
Disallowing file URLs #2324

Closed
iherman opened this issue Jun 5, 2022 · 1 comment · Fixed by #2329
Labels: Cat-Security (grouping label for all security related issues), EPUB33 (issues addressed in the EPUB 3.3 revision), Spec-EPUB3 (the issue affects the core EPUB 3.3 Recommendation)

iherman commented Jun 5, 2022

(This is a spin-off of a discussion in #2266, also raised during the discussion with @GJFR at the EPUB meeting; raising it as a separate issue for a better tracking)

At the moment, the only reference to file: URLs in the spec is a SHOULD NOT for the href attribute in the package file. These URLs are obvious security issues for content documents that are supposed to be 'installed' in various places, and there is no reason to use them. The proposal is to explicitly disallow their usage in EPUB.
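As an added example (not code from the epub-specs repository or the working group), a small Python scanner that walks an EPUB container and reports any URL-bearing attribute whose value uses the file: scheme, the references this issue proposes to prohibit. The attribute list, the member-extension filter and the constructed sample EPUB are assumptions made for the demonstration.

```python
import io
import re
import zipfile
from urllib.parse import urlsplit

# URL-bearing attributes to check (assumption: a practical subset, not the spec's exhaustive list).
URL_ATTRS = ("href", "src", "xlink:href", "data", "poster")
_ATTR_RE = re.compile(r"\b(" + "|".join(map(re.escape, URL_ATTRS)) + r")\s*=\s*[\"']([^\"']*)[\"']", re.IGNORECASE)

def is_file_url(url: str) -> bool:
    """True if the URL's scheme is file; urlsplit lowercases the scheme, so FILE: is caught too."""
    return urlsplit(url.strip()).scheme == "file"

def find_file_urls(doc_text: str):
    """Return [(attribute, url)] for every file: reference in one XML/XHTML document."""
    return [(attr, url) for attr, url in _ATTR_RE.findall(doc_text) if is_file_url(url)]

def scan_epub(epub_bytes: bytes):
    """Return [(member, attribute, url)] for every file: reference in the container."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(epub_bytes)) as zf:
        for name in zf.namelist():
            # Only text-based members can carry URL-bearing markup (extension filter is an assumption).
            if not name.lower().endswith((".opf", ".xhtml", ".html", ".xml", ".smil", ".ncx")):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            findings.extend((name, attr, url) for attr, url in find_file_urls(text))
    return findings

def build_sample_epub() -> bytes:
    """Constructed sample container (not a real publication): one bad manifest entry, one bad img src."""
    opf = ('<package xmlns="http://www.idpf.org/2007/opf" version="3.0"><manifest>'
           '<item id="c1" href="chapter1.xhtml" media-type="application/xhtml+xml"/>'
           '<item id="bad" href="file:///etc/hostname" media-type="text/plain"/>'
           '</manifest></package>')
    xhtml = ('<html xmlns="http://www.w3.org/1999/xhtml"><body>'
             '<a href="https://example.com/">ok</a>'
             '<img src="FILE:///C:/Users/reader/photo.png" alt="bad"/>'
             '</body></html>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/epub+zip", compress_type=zipfile.ZIP_STORED)
        zf.writestr("OEBPS/package.opf", opf)
        zf.writestr("OEBPS/chapter1.xhtml", xhtml)
    return buf.getvalue()

if __name__ == "__main__":
    for member, attr, url in scan_epub(build_sample_epub()):
        print(f"{member}: {attr}={url!r} uses the disallowed file: scheme")
```

Relative references such as chapter1.xhtml and absolute http(s) URLs pass; only the file scheme, in any letter case, is reported.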

@iherman iherman added the Cat-Security Grouping label for all security related issues label Jun 5, 2022
@iherman iherman added the Agenda+ Issues that should be discussed during the next working group call. label Jun 8, 2022

iherman commented Jun 10, 2022

The issue was discussed in a meeting on 2022-06-09

List of resolutions:


1. Disallowing File URLs.

See github issue epub-specs#2324.

See github pull request epub-specs#2329.

Dave Cramer: I can't think of a good reason to have these, but a lot of good reasons to prohibit them.

Brady Duga: yes, sounds good. File URLs seem to be interoperable. What file would you load from an epub?

Ben Schroeter: the most common thing I've seen is YouTube videos, but those aren't file URLs, right?

Brady Duga: depends on how the epub is created. Could be a link to YouTube, or a link to an external resource that plays in your epub, but neither of those are file URLs.

Dave Cramer: a file URL goes against the idea that an epub should be self-contained; you don't want an epub author to look at the files on your local machine.

Ben Schroeter: when Play gets a file URL, what happens?

Brady Duga: probably gets stripped on the server, but probably gets intercepted and rejected. We might try to open it in the browser, but then the browser would probably reject it.
… there are also a lot of origin issues with file URLs.

Dave Cramer: I propose we forbid file URLs.

Brady Duga: there's already a PR open for that.

Proposed resolution: Remove file URLs, merge PR 2329 and close issue 2324. (Wendy Reid)

Ben Schroeter: +1.

Dave Cramer: +1.

Brady Duga: +1.

Masakazu Kitahara: +1.

Wendy Reid: +1.

Matthew Chan: +1.

Matt Garrish: +1.

Ben Schroeter: +1.

Toshiaki Koike: +1.

Resolution #1: Remove file URLs, merge PR 2329 and close issue 2324.

@mattgarrish mattgarrish added EPUB33 Issues addressed in the EPUB 3.3 revision and removed Agenda+ Issues that should be discussed during the next working group call. labels Jul 2, 2022
@mattgarrish mattgarrish added the Spec-EPUB3 The issue affects the core EPUB 3.3 Recommendation label Sep 14, 2022