Open Bug 1678994 Opened 4 years ago Updated 11 months ago

website permission to open special links in external applications not configurable

Categories

(Firefox :: Security, defect)

Product:
Firefox
Component:
Security
Version:
Firefox 84
Type:
defect

Tracking

()

Status:
UNCONFIRMED

People

(Reporter: natnael.kahssay, Unassigned)

References

Details

Attachments

(2 files, 1 obsolete file)

prompt_for_enabling_opening_external_links_without_asking.png
22.61 KB, image/png
Details
page_info_permissions_page.png
52.82 KB, image/png
Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0

Steps to reproduce:

opening special links in external applications provokes a menu. Enabling for a website updates the front page of site information and it can be disabled on a website basis from their but there is no information pertaining to this feature under the permissions page of page info nor under permissions in settings.
I looked over about:config and didn't find anything resembling configuration for this feature as well.
I am looking to enable it for all websites for a given link type.

Actual results:

I wasn't able to configure which websites have access to which external link type either in page info, in preferences page or in about:config.

Expected results:

I should have been able to configure which websites have access to which external link type either in page info, in preferences page or in about:config.

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → Preferences

Paul, any thoughts on this?

Component: Preferences → Security
Flags: needinfo?(pbz)

I think we should add open-protocol-handler to the permissions section in about:preferences#privacy. The dialog there could also have UI to disable the permission prompt for specific protocols.
Managing double keyed permissions in the page info permission list seems too complex, so I wouldn't add it there.

Blocks: 1675046
Flags: needinfo?(pbz)

(In reply to Paul Zühlcke [:pbz] from comment #5)

I think we should add open-protocol-handler to the permissions section in about:preferences#privacy. The dialog there could also have UI to disable the permission prompt for specific protocols.
Managing double keyed permissions in the page info permission list seems too complex, so I wouldn't add it there.

Yes, we should have this kind of UI but maybe it should be close to the "Applications" section of about:preferences instead?

Severity: -- → S3

Am I right that in the reported case the external protocol handler is invoked using a bookmarklet? For org-protocol I would recommend to install a dedicated add-on. Since pages does not contain URI to launch, it is generated on the fly, extension will ensure that context of URI handler is the add-on and unrelated to page origin. Another advantage that bookmarklets may be blocked by site Content Security Policy. Launching external scheme handler from add-on is not affected by CSP, but there are unfortunately some browser bugs.

Despite what I said above, I agree with the reporter that site permissions should be configurable and available for inspection.

Attachment #9385629 - Attachment is obsolete: true
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: