Bug 1647078 Comment 27 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

(In reply to :Gijs (he/him) from comment #22)
> Apologies if this is a dumb question, I don't normally work on our mobile apps. But why is web content allowed to navigate to `android-app:` protocol URIs? Is that required for web compat, even without user interaction? And even if we do need it, can we at least block the ones pointing to our own app's `content:` URL provider?

`android-app:` links are the way web pages open an app instead of a web page when navigating to them. We can definitely restrict them to user-interaction-only, and I think Fenix does that already.
(In reply to :Gijs (he/him) from comment #22)
> Apologies if this is a dumb question, I don't normally work on our mobile apps. But why is web content allowed to navigate to `android-app:` protocol URIs? Is that required for web compat, even without user interaction? And even if we do need it, can we at least block the ones pointing to our own app's `content:` URL provider?

`android-app:` links are the way web pages open an app instead of a web page when navigating to them. We can definitely restrict them to user-interaction-only, and I think Fenix does that already.

Also you're correct in thinking that `android-app:` should never open Firefox itself, just external apps (and we should probably check that for Fenix?). Although the same attack can be carried out by a local app on the device, which is still pretty bad.
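
The two restrictions discussed in this comment (user-interaction-only, and never letting an `android-app:` link resolve back to the browser itself) can be expressed as one gate in front of the intent launch. This is an added example, not Fenix or GeckoView code; the function name `mayLaunchAndroidAppUri` and the `hasUserGesture` parameter are hypothetical, and clearing the component and selector is extra hardening that the comment does not mention.

```kotlin
import android.content.Context
import android.content.Intent
import android.content.pm.PackageManager
import java.net.URISyntaxException

// Hypothetical helper: decides whether a navigation to an android-app: URI
// requested by web content may be handed to the OS as an intent.
fun mayLaunchAndroidAppUri(
    context: Context,
    uri: String,
    hasUserGesture: Boolean // assumed to be supplied by the embedding browser
): Boolean {
    if (!uri.startsWith("android-app:")) return false

    // Restriction 1: only in response to user interaction.
    if (!hasUserGesture) return false

    val intent = try {
        Intent.parseUri(uri, Intent.URI_ANDROID_APP_SCHEME)
    } catch (e: URISyntaxException) {
        return false // malformed URI: refuse rather than guess
    }

    // Extra hardening (not from the comment): the "#Intent;...;end" fragment
    // may name an explicit component or selector, so drop both and require
    // a BROWSABLE target before resolving.
    intent.component = null
    intent.selector = null
    intent.addCategory(Intent.CATEGORY_BROWSABLE)

    // Restriction 2: the link must open an external app, never this one.
    val self = context.packageName
    if (intent.getPackage() == self) return false

    // Check what the OS would actually start, not only what the URI claims.
    val target = context.packageManager
        .resolveActivity(intent, PackageManager.MATCH_DEFAULT_ONLY)
        ?: return false
    return target.activityInfo.packageName != self
}
```

As the comment notes, a gate like this only covers navigations started by web content; it does nothing about another app on the device sending the intent directly.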
