Open Bug 1563030 Opened 4 months ago Updated 2 months ago

Custom URL schemes are being rate limited

Categories

(Firefox :: Untriaged, defect)

67 Branch
defect
Not set

UNCONFIRMED

People

(Reporter: dgross, Unassigned)

References

(Regression)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36

Steps to reproduce:

See attached html for demo repro:

  • Browse to a webpage that launches an external app via a custom URL scheme by modifying a hidden frame's src/location
  • Refresh page multiple times

Actual results:

In Firefox 66, this would show the "This link needs to be opened with an application" popup every time the page is hit.

In Firefox 67, the popup shows up only once every 10 seconds or so. It appears to be rate limited now.

Expected results:

The app switching popup should show up every time the page is refreshed.

Note: due to CSP issues, we cannot simply use window.location to achieve these results.

This limit is very intentionally introduced to prevent external protocols from being abused:
https://www.fxsitecompat.dev/en-CA/docs/2019/loading-of-external-protocol-url-in-iframe-is-now-blocked/

Regressed by: 1527882, 1514547

Masatoshi, this is intended, the bug is invalid? Thanks

Flags: needinfo?(VYV03354)

I don't know. It might be possible to relax the limit on user input. baku?

Flags: needinfo?(VYV03354) → needinfo?(amarchesini)

At the moment we have a timing token. We could extend it to support user-interaction, yes.
Edgar, is it something you are considering doing?

Flags: needinfo?(amarchesini) → needinfo?(echen)

I wasn't aware there is a timing token for iframe external protocols, and yes, the new user-interaction design should also consider this.
I am not sure if I understand your question correctly; it seems to me that it should just have the same behaviour if we move to the new user-interaction design, right?

Flags: needinfo?(echen) → needinfo?(amarchesini)

I just wanted to know if you (or somebody else) are considering this external protocol timing token as part of the new user-interaction design.

Flags: needinfo?(amarchesini)
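
An added illustration, not part of the bug thread and not Firefox's code: a small model of the behaviour discussed above, where frame-initiated external-protocol loads pass a timing gate and a user gesture relaxes it. The class name, the `myapp:` scheme, the event list and the rule that a gesture leaves the timer untouched are assumptions; the 10-second window is the reporter's estimate, not a value from the source tree.

```javascript
// Window taken from the reporter's observation ("once every 10 seconds or so").
const WINDOW_MS = 10000;

// Hypothetical gate. It lives outside the page, so its state survives reloads,
// which matches the report that refreshing does not bring the prompt back.
class ExternalProtocolGate {
  constructor(windowMs = WINDOW_MS) {
    this.windowMs = windowMs;
    this.lastTimedAllowAt = -Infinity; // last load let through by the timer
  }

  // request: { at: ms timestamp, url: string, userActivated: boolean }
  check(request) {
    const scheme = new URL(request.url).protocol;
    // Ordinary web navigations never reach the external-handler prompt.
    if (scheme === "http:" || scheme === "https:") {
      return { allowed: true, reason: "not-external" };
    }
    // Relaxation proposed in the thread: a user gesture bypasses the timer.
    // Assumption: it does not reset the timer either.
    if (request.userActivated) {
      return { allowed: true, reason: "user-activation" };
    }
    // Script-driven load (hidden frame src/location): one per window.
    if (request.at - this.lastTimedAllowAt >= this.windowMs) {
      this.lastTimedAllowAt = request.at;
      return { allowed: true, reason: "timing-token" };
    }
    return { allowed: false, reason: "rate-limited" };
  }
}

// Constructed sample: repeated page loads that set a hidden frame's src,
// plus one click-driven launch and one ordinary https frame load.
const SAMPLE_EVENTS = [
  { at: 0,     url: "myapp://open?id=1", userActivated: false },
  { at: 3000,  url: "myapp://open?id=1", userActivated: false },
  { at: 5000,  url: "myapp://open?id=1", userActivated: true  },
  { at: 6000,  url: "myapp://open?id=1", userActivated: false },
  { at: 12000, url: "myapp://open?id=1", userActivated: false },
  { at: 12500, url: "https://example.com/", userActivated: false },
];

function replay(events) {
  const gate = new ExternalProtocolGate();
  return events.map((e) => gate.check(e).reason);
}

console.log(replay(SAMPLE_EVENTS));
```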