On Wed, Jul 8, 2026 at 9:28 AM Michael Catanzaro <[email protected]> wrote:
>
> I don't necessarily disagree, but there is a reason why it is this way. 
> Consider:
>
> On Wed, Jul 8, 2026 at 1:32 PM, Daniel P. Berrangé wrote:
>
> --
> |: https://berrange.com ~~  https://hachyderm.io/@berrange :|
> |: https://libvirt.org ~~  https://entangle-photo.org :|
> |: https://pixelfed.art/berrange ~~  https://fstop138.berrange.com :|
>
> --
> _______________________________________________
> devel mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/[email protected]
> Do not reply to spam, report it: 
> https://forge.fedoraproject.org/infra/tickets/issues/new
>
>
> Yes, I just quoted only the footer of your mail. Look at all those 
> hyperlinks. What happens when you click on the link? Assuming your email 
> client is running under Flatpak, then currently it opens in a web browser. 
> But if we change the OpenURI portal to display UI, then you'll instead see a 
> dialog prompting you to select an application in which to open the link. And 
> now the user is likely pretty annoyed, because users like to click on links. 
> Lots and lots of links. Who doesn't? So we have to consider the trade-off 
> between quality user experience vs. risk of messing up by installing a risky 
> desktop file.
>
> Of course there are possible middle ground solutions. We could choose to 
> allowlist http:// and https:// URLs, and possibly even mailto: and tel:, on 
> the assumption that these are very likely safe. But confusingly, the OpenURI 
> portal handles not just URLs, but also files. Any desktop file that can 
> handle MIME types is implicated. So download an image in your web browser and 
> click on it: do you want it to open in your image viewer (probably?) or do 
> you want to see some sort of security prompt?

If we're going to bring the discussion of the underlying mechanisms
here, some users *do* want to see security prompts even when opening
safe URL types liike HTTPS. If I have an application with a network
namespace that forces everything it does through Tor (oniux does
this), and that application tries to open an HTTPS link using the
default MIME handler, I do *not* want it to just open, because that
allows my network-confined application to make an HTTP request outside
of its network namespace. If an attacker controls the URL that is
opened and the server hosting the content that URL reaches out to, now
they can deanonymize me.

Somewhere I suggested adding a "paranoid mode" config option to
xdg-desktop-portal for always showing prompts even if the answer to
"what app should I open" should be obvious. I think this was in a
private report that I sent to flatpak-security some months back.

--
Aaron
-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to