Whitelisting bitcoin: URI handler in navigator.registerProtocolHandler()?


Mikko Ohtamaa

Jun 24, 2014, 8:23:36 AM
to chromium...@chromium.org
Hi,

Bitcoin payments have a standard bitcoin: URI scheme described in https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki. When registering a handler for this protocol via JavaScript navigator.registerProtocolHandler(), the user can initiate Bitcoin payments from their web wallets (LocalBitcoins, Coinbase, BlockChain.info to name a few). Bitcoin payment is done simply by clicking the Bitcoin payment URL, which opens a payment page in the wallet, making the payment process very straightforward. For now, Chromium users need to copy-paste two separate tokens (bitcoin address, amount) from one page to another to make a payment from the web wallet. Firefox supports registering a handler for bitcoin: URIs.

Currently Chromium / Chrome does not allow registering bitcoin: handlers via JavaScript by web wallets. It is available only via browser extensions. What would it take to make this possible without using extensions? The hardcoded whitelist is defined here: https://code.google.com/p/chromium/codesearch#chromium/src/chrome/installer/util/shell_util.cc&q=nntp&sq=package:chromium&l=1416&type=cs

Security implications

- bitcoin: URI scheme has an open specification https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki

- There are several compatible wallet implementations, both web and desktop, having support for bitcoin:. Implementation diversity lowers the risk of using bitcoin: URIs as an attack vector against native applications.

- All Bitcoin wallets require user interaction after bitcoin: URI opening, so automated attacks against URIs are not likely

- Currently there exist many malicious Chrome browser extensions which steal the bitcoins of the user. Whitelisting the protocol handler would eliminate the need for using browser extensions, thus making the web generally a safer place for Bitcoin users. http://www.coindesk.com/chrome-extension-could-vulnerable-malware/

Implementation implications

- Is there any decided process / stance on how new protocol handlers should be whitelisted?

- What tests are needed to get bitcoin: URIs whitelisted?

If the Chromium team does not see any problems going forward with this, I can

More info

- https://developer.mozilla.org/en-US/docs/Web/API/navigator.registerProtocolHandler

Cheers,
Mikko Ohtamaa
http://opensourcehacker.com
http://twitter.com/moo9000
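The flow described in the post above, as an added example that is not part of the original thread or of any wallet's code: a web wallet registers a bitcoin: handler, then validates the BIP-21 URI the browser passes in place of %s before showing a payment page. The host wallet.example, the "uri" parameter name, the address character check (no checksum verification) and the 8-decimal amount limit are assumptions of this example.

```javascript
// Added example. wallet.example and the "uri" query parameter are hypothetical.
const HANDLER_TEMPLATE = "https://wallet.example/pay?uri=%s";

// Registers the handler where the API exists; returns false elsewhere
// (for example under Node, or in a browser that rejects the scheme).
function registerWalletHandler() {
  if (typeof navigator === "undefined" ||
      typeof navigator.registerProtocolHandler !== "function") return false;
  navigator.registerProtocolHandler("bitcoin", HANDLER_TEMPLATE, "Example Wallet");
  return true;
}

// Parses a BIP-21 URI. The URI is attacker-controlled link content, so
// every field is validated and nothing is trusted for display or signing.
function parseBitcoinUri(raw) {
  const m = /^bitcoin:([^?]*)(?:\?(.*))?$/i.exec(raw);
  if (!m) throw new Error("not a bitcoin: URI");
  const address = m[1];
  // Assumption: Base58 alphabet and length check only, no checksum.
  if (!/^[1-9A-HJ-NP-Za-km-z]{26,35}$/.test(address)) {
    throw new Error("malformed address");
  }
  const out = { address, amount: null, label: null, message: null };
  for (const [key, value] of new URLSearchParams(m[2] || "")) {
    if (key === "amount") {
      // Decimal BTC, no commas. Kept as a string to avoid float rounding.
      if (!/^\d+(\.\d{1,8})?$/.test(value)) throw new Error("bad amount");
      out.amount = value;
    } else if (key === "label" || key === "message") {
      out[key] = value; // untrusted text: escape before rendering
    } else if (key.startsWith("req-")) {
      // BIP-21: an unknown required parameter makes the whole URI invalid.
      throw new Error("unsupported required parameter: " + key);
    } // other unknown parameters are ignored
  }
  return out;
}

// Entry point for the wallet's payment page: pageUrl is the page's own URL
// after the browser substituted the escaped bitcoin: URI for %s.
function parseHandlerRequest(pageUrl) {
  const uri = new URL(pageUrl).searchParams.get("uri");
  if (uri === null) throw new Error("missing uri parameter");
  return parseBitcoinUri(uri);
}
```

The parsed result only pre-fills the payment page; the user still confirms the address and amount before anything is sent.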

Peter Beverloo

Jun 24, 2014, 8:27:36 AM
to mi...@redinnovation.com, Chromium-discuss
The list of whitelisted schemes is defined by the WHATWG specification:

Since our implementation follows this list, the best course of action is to get agreement in the WHATWG (by e-mailing the wha...@whatwg.org list) about this addition, after which browsers can adopt the changes.

Thanks,
Peter



PhistucK

Jun 24, 2014, 8:28:54 AM
to Peter Beverloo, mi...@redinnovation.com, Chromium-discuss
It is actually there already.


PhistucK

Mikko Ohtamaa

Jun 24, 2014, 9:41:25 AM
to chromium...@chromium.org, pe...@chromium.org, mi...@redinnovation.com
Hi,


On Tuesday, June 24, 2014 3:28:54 PM UTC+3, PhistucK wrote:
It is actually there already.
On Tue, Jun 24, 2014 at 3:26 PM, Peter Beverloo <pe...@chromium.org> wrote:
The list of whitelisted schemes is defined by the WHATWG specification:

Since our implementation follows this list, the best course of action is to get agreement in the WHATWG (by e-mailing the wha...@whatwg.org list) about this addition, after which browsers can adopt the changes.

So, what's the procedure to go forward with the change? :)

Cheers,
Mikko

 