Re: Firefox permission dialog and org-protocol
From: Samuel Wales
Subject: Re: Firefox permission dialog and org-protocol
Date: Mon, 30 Jan 2023 18:59:32 -0700
unable to follow this but it sounds like a big deal and i am glad that
you are looking into it. thanks.
[my use case fwiw:
1] it is disruptive for me having org-capture not work [i do not always use kb].
2] x-wide capture using emacsclient would presumably not contain the
page title in firefox.
3] if automatic reliable confirmation if possible results as a side
effect of this work, great.
4] oh do i ever want advanced spookfox!
please ignore all of this just want to say thanks.]
On 1/29/23, Max Nikulin <manikulin@gmail.com> wrote:
> On 29/01/2023 20:50, Ihor Radchenko wrote:
>> Max Nikulin writes:
>>> On 26/01/2023 01:01, Ihor Radchenko wrote:
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1678994
>>>
>>> Bug 1678994 "website permission to open special links in external
>>> applications not configurable"
> ...
>> It appears to be a newer version of Firefox.
>> I originally got to know about the problem from
>> https://old.reddit.com/r/emacs/comments/10jr2up/orgprotocol_permissions_on_firefox/
>
> Likely the person uses a bookmarklet to initiate capture. In this case the
> JavaScript snippet is executed in the context of the current web site,
> so it is necessary to confirm permission for each site. I would
> recommend installing an add-on for org-protocol instead. It would be
> enough to confirm once that *this extension* is allowed to launch
> external application through a custom scheme URI.
>
> An additional advantage is that if some site had a malicious
> org-protocol link hidden by some attractive description then the browser
> would ask the user even if some pages on the same site were captured earlier.
>
> I faced a similar issue 3 years ago when "always allow" checkbox just
> disappeared from chromium popup.
>
> The popup with permission request appeared because some version of Zoom
> allowed unsolicited video calls. They decided that a dialog in the app
> before switching on camera would be annoying to users. Users already
> confirmed their intention in the Safari dialog. So other browsers had to
> add this popup as well. The intention is to avoid joining a video call
> accidentally while being naked.
>
> https://infosecwriteups.com/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5?gi=2ed4ab044837
> Jonathan Leitschuh. Zoom Zero Day: 4+ Million Webcams & maybe an RCE?
> Just get them to visit your website! 2019-07-08
>
> To summarize, I believe that a browser extension is a safer way to use
> org-protocol. With a native messaging helper application it is even
> possible to avoid desktop-wide org-protocol configuration and to call
> emacsclient directly by the add-on but not through links on non-trusted
> web sites.
>
> P.S. Actually launching an application from an add-on is not really
> reliable as well. The following issue has links to some other bugs. Not
> to mention that external scheme URI is a shoot and forget approach with
> hardly possible error detection. (A native host application may check
> emacsclient exit code.)
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1745931
> External scheme handler configured to "Always ask" can not be launched
> from add-on background page.
>
--
The Kafka Pandemic
A blog about science, health, human rights, and misopathy:
https://thekafkapandemic.blogspot.com
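
The native messaging helper mentioned in the quoted message (an add-on calls emacsclient directly and the helper checks its exit code), as an added example that is not code from the thread or from any existing add-on. Assumptions: the JSON fields `url`, `title` and `body`, the capture template key `w`, the 1 MiB size cap, and an `emacsclient` on PATH talking to an Emacs with org-protocol loaded.

```python
import json
import struct
import subprocess
import sys
from urllib.parse import quote, urlencode, urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: only web pages are captured
TEMPLATE_KEY = "w"                   # hypothetical org-capture template key
MAX_LEN = 1 << 20                    # assumption: refuse frames over 1 MiB

def read_message(stream):
    """Read one native messaging frame: 4-byte native-endian length, then JSON."""
    header = stream.read(4)
    if len(header) < 4:
        return None                  # browser closed the pipe
    (length,) = struct.unpack("=I", header)
    if length > MAX_LEN:
        raise ValueError("frame too large")
    return json.loads(stream.read(length).decode("utf-8"))

def write_message(stream, obj):
    data = json.dumps(obj).encode("utf-8")
    stream.write(struct.pack("=I", len(data)) + data)
    stream.flush()

def build_capture_uri(msg):
    """Build the org-protocol capture URI; every field is percent-encoded."""
    if not isinstance(msg, dict):
        raise ValueError("message must be a JSON object")
    url = str(msg.get("url", ""))
    if urlsplit(url).scheme not in ALLOWED_SCHEMES:
        raise ValueError("refusing to capture non-web URL")
    params = {"template": TEMPLATE_KEY, "url": url,
              "title": str(msg.get("title", "")), "body": str(msg.get("body", ""))}
    return "org-protocol://capture?" + urlencode(params, quote_via=quote)

def handle_message(msg, run=subprocess.run):
    try:
        uri = build_capture_uri(msg)
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}
    # Argument list, no shell: page-controlled text is never parsed as a command.
    proc = run(["emacsclient", uri], capture_output=True, text=True, timeout=10)
    # Unlike a fire-and-forget scheme URI, the exit code goes back to the add-on.
    return {"ok": proc.returncode == 0, "exit_code": proc.returncode,
            "stderr": proc.stderr.strip()}

if __name__ == "__main__":
    while (m := read_message(sys.stdin.buffer)) is not None:
        write_message(sys.stdout.buffer, handle_message(m))
```
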