mailto links open mail application without prompt
Reported by yigityil...@gmail.com, Mar 21 2018
Issue description

Summary: A website can open the application without user permission with Google Chrome, and a website can command any application with Google Chrome.

Steps to reproduce:
1. Open "proofofconcept.html" with Google Chrome.

Actual results: A website can open the application without user permission with Google Chrome, and a website can command any application with Google Chrome.

Expected results: A question function should be added (for example: "Do you want to open it in Mail?").

Notes: Chrome asks questions to start other apps but does not ask for mail.

Attack scenario: A website can do it consistently for some ads or mala fide purposes (a +18 App Store app redirect, or +18 personal phone numbers, can open in Messages; a website can create erotic or spam mail content). People may encounter things they do not want to see.

Version: 65.0.3325.181
Platform: Windows 10 x64 Home Single Language
Mar 21 2018
Essentially the same as Issue 329188; Issue 78592 is related in that it proposes a gesture requirement for protocol invocation.
Mar 22 2018
Hello, Google Chrome asks a question before starting Skype or a third-party application, and for system applications. But Google Chrome does not ask for "mailto://". If you test with other schemes (see: https://docs.microsoft.com/en-us/windows/uwp/launch-resume/launch-default-app), Google Chrome asks a question before starting the app.
Mar 22 2018
Correct, Chrome prompts before invocation of launching external handlers for Application Protocols. Mailto is a special case that does not trigger such a prompt.
Mar 22 2018
This can lead to the situation I mentioned above. Microsoft Edge and similar browsers have taken precautions about this issue.
Mar 22 2018
By way of comparison: Firefox, Safari, and Internet Explorer also do not show prompts in this scenario. It's correct to note that Edge does show a "Switching apps" prompt; that is related to how code running in Windows 10 AppContainer sandboxes invokes protocols through the shell.
Mar 22 2018
This seems to be working-as-intended, but we can discuss further whether we may want to change this behavior in the future to align with other protocol handlers. Changing this to a feature request issue and dropping the security restriction. Also worth noting in regards to the "Attack Scenario": Anything a malicious page or advertisement could display in the Mail application they could also display in the tab they are currently running in.
Mar 23 2018
If you look at what they say, this feature (the question) should be removed for other applications, because what you're talking about is true for other applications as well. Please review the precautions Apple and Microsoft have taken in this regard. Look at Microsoft Edge, for example: if you open the mail application from a link, Edge does not ask a question before starting the app. But when the site wants to start the mail application automatically (iframe or a similar method), Edge asks a question. Safari is no different from Edge. Chrome should add a question feature like the one in Edge.
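The distinction drawn above, between a mailto link that needs a click and one that a page fires on its own (iframe src, script navigation), is what an ad-network or site operator reviewing third-party creatives would want to check for before Chrome ever sees the page. The following static scanner is an added example, not Chromium code or the reporter's proof of concept; the scheme list, the sample creative and the `.invalid` addresses are constructed for illustration.

```python
"""Flag external-protocol launches in an HTML creative that fire without a user
gesture, while leaving ordinary <a href="mailto:"> links alone. Added example."""
import re
from html.parser import HTMLParser

# Schemes the browser hands to an external application. mailto is the one that
# launched without a prompt in this report (constructed list for the example).
EXTERNAL_SCHEMES = ("mailto:", "tel:", "sms:", "skype:")

def is_external(url):
    return url.strip().lower().startswith(EXTERNAL_SCHEMES)

class AutoLaunchFinder(HTMLParser):
    """Collects where a creative would invoke an external handler on load."""
    def __init__(self):
        super().__init__()
        self.automatic = []   # fires on load, no user gesture involved
        self.gesture = []     # plain links, need a click to fire
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src, href = a.get("src") or "", a.get("href") or ""
        if tag in ("iframe", "frame") and is_external(src):
            self.automatic.append((tag, src))
        elif tag == "a" and is_external(href):
            self.gesture.append((tag, href))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if not self._in_script:
            return
        # Inline script assigning location(.href) or calling window.open().
        pat = r'(?:location(?:\.href)?\s*=|window\.open\s*\()\s*["\']([^"\']+)["\']'
        for m in re.finditer(pat, data):
            if is_external(m.group(1)):
                self.automatic.append(("script", m.group(1)))

def scan_creative(html):
    p = AutoLaunchFinder()
    p.feed(html)
    return {"automatic": p.automatic, "gesture": p.gesture}

# Constructed sample: one honest link, one hidden frame, one scripted launch.
SAMPLE = """<a href="mailto:sales@example.invalid">Contact us</a>
<iframe src="mailto:spam@example.invalid?subject=hi" style="display:none"></iframe>
<script>setTimeout(function(){ location.href = "mailto:x@example.invalid"; }, 10);</script>
"""

if __name__ == "__main__":
    r = scan_creative(SAMPLE)
    for kind, url in r["automatic"]:
        print("BLOCK", kind, url)
    for kind, url in r["gesture"]:
        print("allow", kind, url)
```

Run it over a creative before it is served: anything in `automatic` reaches the mail client (or another handler) with no click, which is exactly the case Chrome does not prompt for here.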
Comment 1 by elawrence@chromium.org, Mar 21 2018
Summary: mailto links open mail application without prompt (was: Google Chrome Authorization Bypass)