Open mariomadproductions opened 2 years ago
The challenge here is that there's no way to tell the difference between an app opening a browser link just because it feels like it and an app opening a browser link because a user clicked a button in the app that should open a webpage
That's a good point. I guess a prompt asking the user if they want to open it or not would work.
I've transferred this from Flatpak to xdg-desktop-portal, because if there was any sort of prompt, it would be implemented in xdg-desktop-portal and not in Flatpak. When an app inside the sandbox opens a URL, that's implemented by sending it out to the host system through xdg-desktop-portal's OpenURI
interface.
https://github.com/flatpak/xdg-desktop-portal/issues/708#issuecomment-1035198636
@mariomadproductions, it shouldn't be the default, however. I can think of almost no people I know of who would be content with agreeing to view a URI every time one is invoked, myself included.
@mariomadproductions, it shouldn't be the default, however. I can think of almost no people I know of who would be content with agreeing to view a URI every time one is invoked, myself included.
Yeah probably shouldn't happen every time unless the user asks for that. One way could be to have a "don't ask again for this program" checkbox in the Yes/No pop-up (in addition to something changeable in the settings).
Checklist
Suggestion
Some programs (e.g. Discord) open your browser to a special URL in order to get your discord login info from the browser session. This is not a major privacy/security risk as this presumably requires the discord server to "cooperate", but it does seem wrong that an app can open arbitrary URLs without user permission (discord does this on startup without asking). I think it would be a good idea if this could be prevented somehow, using the flatpak per-app restrictions that users enable.