website permission to open special links in external applications not configurable
Categories
(Firefox :: Security, defect)
Tracking
()
People
(Reporter: natnael.kahssay, Unassigned)
References
Details
Attachments
(2 files, 1 obsolete file)
prompt_for_enabling_opening_external_links_without_asking.png
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0
Steps to reproduce:
opening special links in external applications provokes a menu. Enabling for a website updates the front page of site information and it can be disabled on a website basis from their but there is no information pertaining to this feature under the permissions page of page info nor under permissions in settings.
I looked over about:config and didn't find anything resembling configuration for this feature as well.
I am looking to enable it for all websites for a given link type.
Actual results:
I wasn't able to configure which websites have access to which external link type either in page info, in preferences page or in about:config.
Expected results:
I should have been able to configure which websites have access to which external link type either in page info, in preferences page or in about:config.
|
Reporter | |
Comment 1•5 years ago
|
||
|
|
Reporter | |
Comment 2•5 years ago
|
||
|
||
Comment 3•5 years ago
|
||
Bugbug thinks this bug should belong to this component, but please revert this change in case of error.
|
||
Comment 4•5 years ago
|
||
Paul, any thoughts on this?
|
||
Comment 5•5 years ago
•
|
||
I think we should add open-protocol-handler to the permissions section in about:preferences#privacy. The dialog there could also have UI to disable the permission prompt for specific protocols.
Managing double keyed permissions in the page info permission list seems too complex, so I wouldn't add it there.
|
|
||
Comment 7•5 years ago
|
||
(In reply to Paul Zühlcke [:pbz] from comment #5)
I think we should add
open-protocol-handlerto the permissions section in about:preferences#privacy. The dialog there could also have UI to disable the permission prompt for specific protocols.
Managing double keyed permissions in the page info permission list seems too complex, so I wouldn't add it there.
Yes, we should have this kind of UI but maybe it should be close to the "Applications" section of about:preferences instead?
|
||
Updated•3 years ago
|
Am I right that in the reported case the external protocol handler is invoked using a bookmarklet? For org-protocol I would recommend to install a dedicated add-on. Since pages does not contain URI to launch, it is generated on the fly, extension will ensure that context of URI handler is the add-on and unrelated to page origin. Another advantage that bookmarklets may be blocked by site Content Security Policy. Launching external scheme handler from add-on is not affected by CSP, but there are unfortunately some browser bugs.
Despite what I said above, I agree with the reporter that site permissions should be configurable and available for inspection.
|
||
Updated•2 years ago
|
|
||
Comment 10•1 month ago
|
||
I noticed this problem on Firefox 147.0.3 on NixOS with a Discord invite link. Clicking the link opens a browser tab on discord.com as I'd expect, but a moment later my external Discord app also pops up with the invitation. I want to be able to configure Firefox so that all external link handling goes through a consent prompt.
Under Settings > Applications, I have all actions set to either "Always ask" or "Open in Firefox", except for https, which is set to "Use Firefox (default)". There is no content type entry for Discord specifically. In response to discovering this unexpected behavior, I tried setting the preference "network.protocol-handler.external-default" to false, but that doesn't seem to have changed anything.
I don't know if this is a regression or I'm holding it wrong or what, but this breaks my model for security and privacy.
Description
•