On Wed, Jul 8, 2026 at 9:28 AM Michael Catanzaro <[email protected]> wrote: > > I don't necessarily disagree, but there is a reason why it is this way. > Consider: > > On Wed, Jul 8, 2026 at 1:32 PM, Daniel P. Berrangé wrote: > > -- > |: https://berrange.com ~~ https://hachyderm.io/@berrange :| > |: https://libvirt.org ~~ https://entangle-photo.org :| > |: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :| > > -- > _______________________________________________ > devel mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/[email protected] > Do not reply to spam, report it: > https://forge.fedoraproject.org/infra/tickets/issues/new > > > Yes, I just quoted only the footer of your mail. Look at all those > hyperlinks. What happens when you click on the link? Assuming your email > client is running under Flatpak, then currently it opens in a web browser. > But if we change the OpenURI portal to display UI, then you'll instead see a > dialog prompting you to select an application in which to open the link. And > now the user is likely pretty annoyed, because users like to click on links. > Lots and lots of links. Who doesn't? So we have to consider the trade-off > between quality user experience vs. risk of messing up by installing a risky > desktop file. > > Of course there are possible middle ground solutions. We could choose to > allowlist http:// and https:// URLs, and possibly even mailto: and tel:, on > the assumption that these are very likely safe. But confusingly, the OpenURI > portal handles not just URLs, but also files. Any desktop file that can > handle MIME types is implicated. So download an image in your web browser and > click on it: do you want it to open in your image viewer (probably?) or do > you want to see some sort of security prompt?
If we're going to bring the discussion of the underlying mechanisms here, some users *do* want to see security prompts even when opening safe URL types liike HTTPS. If I have an application with a network namespace that forces everything it does through Tor (oniux does this), and that application tries to open an HTTPS link using the default MIME handler, I do *not* want it to just open, because that allows my network-confined application to make an HTTP request outside of its network namespace. If an attacker controls the URL that is opened and the server hosting the content that URL reaches out to, now they can deanonymize me. Somewhere I suggested adding a "paranoid mode" config option to xdg-desktop-portal for always showing prompts even if the answer to "what app should I open" should be obvious. I think this was in a private report that I sent to flatpak-security some months back. -- Aaron -- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
