Safelist protocol handlers for DWeb

[lidel]

This issue tracks safelisting of "ssb", "dat", "ipfs", "ipns" and "dweb" protocols within HTML spec.

Context

https://html.spec.whatwg.org/multipage/system-state.html#safelisted-scheme

This list can be changed. If there are schemes that ought to be added, please send feedback.

Motivation

Safelisted protocols do not require web+ prefix when redirect-based handler is registered via navigator.registerProtocolHandler. Additionally, browser vendors often reuse the safelist as the default for deciding which protocols can be handled by WebExtensions (example).

Safelisting DWeb protocols in HTML spec would make it possible for the community to start using non-HTTP DWeb addresses in the wild and provide users with HTTP-based gateways/readers even before native protocol handler API matures enough to be a part of WebExtensions.

Vendor Support

Historically there was the chicken and the egg problem with adding new protocols to the safelist, so it is important to emphasize that browser vendors are supportive to this change (see references below), and waiting for HTML spec.

• Firefox does not require web+ prefix for handlers registered via navigator.registerProtocolHandler, so they effectively implement change proposed in this issue.
  • Mozilla also whitelisted (patch) DWeb protocols for use in WebExtension context (Firefox 59).
• Chromium is waiting (one of reasons why this issue got created), but there is intent to implement the change if HTML spec is supportive

References

• Current safelist in HTML spec
• Whitelisting discussion within DWeb community: https://github.com/arewedistributedyet/arewedistributedyet/issues/23
• Prototyping Native Protocol Handler API for WebExtensions: mozilla/libdweb#protocol-api

[annevk]

See also #1829 and #2546.

[asankah]

Chromium is interested as per Chromium issue 651311 I'll follow up on the Chromium issue on the next steps.

[chrisdavidmills]

documentation need recorded at MDN content roadmap — https://trello.com/c/8KM2lW6p/130-safelist-protocol-handlers-for-dweb

[fred-wang]

Talking to @lidel recently, there is still community interest in supporting these protocols. From recent discussion in blink-dev [1] it seems API owners are ok extending the whitelist. Moreover, there was not any complaint on the "ssb", "dat", "ipfs", "ipns" and "dweb" protocols specifically. Igalia is happy to take over @asankah's Chromium work on this and implement it in Gecko, if the Chromium/Mozilla developers don't oppose.

There are bugs filed in Mozilla and Chromium [2] [3] and testing would be handled by extending [4]. I'm going to open a PR to the spec. Anything else needed?

(Note: Mozilla switched to a whitelist in [5] since the issue was reported, so there is still some work to do in Firefox)

[1] https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/29sFh4tTdcs/K4XroilVBAAJ [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1631446 [3] https://bugs.chromium.org/p/chromium/issues/detail?id=651311 [4] https://github.com/web-platform-tests/wpt/blob/master/html/webappapis/system-state-and-capabilities/the-navigator-object/protocol.https.html [5] https://bugzilla.mozilla.org/show_bug.cgi?id=1476035

[fred-wang]

This issue tracks safelisting of "ssb", "dat", "ipfs", "ipns" and "dweb" protocols within HTML spec.

The dweb community reported interest for "cabal" and "hyper" schemes too.

All of them are now registered at IANA https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml

[shocknet-justin]

would like to request lightning be added as well (companion to bitcoin)

[RangerMauve]

By the way, dat:// has been deprecated and replaced with hyper://

[CDDelta]

Hi, could I request that ar:// be safelisted under the dweb category as well? If not, could you point me to what I need to do? ar:// is already a part of the IANA URI schemes registry here. Thank you :)

[fred-wang]

WHATWG progress is currently stuck on having a second browser supporting additions of new protocols in the spec.

[theDavidCoen]

"bitcoin:" is already in the list, but it would be really useful to have also "lightning:" in that.

Lightning Network (LNP) is a structure of payment channels open between private individuals and/or companies and represents the current scaling solution for Bitcoin; that's why we often called it also the Bitcoin' Second Layer. With Lightning we can potentially make hundreds of thousands if not million transactions per second and so reach any part of the World (almost) instantaneously and without any footprint on the Bitcoin blockchain. Lightning therefore constitutes a true P2P network, in full compliance with the abstract of the Bitcoin whitepaper created by Satoshi Nakamoto, while the Base (Settlement) Layer, with its blockchain, is more similar to a broadcast system, since the transaction transcription and so their irreversibility depends on the miners.

"lightning:" become a standard de facto for the Lightning wallets: we can set a string such as "lightning:LNURL" or a vanity wrapper "lighting:address@2ndleveldomain.topleveldomain" and open it with a LN app, just like we do with email app and "mailto:address@2ndleveldomain.topleveldomain".