From: Max Nikulin <manikulin@gmail.com>
To: emacs-orgmode@gnu.org
Subject: Re: Firefox permission dialog and org-protocol
Date: Mon, 30 Jan 2023 12:48:31 +0700
Message-ID: <tr7lnh$10jr$1@ciao.gmane.io>
In-Reply-To: <87pmaxe9fk.fsf@localhost>

On 29/01/2023 20:50, Ihor Radchenko wrote:
> Max Nikulin writes:
>> On 26/01/2023 01:01, Ihor Radchenko wrote:
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1678994
>>
>> Bug 1678994 "website permission to open special links in external
>> applications not configurable"
...
> It appears to be a newer version of Firefox.
> I originally got to know about the problem from
> https://old.reddit.com/r/emacs/comments/10jr2up/orgprotocol_permissions_on_firefox/

Likely the person uses a bookmarklet to initiate capture. In this case
the JavaScript snippet is executed in the context of the current web site,
so it is necessary to confirm permission for each site. I would
recommend installing an add-on for org-protocol instead. It would be
enough to confirm once that *this extension* is allowed to launch
an external application through a custom scheme URI.

An additional advantage is that if some site had a malicious
org-protocol link hidden by some attractive description then the browser
would ask the user even if some pages on the same site were captured earlier.

I faced a similar issue 3 years ago when the "always allow" checkbox just
disappeared from the Chromium popup.

The popup with the permission request appeared because some version of Zoom
allowed an unsolicited video call. They decided that a dialog in the app
before switching on the camera would be annoying to users. Users already
confirmed their intention in the Safari dialog. So other browsers had to
add this popup as well. The intention is to avoid joining a video call
accidentally while being naked.

https://infosecwriteups.com/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5?gi=2ed4ab044837
Jonathan Leitschuh. Zoom Zero Day: 4+ Million Webcams & maybe an RCE?
Just get them to visit your website! 2019-07-08

To summarize, I believe that a browser extension is a safer way to use
org-protocol. With a native messaging helper application it is even
possible to avoid desktop-wide org-protocol configuration and to call
emacsclient directly by the add-on but not through links on non-trusted
web sites.

P.S. Actually launching an application from an add-on is not really
reliable as well. The following issue has links to some other bugs. Not
to mention that an external scheme URI is a shoot and forget approach with
hardly possible error detection. (A native host application may check
the emacsclient exit code.)

https://bugzilla.mozilla.org/show_bug.cgi?id=1745931
External scheme handler configured to "Always ask" can not be launched
from add-on background page.
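
A native messaging helper of the kind the message describes, as an added example that is not part of the original message or of any existing add-on: it reads the browser's length-prefixed JSON frames, builds the org-protocol capture URI itself, runs emacsclient without a shell and reports the exit code back to the add-on. The message fields `url`, `title` and `body`, the template key `w` and the 1 MiB cap are assumptions made for this example.

```python
import json
import struct
import subprocess
import sys
from urllib.parse import quote, urlencode

MAX_MESSAGE = 1024 * 1024  # assumed cap for this example
TEMPLATE = "w"             # assumed capture template key, fixed by the host

def read_message(stream):
    """Read one frame: 32-bit native-endian length, then UTF-8 JSON."""
    header = stream.read(4)
    if len(header) < 4:
        return None  # the browser closed the pipe
    (length,) = struct.unpack("=I", header)
    if length > MAX_MESSAGE:
        raise ValueError("oversized message")
    return json.loads(stream.read(length).decode("utf-8"))

def write_message(stream, obj):
    """Send a reply to the add-on using the same framing."""
    data = json.dumps(obj).encode("utf-8")
    stream.write(struct.pack("=I", len(data)) + data)
    stream.flush()

def build_capture_url(msg):
    """Build the URI here so the caller cannot pick another sub-protocol."""
    if not isinstance(msg, dict) or not isinstance(msg.get("url"), str):
        raise ValueError("expected an object with a string 'url'")
    if not msg["url"].startswith(("http://", "https://")):
        raise ValueError("only http(s) page URLs are accepted")
    fields = {"template": TEMPLATE, "url": msg["url"],
              "title": str(msg.get("title", "")),
              "body": str(msg.get("body", ""))}
    return "org-protocol://capture?" + urlencode(fields, quote_via=quote)

def run_capture(msg, command=("emacsclient",)):
    """Call emacsclient without a shell and report its exit code."""
    try:
        proc = subprocess.run([*command, build_capture_url(msg)],
                              capture_output=True, text=True, timeout=30)
    except (ValueError, OSError, subprocess.TimeoutExpired) as err:
        return {"ok": False, "error": str(err)}
    return {"ok": proc.returncode == 0, "exit_code": proc.returncode,
            "stderr": proc.stderr.strip()}

if __name__ == "__main__":
    while (request := read_message(sys.stdin.buffer)) is not None:
        write_message(sys.stdout.buffer, run_capture(request))
```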