Open Bug 797034 Opened 12 years ago Updated 2 years ago

Improve handling of bad tel: URIs

Categories

(Core :: DOM: Navigation, defect, P5)

All
Android
defect

Tracking Status
firefox17 - ---
firefox18 - ---
fennec + ---

People

(Reporter: johns, Unassigned)

Details

(Keywords: uiwanted)

In bug 794034 we added a simple block for tel: URIs containing * or # characters, to prevent passing USSD codes to the dialer, which would improperly act on them without confirmation. We need to look into improving the UX here, so invalid numbers give some kind of user indication or prompt rather than failing silently.
We should also look into test coverage here.
Ian, can you provide a spec here?
Assignee: nobody → ibarlow
tracking-fennec: --- → ?
Keywords: uiwanted
This feels like more of a forward enhancement that we'd only uplift if the current implementation is deemed undesirable by our users.
tracking-fennec: ? → 19+
tracking-fennec: 19+ → +
Flags: needinfo?(ibarlow)
Assignee: ibarlow → nobody
Flags: needinfo?(ibarlow)
filter on [mass-p5]
Priority: -- → P5
The difference in behavior between Chrome and Firefox here is causing problems for the Google hangouts team.

I've asked a couple people on the Chrome team and we're not aware of it being a problem in practice, not sure why.  I've filed https://bugs.chromium.org/p/chromium/issues/detail?id=746427 to track exploring this more in Chrome.  Ideally to avoid developer confusion/pain we should try to unify (maybe even standardize) our behavior here.

Given the discussion at https://bugzilla.mozilla.org/show_bug.cgi?id=794034#c18 it sounds like at a minimum we could perhaps agree to reject tel: links that start or end with * or #? Or perhaps this issue is really obsolete in that modern Android dialers will prevent such dangerous automatic numbers themselves (given that we apparently haven't seen this be a problem in Chrome?)
Renominating for webcompat.
tracking-fennec: + → ?
tracking-fennec: ? → +
See comments from the Google hangouts team at https://bugzilla.mozilla.org/show_bug.cgi?id=1380386#c3
Note that I've run into people doing things like:

  <a href="tel:1-888-NNN-MMMM,111111111#">

to do a "dial a conference bridge, then enter conference id and pound sign" kind of thing.  That obviously doesn't work in Firefox right now...
Henri, let's talk on Monday about what we can do here.
Flags: needinfo?(hsivonen)
If all browsers need to take action on these URLs before passing them onto the system that should probably be addressed in the HTML Standard: https://github.com/whatwg/html/issues/new.
I'm not familiar enough with the problem to know if there are dangerous codes that don't start with either * or #. However, from what I do know, it seems reasonable to me to block only tel: whose start looks bad. Since we don't know what dialers do with invalid tel: URLs, it seems more prudent to me to use a start whitelist than a blacklist.

I suggest we pass tel: URLs to the system only if (after normalizing the scheme to lower case) the URL starts with "tel:" followed by a digit or starts with "tel:+" followed by a digit.
Flags: needinfo?(hsivonen)
And, indeed, the solution should be specced at the WHATWG level.

I'd like to echo this comment from the parent:

One change we could make is to ignore digits after pauses, which are not sent as part of the number, but rather as touch tones once the call is connected. This would mean |8005555555,#4000| would still work.

This problem is being magnified right now because Zoom provides "clickable" phone numbers which embed the '#' and which do not work on Firefox (i.e. they are not clickable). I believe that simply only rejecting the # and * which come before a pause, would be the most straight-forward solution.

With Firefox for Android 82.1.3, tel: links containing # are not blocked.

I find that the # and everything following it are dropped, but I believe that that's being done by the Android 11 dialer rather than by Firefox.

Severity: normal → S3
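
The three filtering policies discussed in this bug (the existing block on any * or #, the start allowlist, and rejecting * and # only before a pause), compared side by side as an added example; this is not Firefox code and not code from any commenter. Function names are hypothetical, the sample URIs are constructed, and treating only "," as a pause and decoding percent-escapes before checking are assumptions of the example.

```javascript
// Added example: three tel: filtering policies from this bug, compared.
// All function names are hypothetical; none of this is Firefox code.

// Part after "tel:" with percent-escapes decoded (an assumption of this
// example), or null if the string is not a tel: URI or is malformed.
function telBody(href) {
  const m = /^tel:(.*)$/i.exec(href.trim());
  if (!m) return null;
  try {
    return decodeURIComponent(m[1]);
  } catch (e) {
    return null; // malformed escape such as "%2": do not pass on
  }
}

// Policy A: the simple block described in the bug: any * or # is rejected.
function allowSimpleBlock(href) {
  const body = telBody(href);
  return body !== null && !/[*#]/.test(body);
}

// Policy B: start allowlist on the raw URL, scheme case-insensitive:
// "tel:" followed by a digit, or "tel:+" followed by a digit.
function allowStartAllowlist(href) {
  return /^tel:\+?[0-9]/i.test(href.trim());
}

// Policy C: reject * and # only before the first pause (assumed: ",");
// what follows the pause is sent as touch tones after the call connects.
function allowPauseAware(href) {
  const body = telBody(href);
  if (body === null) return false;
  const dialed = body.split(",")[0];
  return dialed.length > 0 && !/[*#]/.test(dialed);
}

function compare(href) {
  return { simple: allowSimpleBlock(href), start: allowStartAllowlist(href),
           pause: allowPauseAware(href) };
}

// Constructed sample inputs; the conference-bridge shape is from the comments.
const samples = ["tel:+18005550100", "tel:8005555555,#4000",
  "TEL:1-888-555-0100,111111111#", "tel:*000#", "tel:%2A000%23", "tel:1*000#"];
for (const s of samples) console.log(s, JSON.stringify(compare(s)));
```

The last sample is where the start allowlist and the pause-aware rule disagree: a leading digit satisfies the allowlist even though * and # appear in the part that is dialed.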