Summary: Restrict opening external protocols from sandboxed iframes. In order to open external protocols, sandboxed BrowsingContexts need to have any of the following sandbox flags:
- allow-top-navigation-to-custom-protocols
- allow-popups
- allow-top-navigation
- allow-top-navigation-with-user-activation

Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1735746
Specification: https://html.spec.whatwg.org/#hand-off-to-external-software
Discussion: https://github.com/whatwg/html/issues/2191
Platform coverage: all
Preference: dom.block_external_protocol_navigation_from_sandbox
Other browsers:
  Blink: Intent to Ship <https://groups.google.com/a/chromium.org/g/blink-dev/c/-t-f7I6VvOI>
  WebKit: Patch <https://github.com/WebKit/WebKit/commit/91bba6b31fd89aaec6e4e9ed5a44d9bb3c91c413>
web-platform-tests: Not currently covered by WPT. I’ve filed a bug for adding a test: https://bugzilla.mozilla.org/show_bug.cgi?id=1762420 However, it is unclear if it’s possible to test external protocols with the current test wrapper.

I'm planning to land a patch for Nightly in the coming days and later enable it in Release if we don't run into major web compat issues.

Please reach out if you have any questions or concerns about this change.
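
The flag check described in this message, as an added example that is not part of the original post and is not Firefox code: it audits iframe sandbox attribute values and reports which frames would keep the ability to open external protocols. The function names and the sample frames are constructed for illustration; only the four flag names come from the message.

```javascript
// Flags named in the message; any one of them is sufficient.
const GRANTING_FLAGS = [
  "allow-top-navigation-to-custom-protocols",
  "allow-popups",
  "allow-top-navigation",
  "allow-top-navigation-with-user-activation",
];

// The sandbox attribute is a set of ASCII-whitespace-separated tokens,
// compared ASCII case-insensitively.
function parseSandbox(value) {
  return new Set(
    value
      .split(/[ \t\n\f\r]+/)
      .filter(Boolean)
      .map((t) => t.replace(/[A-Z]/g, (c) => c.toLowerCase()))
  );
}

// sandboxAttr: attribute value as a string, or null when the iframe has no
// sandbox attribute at all. Limitation: only this one frame's attribute is
// checked; flags inherited from ancestor frames are not modelled.
function externalProtocolPolicy(sandboxAttr) {
  if (sandboxAttr === null || sandboxAttr === undefined) {
    return { sandboxed: false, allowed: true, grantedBy: [] };
  }
  const tokens = parseSandbox(sandboxAttr);
  const grantedBy = GRANTING_FLAGS.filter((f) => tokens.has(f));
  return { sandboxed: true, allowed: grantedBy.length > 0, grantedBy };
}

// Constructed sample data: frame ids and attribute values are made up.
const SAMPLE_FRAMES = [
  { id: "ad-slot", sandbox: "allow-scripts allow-same-origin" },
  { id: "widget", sandbox: "allow-scripts Allow-Popups" },
  { id: "chat", sandbox: "allow-scripts allow-top-navigation-to-custom-protocols" },
  { id: "locked", sandbox: "" },   // empty attribute: fully sandboxed
  { id: "legacy", sandbox: null }, // no attribute: restriction does not apply
];

function auditFrames(frames) {
  return frames.map((f) => ({ id: f.id, ...externalProtocolPolicy(f.sandbox) }));
}

for (const r of auditFrames(SAMPLE_FRAMES)) {
  const why = r.sandboxed ? r.grantedBy.join(", ") || "no granting flag" : "not sandboxed";
  console.log(`${r.id}: ${r.allowed ? "allowed" : "blocked"} (${why})`);
}
```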
