Discovery of Well-Known Web-Based Protocol Handlers

Introduction The recent growth of the Fediverse has highlighted a need for a quick and simple mechanism for opening URLs across instances. This specification defines a well-known URI for such purpose with the desired properties: low bandwidth cost, and low latency cost.

Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. The use of URL throughout this document refers to the WHATWG URL Standard . The use of URI refers to BCP 190 .

Example Uses of Well-Known Web-Based Protocol Handlers

Fediverse Instance Interactions Suppose a Fediverse instance has the ability to display public posts to visiting users. Someone might share a link to a public post from said instance, say https://public.example/post/foo. Visiting users from other instances can click a "reply" or other interaction button, and when doing so, they are greeted with a dialog asking them for their instance domain. Once they fill out the dialog, they get navigated to the well-known web-based protocol handler for their instance, say https://users.example/.well-known/protocol-handler?target=https%3A%2F%2Fpublic.example%2Fpost%2Ffoo, where they can interact from their instance with the post. This workflow is demonstrated in through .

Browsing the public post directly

The interaction dialog, which shows up when clicking "reply", already filled out

The post, now seen from users.example

Web-Based Feed Readers Suppose a website provides an Atom feed . A visiting user wants to open the Atom feed with their favorite web-based feed reader. The user clicks the "Atom feed" button and is prompted for their web-based feed reader. They fill out the prompt and get navigated to the well-known web-based protocol handler for their feed reader, say, https://feedreader.example/.well-known/protocol-handler?target=feed%3A%2F%2Fwebsite.example%2Findex.atom, where they can browse and/or subscribe to the Atom feed. This workflow is demonstrated in through .

Browsing the website

The feed dialog, which shows up when clicking "Atom Feed", already filled out

The Atom feed, now seen from feedreader.example

Webmail Prompt as an Alternative to Bare mailto: Suppose a website wants to allow users to contact the website author. A visiting user clicks the "email" button and is prompted for their email address. After filling it out, the user gets navigated to the well-known web-based protocol handler for their email address, say, https://webmail.example/.well-known/protocol-handler?target=mailto%3Aauthor%40website.example%3Ffrom%3Dvisitinguser%40webmail.example. The webmail uses the embedded from value to automatically select the correct user account from the multi-account switcher. This workflow is demonstrated in through .

Browsing the website

The contact dialog, which shows up when clicking "Contact the Author", already filled out

The user's webmail

Semantics of the Well-Known Web-Based Protocol Handler The well-known web-based protocol handler SHALL accept a target query parameter. This query parameter SHALL carry an absolute-URL-with-fragment-string; see . No restrictions are placed on the URL's scheme. The choice to use the WHATWG URL specification allows the well-known web-based protocol handler to optionally be registered with the browser, should the website choose to do so, as per . The well-known web-based protocol handler is explicitly intended for navigation: a web browser will navigate to it when using it. It is up to the server to decide how to handle the given URL, but note . To support probing, a server MAY opt to return 4xx-responses for URL schemes it doesn't recognize or doesn't accept. It is NOT RECOMMENDED to use generic schemes (http, https, and the like), as they convey less information when probing.

IANA Considerations This specification registers the "protocol-handler" well-known URI in the "well-known URIs" registry as defined by RFC 8615 . URI suffix: protocol-handler Change controller: IETF Specification document(s): TBD Status: permanent Related information: Not applicable.

Security Considerations The specified well-known URI is a simple navigable resource, and the security considerations relevant to any navigable resource apply. Nevertheless, we highlight the following two vulnerabilities and recommendations as they are particularly relevant.

Open Redirect An open redirect attack occurs when an attacker uses an open redirect on a legitimate website in order to trick an unsuspecting user into visiting the attacker's phishing website. Due to the nature of the well-known URI, common mitigations such as checking Referer, Origin, and other headers, are not available here. Where possible, the provided URL SHOULD be opened within the scope of the well-known resource. Otherwise, the user MUST be notified of scope changes and be given the option to confirm or deny them.

Improper Authorization in Handler for Custom URL Scheme Some URLs may be used to carry actions. An attacker may include malicious actions in such URLs. Since this endpoint is navigable, an attacker can simply open it, sometimes even without user intervention. Servers implementing this well-known URI MUST NOT automatically execute actions based on the target URL. Ideally, servers SHOULD reject/ignore these actions altogether, and let the user execute the action in the interface they are presented with, as it's not uncommon for users to simply click "yes" or "confirm" in an attempt to dismiss prompts. In some cases, for example for message composition URLs (mailto, etc), this may simply not be possible; in these cases the server can prompt the user before executing the action.