Improve handling of bad tel: URIs
Categories
(Core :: DOM: Navigation, defect, P5)
People
(Reporter: johns, Unassigned)
Details
(Keywords: uiwanted)
In bug 794034 we added a simple block for tel: URIs containing * or # characters, to prevent passing USSD codes to the dialer, which would improperly act on them without confirmation. We need to look into improving the UX here, so invalid numbers give some kind of user indication or prompt rather than failing silently.
Comment 1•12 years ago
We should also look into test coverage here
Comment 2•12 years ago
Ian, can you provide a spec here?
Comment 3•12 years ago
This feels like more of a forward enhancement that we'd only uplift if the current implementation is deemed undesirable by our users.
Comment 6•7 years ago
The difference in behavior between Chrome and Firefox here is causing problems for the Google Hangouts team. I've asked a couple people on the Chrome team and we're not aware of it being a problem in practice, not sure why. I've filed https://bugs.chromium.org/p/chromium/issues/detail?id=746427 to track exploring this more in Chrome. Ideally to avoid developer confusion/pain we should try to unify (maybe even standardize) our behavior here. Given the discussion at https://bugzilla.mozilla.org/show_bug.cgi?id=794034#c18 it sounds like at a minimum we could perhaps agree to reject tel: links that start or end with * or #? Or perhaps this issue is really obsolete in that modern Android dialers will prevent such dangerous automatic numbers themselves (given that we apparently haven't seen this be a problem in Chrome?)
Comment 8•7 years ago
See comments from the Google Hangouts team at https://bugzilla.mozilla.org/show_bug.cgi?id=1380386#c3
Comment 9•7 years ago
Note that I've run into people doing things like: <a href="tel:1-888-NNN-MMMM,111111111#"> to do a "dial a conference bridge, then enter conference id and pound sign" kind of thing. That obviously doesn't work in Firefox right now...
Comment 10•7 years ago
Henri, let's talk on Monday about what we can do here.
Comment 11•7 years ago
If all browsers need to take action on these URLs before passing them onto the system that should probably be addressed in the HTML Standard: https://github.com/whatwg/html/issues/new.
Comment 12•7 years ago
I'm not familiar enough with the problem to know if there are dangerous codes that don't start with either * or #. However, from what I do know, it seems reasonable to me to block only tel: whose start looks bad. Since we don't know what dialers do with invalid tel: URLs, it seems more prudent to me to use a start whitelist than a blacklist. I suggest we pass tel: URLs to the system only if (after normalizing the scheme to lower case) the URL starts with "tel:" followed by a digit or starts with "tel:+" followed by a digit.
Comment 13•7 years ago
And, indeed, the solution should be specced at the WHATWG level.
Comment 14•7 years ago
Escalated to the WHATWG: https://github.com/whatwg/html/issues/2875
Comment 16•4 years ago
I'd like to echo this comment from the parent:
One change we could make is to ignore digits after pauses, which are not sent as part of the number, but rather as touch tones once the call is connected. This would mean |8005555555,#4000| would still work.
This problem is being magnified right now because Zoom provides "clickable" phone numbers which embed the '#' and which do not work on Firefox (i.e. they are not clickable). I believe that simply only rejecting the # and * which come before a pause, would be the most straightforward solution.
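The three filtering policies discussed in this thread (the bug 794034 block, Comment 12's start allowlist, and Comment 16's pause-aware check), compared side by side on constructed inputs. This is an added example, not Firefox code and not written by any commenter; the function names are hypothetical, and it assumes `,` is the only pause character and that the URI string is already percent-decoded.

```javascript
// Added example; function names are hypothetical, not Firefox code.
// Assumption: input is the href string, already percent-decoded.

// Return the part after "tel:" (scheme compared in lower case), else null.
function telBody(uri) {
  const m = /^([a-z][a-z0-9+.-]*):(.*)$/is.exec(uri);
  return m && m[1].toLowerCase() === "tel" ? m[2] : null;
}

// Policy A (bug 794034): reject any tel: URI containing * or #.
function blockAnyStarHash(uri) {
  const body = telBody(uri);
  return body !== null && !/[*#]/.test(body);
}

// Policy B (Comment 12): allow only "tel:" + digit or "tel:+" + digit.
function startAllowlist(uri) {
  const body = telBody(uri);
  return body !== null && /^\+?[0-9]/.test(body);
}

// Policy C (Comment 16): reject * or # only before the first pause.
// Assumption: "," is the only pause character, as in the thread's examples.
function blockBeforePause(uri) {
  const body = telBody(uri);
  if (body === null) return false;
  const dialed = body.split(",", 1)[0]; // digits sent as the number itself
  return !/[*#]/.test(dialed);
}

// true means "would be passed to the dialer" under that policy.
function evaluate(uri) {
  return {
    uri,
    A: blockAnyStarHash(uri),
    B: startAllowlist(uri),
    C: blockBeforePause(uri),
  };
}

// Constructed sample inputs; the second and third are shapes quoted in the thread.
const samples = [
  "tel:+18005555555",
  "TEL:8005555555,#4000",
  "tel:1-888-NNN-MMMM,111111111#",
  "tel:*00#",  // constructed USSD-shaped string
  "tel:,*00#", // constructed: nothing before the pause
];
console.table(samples.map(evaluate));
```

Note the last sample: the pause-aware check accepts it because the part before the comma is empty, while the start allowlist rejects it.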
Comment 17•4 years ago
With Firefox for Android 82.1.3, tel: links containing # are not blocked.
I find that the # and everything following it are dropped, but I believe that that's being done by the Android 11 dialer rather than by Firefox.