However, the fact that the "read:" protocol is a thing -- and the fact that it works the way it works -- is absolutely insane. Who in their right mind would think that's a good idea? Forget sandboxing, whose bright idea was it to let a web browser access local files willy-nilly? Mind-boggling.
The first thing I'd say if someone came to me with that idea is (a) no way and (b) if you really want to do it, you need a security mechanism like 300x stronger than CORS and probably a popup that lets the user know what's going on.
9/10 of these "good intentioned" additions to browsers end up being used in exploits, and even if they aren't, just being in one browser is rarely useful.
The "ms-windows-store:" protocol is documented. Some other fun things you can launch:
- ms-people: - Opens the contacts list program.
- ms-settings: - Opens the settings program. Microsoft encourages using this so that if your app wants, say, to access the microphone, and privacy settings won't permit it, it can force the privacy settings app open to apply pressure to the user to let the app use the microphone.
- ms-windows-store: - aim user at the Windows store for a specific item
- bingmaps:, ms-drive-to:, and ms-walk-to: - bring up the native map application
- ms-tonepicker: - mess with ringtone settings
There's no mention of "read:", though.
However, any installed app can install new protocol IDs, and web pages can then trigger that app. What could possibly go wrong?
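Because any installed app can register a scheme, a read-only listing of what is registered on a machine is a useful starting point for auditing this surface. The PowerShell below is an added example, not part of the thread or any Microsoft tool; the function name `Get-UrlProtocolHandler` is hypothetical, and it only covers schemes registered through the "URL Protocol" value under HKEY_CLASSES_ROOT, so handlers registered by other means may not appear.

```powershell
# Added example: list URI schemes registered with the classic "URL Protocol"
# registry value and show which command each one launches. Read-only.
function Get-UrlProtocolHandler {
    [CmdletBinding()]
    param(
        # Optional wildcard filter on the scheme name, e.g. 'ms-*'
        [string]$Name = '*'
    )

    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object {
            # A key is a URI scheme handler when it carries a "URL Protocol" value
            $_.PSChildName -like $Name -and
            ($_.GetValueNames() -contains 'URL Protocol')
        } |
        ForEach-Object {
            $command  = $null
            $delegate = $null
            # shell\open\command holds the command line run when a link is followed
            $cmdKey = $_.OpenSubKey('shell\open\command')
            if ($cmdKey) {
                try {
                    $command  = $cmdKey.GetValue('')                 # default value
                    $delegate = $cmdKey.GetValue('DelegateExecute')  # COM handler, if any
                } finally {
                    $cmdKey.Dispose()
                }
            }
            [pscustomobject]@{
                Scheme          = $_.PSChildName
                Command         = $command
                DelegateExecute = $delegate
                # True when the link text is handed to the program as an argument,
                # i.e. the handler must parse attacker-influenced input itself
                ReceivesUrlArg  = [bool]($command -match '%1')
            }
        }
}

# Review every registered scheme, or narrow it down with -Name 'ms-*'
Get-UrlProtocolHandler | Sort-Object Scheme | Format-Table -AutoSize -Wrap
```

Entries whose `Command` points at software you do not recognise, or that receive the URL as a raw argument, are the ones to review first.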
And all your icons, still worked on top of it.
There is a lot of interesting stuff here to play with, and if we keep searching for protocols we will find tons of apps that open (including Candy Crush which I didn’t know it was on my PC).
The only thing in my mind when I read this was "Why!? I don't even..." What sort of thought process (or perhaps lack thereof) led to this ridiculously absurd situation of protocol proliferation? Who needs a Calculator or Candy Crush protocol? What's worse is there doesn't seem to be an easy way of viewing or modifying the list of registered protocol handlers. Contrast this with earlier (Presto) versions of Opera, where the protocols are configurable from the UI:
.torrent files are also superseded by magnet URLs for public downloads
(Yes, I know it's not-IE-anymore-nooosir. What's in a name?)
I didn't see anything in the article about this but I may have just missed it.
But aside from that, this is a pretty big deal. MS Edge has been looking pretty good lately. It felt like they have been taking security more seriously, and the new AppGuard stuff looked interesting, but even that doesn't look like it would fix this as it looks like this is "working as intended" letting any link communicate outside the "web sandbox".
I was hoping Edge wouldn't go down the same path that IE did with "special" tie-ins to the OS, but it seems they are still trying.
Any app on Android, iOS or Windows can register itself as a handler for a URI scheme. There is nothing "special" about that. It's up to the app author to ensure this does not expose an attack surface.
At the same time, others were discovering similar vulnerabilities using other protocols. (I know the page looks like crap, so don't bother mentioning it.)
Forget the design, it's "web surfer" that gives the old page's age away.
Joking aside, they've put more thought into the tel URL scheme, which allows you to start a phone call on iOS, by disallowing the use of * and #.