| Internet-Draft | Well-Known Web-Based Protocol Handlers | July 2023 |
| Lasso | Expires 11 January 2024 | [Page] |
This document defines a well-known URI for opening URLs in arbitrary, user-provided web domains, as if the domain were a web-based protocol handler.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 11 January 2024.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The recent growth of the Fediverse [W3C.activitypub] has highlighted a need for a quick and simple mechanism for opening URLs [WHATWG-URL] across instances. This specification defines a well-known URI for such purpose with the desired properties: low bandwidth cost, and low latency cost.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The use of URL throughout this document refers to the WHATWG URL Standard [WHATWG-URL]. The use of URI refers to BCP 190 [RFC8820].¶
Suppose a Fediverse instance has the ability to display public posts to visiting users. Someone
might share a link to a public post from said instance, say https://public.example/post/foo. Visiting users from other instances can click
a "reply" or other interaction button, and when doing so, they are greeted with a dialog asking
them for their instance domain. Once they fill out the dialog, they get navigated to the well-known web-based
protocol handler for their instance, say https://users.example/.well-known/protocol-handler?target=https%3A%2F%2Fpublic.example%2Fpost%2Ffoo,
where they can interact from their instance with the post. This workflow is demonstrated in Figure 1 through Figure 3.¶
+-------------------------------------------------------------+ | https://public.example/post/foo | +-------------------------------------------------------------+ | Public User said: | | Hi there! | | | | [Reply] |Boost| |Like| | +-------------------------------------------------------------+
+-------------------------------------------------------------+ | https://public.example/post/foo | +-------------------------------------------------------------+ | Public +-----------------------------------------+ | | Hi ther | To reply to this post, please type | | | | your fediverse instance domain below: | | | |Reply| | Domain: [users.example____] | | | | |Confirm| |Cancel| | | | +-----------------------------------------+ | +-------------------------------------------------------------+
+-------------------------------------------------------------+ | https://users.example/.well-known/protocol-handler?target=h | | ttps%3A%2F%2Fpublic.example%2Fpost%2Ffoo | +-------------------------------------------------------------+ | Public User from public.example said: | | Hi there! | | | | [Reply] |Boost| |Like| | +-------------------------------------------------------------+
Suppose a website provides an Atom feed [RFC4287]. A visiting user wants to open the Atom feed with their favorite
web-based feed reader. The user clicks the "Atom feed" button and is prompted for their web-based feed reader. They fill out the prompt
and get navigated to the well-known web-based protocol handler for their feed reader, say, https://feedreader.example/.well-known/protocol-handler?target=feed%3A%2F%2Fwebsite.example%2Findex.atom,
where they can browse and/or subscribe to the Atom feed. This workflow is demonstrated in Figure 4 through Figure 6.¶
+-------------------------------------------------------------+ | https://website.example/index.html | +-------------------------------------------------------------+ | Recent posts: | | - Hello world! | | | | [Atom Feed] | +-------------------------------------------------------------+
+-------------------------------------------------------------+ | https://website.example/index.html | +-------------------------------------------------------------+ | Recent +-----------------------------------------+ | | - Hello | To view this feed, please type your | | | | feed reader's domain below: | | | |Atom f | Domain: [feedreader.example____] | | | | |Confirm| |Cancel| | | | +-----------------------------------------+ | +-------------------------------------------------------------+
+-------------------------------------------------------------+ | https://feedreader.example/.well-known/protocol-handler?tar | | get=feed%3A%2F%2Fwebsite.example%2Findex.atom | +-------------------------------------------------------------+ | Posts from https://website.example/index.atom | | - Hello world! | +-------------------------------------------------------------+
mailto:
Suppose a website wants to allow users to contact the website author. A visiting user clicks the "email" button and is prompted for their email
address. After filling it out, the user gets navigated to the well-known web-based protocol handler for their email address, say, https://webmail.example/.well-known/protocol-handler?target=mailto%3Aauthor%40website.example%3Ffrom%3Dvisitinguser%40webmail.example. The webmail uses
the embedded from value to automatically select the correct user account from the multi-account switcher. This workflow is demonstrated in Figure 7 through Figure 9.¶
+-------------------------------------------------------------+ | https://website.example/index.html | +-------------------------------------------------------------+ | Recent posts: | | - Hello world! | | | | [Contact the Author] | +-------------------------------------------------------------+
+-------------------------------------------------------------+ | https://website.example/index.html | +-------------------------------------------------------------+ | Recent +-----------------------------------------+ | | - Hello | To contact the author, please type your | | | | email: [visitinguser@webmail.example__] | | | [Contac | |Confirm| |Cancel| | | | +-----------------------------------------+ | +-------------------------------------------------------------+
+-------------------------------------------------------------+ | https://webmail.example/.well-known/protocol-handler?target | | =mailto%3Aauthor%40website.example%3Ffrom%3Dvisitinguser%40 | | webmail.example | +-------------------------------------------------------------+ | To: |author@website.example | | | Subject: [______________] | | Message: | | +--------------------------------------+ | | | | | | | | | | | | | | +--------------------------------------+ | | |Send| |Save Draft| |Cancel| | +-------------------------------------------------------------+
The well-known web-based protocol handler SHALL accept a target query parameter. This query parameter SHALL carry an absolute-URL-with-fragment-string; see Section 4.3 of [WHATWG-URL]. No restrictions are placed on the URL's scheme. The choice to use the WHATWG URL specification allows the well-known web-based protocol handler to optionally be registered with the browser, should the website choose to do so, as per Section 8.9.1.4 of [WHATWG-HTML].¶
The well-known web-based protocol handler is explicitly intended for navigation: a web browser will navigate to it when using it. It is up to the server to decide how to handle the given URL, but note Security Considerations.¶
To support probing, a server MAY opt to return 4xx-responses for URL schemes it doesn't recognize or doesn't accept. It is NOT RECOMMENDED to use generic schemes (http, https, and the like), as they convey less information when probing.¶
This specification registers the "protocol-handler" well-known URI in the "well-known URIs" registry as defined by RFC 8615 [RFC8615].¶
URI suffix: protocol-handler¶
Change controller: IETF¶
Specification document(s): TBD¶
Status: permanent¶
Related information: Not applicable.¶
The specified well-known URI is a simple navigable resource, and the security considerations relevant to any navigable resource apply. Nevertheless, we highlight the following two vulnerabilities and recommendations as they are particularly relevant.¶
An open redirect attack occurs when an attacker uses an open redirect on a legitimate website in order to trick an unsuspecting user into visiting the attacker's phishing website.¶
Due to the nature of the well-known URI, common mitigations such as checking Referer, Origin, and other headers, are not available here. Where possible, the provided URL SHOULD be opened within the scope of the well-known resource. Otherwise, the user MUST be notified of scope changes and be given the option to confirm or deny them.¶
Some URLs may be used to carry actions. An attacker may include malicious actions in such URLs. Since this endpoint is navigable, an attacker can simply open it, sometimes even without user intervention.¶
Servers implementing this well-known URI MUST NOT automatically execute actions based on the target URL. Ideally, servers SHOULD reject/ignore these actions altogether, and let the user execute the action in the interface they are presented with, as it's not uncommon for users to simply click "yes" or "confirm" in an attempt to dismiss prompts. In some cases, for example for message composition URLs (mailto, etc), this may simply not be possible; in these cases the server can prompt the user before executing the action.¶