Open aseren opened 3 months ago
this was done for security reasons and needs security review from @bridiver
why do we have any sponsored images or brave news articles that link to brave:// urls?
in any case we should definitely not remove these restrictions or undo anything in the original PR as it was intended to make brave:// behave the same as chrome://. I think this is particularly problematic for brave news because it could allow other feeds to open brave:// urls.
Sponsored images for Brave features, such as the Brave wallet, can link to built-in pages. We currently use the chrome:// schema for these URLs, and they work correctly.
Based on the provided information, we will not switch to the brave:// schema. Therefore, the current issue can be closed. Thank you!
I believe there is a per-webui way to enable this, but it seems too risky for brave news and possibly for sponsored images as well because it's all part of the NTP. Please keep in mind that any workaround to open a brave:// page would require a security review.
Possibly if we moved brave news into an iframe we could allow only the top level webui to open brave:// links, but not sure
Description
The issue occurs for Sponsored Images with a brave:// schema destination URL. When clicked, it gives an error:
[ERROR:CONSOLE(0)] "Not allowed to load local resource: brave://rewards/", source: chrome://newtab/ (0)
A similar issue happens with a Brave News Ad with a brave:// schema target URL. When clicked, it gives an error:
[CONSOLE(2226)] "Not allowed to load local resource: brave://wallet/", source: chrome://newtab/brave_new_tab.bundle.js (2226)
Loading of brave schema from javascript was disabled here: https://github.com/brave/brave-core/pull/1196
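
Added example, not part of the original thread and not Brave's code: one way a new-tab page could classify destination URLs before rendering a link, so that feed-supplied items never reach built-in pages and first-party items use the chrome:// form that the thread says works. The function name, the source labels and the sample URLs are assumptions constructed for illustration.

```javascript
// Schemes that address privileged built-in pages.
const INTERNAL_SCHEMES = new Set(['chrome:', 'brave:']);

// source is a hypothetical label: 'first-party' for sponsored images that
// promote built-in features, 'feed' for items from publisher feeds.
function classifyDestination(rawUrl, source) {
  let url;
  try {
    // No base URL is passed, so relative strings are rejected instead of
    // being resolved against chrome://newtab/.
    url = new URL(rawUrl);
  } catch {
    return { allowed: false, reason: 'unparseable' };
  }
  // The parser lowercases the scheme and strips tabs, newlines and
  // surrounding whitespace, so "BRAVE://" and " chrome://" are normalized.
  const scheme = url.protocol;
  if (scheme === 'https:') {
    return { allowed: true, reason: 'web' };
  }
  if (INTERNAL_SCHEMES.has(scheme)) {
    if (source !== 'first-party') {
      return { allowed: false, reason: 'internal-scheme-from-feed' };
    }
    if (scheme === 'brave:') {
      // Blocked from page script ("Not allowed to load local resource").
      return { allowed: false, reason: 'use-chrome-scheme' };
    }
    return { allowed: true, reason: 'internal' };
  }
  // javascript:, data:, file:, plain http: and anything else.
  return { allowed: false, reason: 'scheme-not-allowed' };
}

// Constructed sample items, not taken from any real campaign or feed.
const samples = [
  ['chrome://wallet/', 'first-party'],
  ['brave://rewards/', 'first-party'],
  ['BRAVE://wallet/', 'feed'],
  ['https://example.com/story', 'feed'],
];
for (const [u, s] of samples) {
  console.log(s, u, classifyDestination(u, s).reason);
}
```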