CH Scratchpad

design issues

• need to handle offline case gracefully
  • fragment identifiers can be used, but hacky; ping WhatWG

• static add vs. dynamic add vs. preview actions
  • spec issue: GET not very RESTful for first two cases

• security issues
  • spec: "should NEVER send https URIs to third-party sites"; need to design fallback behavior or change. todo: ask hixie what this protects
  • how do we handle URI leakage as per HTML5 4.10.2.1. todo: does fx2 handle this? sounds hard (impossible?) to fix
  • credential leakage spec verbiage sounds unimplementable
  • set up security audit
    • protocol handlers
      • figure out what URI schemes are acceptable for both source and target

• POST issues
  • use cases
  • security stuff (see biesi/hixie thread in WhatWG archives)
    • require https to prevent WiFi hotspot MiTM attacks?

P1 todos

• pref RDF work (proto & mime)
• proto dialog: lightweight XUL dialog
• MIME backend
• tweak existing ucth dialog for mime
• security review
• prefs UI for changing
• register{content,Protocol}Handler dialogs
• POST support
• prod mgmt stuff: defaults, partner contact work