In bug 794034 we added a simple block for tel: URIs containing * or # characters, to prevent passing USSD codes to the dialer, which would improperly act on them without confirmation. We need to look into improving the UX here, so invalid numbers give some kind of user indication or prompt rather than failing silently.
We should also look into test coverage here.
tracking-firefox17: --- → ?
tracking-firefox18: --- → ?
Ian, can you provide a spec here?
Assignee: nobody → ibarlow
tracking-fennec: --- → ?
This feels like more of a forward enhancement that we'd only uplift if the current implementation is deemed undesirable by our users.
tracking-firefox17: ? → -
tracking-firefox18: ? → -
filter on [mass-p5]
Priority: -- → P5
The difference in behavior between Chrome and Firefox here is causing problems for the Google Hangouts team. I've asked a couple people on the Chrome team and we're not aware of it being a problem in practice, not sure why. I've filed https://bugs.chromium.org/p/chromium/issues/detail?id=746427 to track exploring this more in Chrome. Ideally to avoid developer confusion/pain we should try to unify (maybe even standardize) our behavior here. Given the discussion at https://bugzilla.mozilla.org/show_bug.cgi?id=794034#c18 it sounds like at a minimum we could perhaps agree to reject tel: links that start or end with * or #? Or perhaps this issue is really obsolete in that modern Android dialers will prevent such dangerous automatic numbers themselves (given that we apparently haven't seen this be a problem in Chrome?)
Renominating for webcompat.
tracking-fennec: + → ?
See comments from the Google Hangouts team at https://bugzilla.mozilla.org/show_bug.cgi?id=1380386#c3
Note that I've run into people doing things like: <a href="tel:1-888-NNN-MMMM,111111111#"> to do a "dial a conference bridge, then enter conference id and pound sign" kind of thing. That obviously doesn't work in Firefox right now...
Henri, let's talk on Monday about what we can do here.
If all browsers need to take action on these URLs before passing them onto the system that should probably be addressed in the HTML Standard: https://github.com/whatwg/html/issues/new.
I'm not familiar enough with the problem to know if there are dangerous codes that don't start with either * or #. However, from what I do know, it seems reasonable to me to block only tel: whose start looks bad. Since we don't know what dialers do with invalid tel: URLs, it seems more prudent to me to use a start whitelist than a blacklist. I suggest we pass tel: URLs to the system only if (after normalizing the scheme to lower case) the URL starts with "tel:" followed by a digit or starts with "tel:+" followed by a digit.
And, indeed, the solution should be specced at the WHATWG level.
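The three filtering rules discussed in this bug, side by side, as an added example (not Firefox or Chrome code): the existing block on any * or #, the start-or-end rule, and the start allowlist. Function names and sample URIs are constructed, and the checks assume they receive the raw href string, with percent-escapes decoded for the two blocklists.

```javascript
// Added example: names and sample URIs are constructed, not browser code.

// Return everything after a case-insensitive "tel:" scheme, or null if not tel:.
function telBody(uri) {
  const u = uri.trim();
  return /^tel:/i.test(u) ? u.slice(4) : null;
}

// Percent-decode so "%23" is seen as "#"; malformed escapes are left raw.
function decoded(body) {
  try { return decodeURIComponent(body); } catch (e) { return body; }
}

// Rule 1 (current block): pass only if the number contains no * or #.
function containsBlock(uri) {
  const b = telBody(uri);
  return b !== null && !/[*#]/.test(decoded(b));
}

// Rule 2 (raised in the thread): reject only a leading or trailing * or #.
function startEndBlock(uri) {
  const b = telBody(uri);
  if (b === null) return false;
  const d = decoded(b);
  return !/^[*#]/.test(d) && !/[*#]$/.test(d);
}

// Rule 3 (proposed allowlist): "tel:" + digit, or "tel:+" + digit.
function startAllowlist(uri) {
  const b = telBody(uri);
  return b !== null && /^\+?[0-9]/.test(b);
}

// true means "would be passed to the system dialer" under that rule.
function evaluate(uri) {
  return { contains: containsBlock(uri), startEnd: startEndBlock(uri),
           allowlist: startAllowlist(uri) };
}

const samples = [                      // constructed inputs
  "tel:+15555550100",                  // international form
  "TEL:555-0100",                      // upper-case scheme
  "tel:*123%23",                       // starts with *, ends with encoded #
  "tel:1-888-555-0100,111111111#",     // conference bridge pattern from the thread
  "tel:(555)555-0100",                 // starts with a parenthesis
];
for (const s of samples) console.log(s, JSON.stringify(evaluate(s)));
```

Only the allowlist passes the conference-bridge pattern, and only the allowlist rejects the parenthesized number, which is the compatibility trade-off a start-only rule makes.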
Escalated to the WHATWG: https://github.com/whatwg/html/issues/2875
See Also: → https://github.com/whatwg/html/issues/2875