separate the concepts and can use only the HTML term.
I wasn't sure if they're considered equal all the time because SVG doesn't get into this level of detail. But if we consider all EPUB rendering in terms of html user agent rendering then it works.
There was a problem hiding this comment.
I've made a change to this effect with the latest commit. Worst case we keep working at massaging this text, I guess... 😄
There was a problem hiding this comment.
Can we consider any top-level content document a top-level browsing context?
I worry about that, because in implementations the spine item might not be a top-level browsing context.
There was a problem hiding this comment.
because in implementations the spine item might not be a top-level browsing context
But aren't most (all) reading systems using an html core to render content in the spine?
The problem, of course, is that we don't require this to be true, but it's probably true from a practical perspective. Maybe we could note the assumption and that an RS that doesn't use a browser core still needs to restrict access?
There was a problem hiding this comment.
I've added the following in the latest commit: "If a Reading System does not use a top-level browsing context for Top-level Content Documents, it MUST also prevent data URLs from opening as though they are Top-level Content Documents."
That's the best I can come up with since we lack any alternative name for the rendering context.
epub33/rs/index.html
Outdated
| @@ -172,6 +172,13 @@ <h2>EPUB Publications</h2> | |||
| href="https://www.w3.org/TR/epub-33/#sec-resource-locations">Resource Locations</a> | |||
| [[!EPUB-33]].</p> | |||
| </li> | |||
| <li> | |||
| <p id="confreq-rs-data-urls">It MUST prevent attemps at top-level navigation to data URLs | |||
There was a problem hiding this comment.
Is this overly restrictive? If a book has an img element with a data url, and a reading system has a "open in new window" option for images, would that be disallowed for the data url case?
There was a problem hiding this comment.
I saw something similar to this in one of the bug trackers cited in the issue. They were going to exempt it from the open option in context menus, so no harm in doing the same here.
- reestablish data URLs as publication resources - use top-level browsing context for defining the prohibited action - add area to list of prohibited usage contexts - exempt reading system UI from opening restriction
epub33/rs/index.html
Outdated
| href="https://html.spec.whatwg.org/multipage/browsers.html#top-level-browsing-context" | ||
| >top-level browsing contexts</a> [[HTML]])</p> | ||
| >top-level browsing contexts</a> [[HTML]], except when initiated through the user | ||
| interface of the Reading System (e.g., a context menu).</p> |
There was a problem hiding this comment.
Yeah, this language is tricksy :( Isn't clicking on something to make something happen part of the user interface of the RS? Not sure how to best phrase this.
There was a problem hiding this comment.
Isn't clicking on something to make something happen part of the user interface
Ya, it took a few tries to even come up with this. I wouldn't consider clicking in the content the same as the clicking a part of the user interface, but it is awkward.
Would "affordance" improve it any: "except when initiated through a Reading System affordance such as a context menu"?
There was a problem hiding this comment.
I've updated this in the latest commit.
change "reading system ui" to affordances for allowing data urls to be opened
|
The issue was discussed in a meeting on 2021-03-26 List of resolutions:
View the transcript2. Data URLs PRSee github pull request #1582. See github issue #1564. Matt Garrish: this is from what we discussed last week's call Brady Duga: its hard to get the language right so that we don't disallow things by mistake, or allow things by mistake Matt Garrish: this very much seems to be raised and discussed in the browser realm Ivan Herman: this PR does a lot that is not contentious, i think Matt Garrish: in that light, do we maybe want to keep the authoring side requirements, but leave out the RS expectations side? Ivan Herman: pref trying to do something now, even with it being incomplete, raise a separate issue about the terminology, link that issue to the text and ask for external help, e.g., from the TAG. Brady Duga: would refer this to TAG, yes Ivan Herman: also, let's mark issues as explicitly "referred to TAG for input" Dave Cramer: i'm okay with merging for now, on understanding that this is not final final
|
The issue appears a little more nuanced than we've discussed so far - top-level navigation is being restricted, but you can still link to data URLs within an iframe, for example. I've tried to craft the new section to also make this distinction.
It's also possible to use data URLs in the package document along with the various content formats, so I put the new section under publication resources. It's either forbidden or pointless to use them in the manifest, but you could, for example, embed a resource in a
linkelement.I've also noted they are subject to the foreign resource restrictions, so that limits what you can use and where.
The one complexity is how reading systems restrict top-level navigation to data URLs. I don't know that this is something we can, or should, try to be too specific about. While it's possible you might disable hyperlinks with a data scheme, that wouldn't stop scripts from opening such content. I was reading some of the bug trackers for this and it sounds like browsers may only prevent the resource from loading in the spawned window, not restrict the event that triggered it.
As a result, I've only given a very general requirement to prevent data URLs from loading, but open to alternative wording if someone knows a better way to phrase this.
Fixes #1564
Preview | Diff