Improve handling of bad tel: URIs




Document Navigation
6 years ago
9 months ago


(Reporter: johns, Unassigned)




Firefox Tracking Flags

(firefox17-, firefox18-, fennec+)




6 years ago
In bug 794034 we added a simple block for tel: URIs containing * or # characters, to prevent passing USSD codes to the dialer, which would improperly act on them without confirmation. We need to look into improving the UX here, so invalid numbers give some kind of user indication or prompt rather than failing silently.

Comment 1

6 years ago
We should also look into test coverage here
tracking-firefox17: --- → ?
tracking-firefox18: --- → ?
Ian, can you provide a spec here?
Assignee: nobody → ibarlow
tracking-fennec: --- → ?
Keywords: uiwanted

Comment 3

6 years ago
This feels like more of a forward enhancement that we'd only uplift if the current implementation is deemed undesirable by our users.
tracking-firefox17: ? → -
tracking-firefox18: ? → -
tracking-fennec: ? → 19+
tracking-fennec: 19+ → +
Flags: needinfo?(ibarlow)


5 years ago
Assignee: ibarlow → nobody
Flags: needinfo?(ibarlow)
filter on [mass-p5]
Priority: -- → P5


9 months ago
Duplicate of this bug: 1380386

Comment 6

9 months ago
The difference in behavior between Chrome and Firefox here is causing problems for the Google hangouts team.

I've asked a couple people on the Chrome team and we're not aware of it being a problem in practice, not sure why.  I've filed to track exploring this more in Chrome.  Ideally to avoid developer confusion/pain we should try to unify (maybe even standardize) our behavior here.

Given the discussion at it sounds like a minimum we could perhaps agree to reject tel: links that start or end with * or #?  Or perhaps this issue is really obsolete in that modern Android dialers will prevent such dangerous automatic numbers themselves (given that we apparently haven't seen this be a problem in Chrome?)
Renominating for webcompat.
tracking-fennec: + → ?
tracking-fennec: ? → +

Comment 8

9 months ago
See comments from the Google hangouts team at
Note that I've run into people doing things like:

  <a href="tel:1-888-NNN-MMMM,111111111#">

to do a "dial a conference bridge, then enter conference id and pound sign" kind of thing.  That obviously doesn't work in Firefox right now...
Henri, let's talk on Monday about what we can do here.
Flags: needinfo?(hsivonen)

Comment 11

9 months ago
If all browsers needs to take action on these URLs before passing them onto the system that should probably be addressed in the HTML Standard:
I'm not familiar enough with the problem to know if there are dangerous codes that don't start with either * or #. However, from what I do know, it seems reasonable to me block only tel: whose start looks bad. Since we don't know what dialers do with invalid tel: URLs, it seems more prudent to me to use a start whitelist than a blacklist.

I suggest we pass tel: URLs to the system only if (after normalizing the scheme to lower case) the URL starts with "tel:" followed by a digit or starts with "tel:+" followed by a digit.
Flags: needinfo?(hsivonen)
And, indeed, the solution should be specced at the WHATWG level.
You need to log in before you can comment on or make changes to this bug.