[Desktop-packages] [Bug 1963861] Re: Can't tell what application will be launched with custom schemes
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: snapd (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu. https://bugs.launchpad.net/bugs/1963861 Title: Can't tell what application will be launched with custom schemes Status in snapd: New Status in firefox package in Ubuntu: Incomplete Status in snapd package in Ubuntu: Confirmed Bug description: If a url is opened such as: mailto: feed: The firefox snap package no longer shows what application will be launched. This means that websites can potentially trick a user to start applications. To manage notifications about this bug go to: https://bugs.launchpad.net/snapd/+bug/1963861/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1963861] Re: Can't tell what application will be launched with custom schemes
I'm seeing this dialog when clicking a mailto: link in the firefox snap (see attached screenshot). Are you seeing something different? What's the value associated to the mailto scheme in about:preferences (under the "Applications" section)? ** Changed in: firefox (Ubuntu) Status: New => Incomplete -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu. https://bugs.launchpad.net/bugs/1963861 Title: Can't tell what application will be launched with custom schemes Status in snapd: New Status in firefox package in Ubuntu: Incomplete Status in snapd package in Ubuntu: New Bug description: If a url is opened such as: mailto: feed: The firefox snap package no longer shows what application will be launched. This means that websites can potentially trick a user to start applications. To manage notifications about this bug go to: https://bugs.launchpad.net/snapd/+bug/1963861/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1963861] Re: Can't tell what application will be launched with custom schemes
While I don't have an immediate exploit, attackers tricking a user to start applications does feel like in should be classified as a security bug. I've _never_ gotten asked what application to start for a given uri scheme. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu. https://bugs.launchpad.net/bugs/1963861 Title: Can't tell what application will be launched with custom schemes Status in snapd: New Status in firefox package in Ubuntu: New Status in snapd package in Ubuntu: New Bug description: If a url is opened such as: mailto: feed: The firefox snap package no longer shows what application will be launched. This means that websites can potentially trick a user to start applications. To manage notifications about this bug go to: https://bugs.launchpad.net/snapd/+bug/1963861/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1963861] Re: Can't tell what application will be launched with custom schemes
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find. ** Information type changed from Public Security to Public -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu. https://bugs.launchpad.net/bugs/1963861 Title: Can't tell what application will be launched with custom schemes Status in snapd: New Status in firefox package in Ubuntu: New Status in snapd package in Ubuntu: New Bug description: If a url is opened such as: mailto: feed: The firefox snap package no longer shows what application will be launched. This means that websites can potentially trick a user to start applications. To manage notifications about this bug go to: https://bugs.launchpad.net/snapd/+bug/1963861/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1963861] Re: Can't tell what application will be launched with custom schemes
@alexmurray that code has never listed or show which application would handle given URL scheme. The change affected the implementation of io.snapcraft.Launcher, which is only called as a fallback when a snap calls xdg-open inside it's namespace. The primary handler that is tried goes through the desktop portal https://flatpak.github.io/xdg-desktop- portal/#gdbus-org.freedesktop.portal.OpenURI which AFAIU prompts to select an application for some number of attempts, which then goes away if the user chose consistently chose the same application each time. So if the prompt was originally shows, but now it's not, my guess would be that it's the portal. The fallback code would open an application for which there is a desktop handler registered in the mime db. Perhaps we could improve that to show a prompt? Anyways, this code isn't part of any stable release yet. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu. https://bugs.launchpad.net/bugs/1963861 Title: Can't tell what application will be launched with custom schemes Status in snapd: New Status in firefox package in Ubuntu: New Status in snapd package in Ubuntu: New Bug description: If a url is opened such as: mailto: feed: The firefox snap package no longer shows what application will be launched. This means that websites can potentially trick a user to start applications. To manage notifications about this bug go to: https://bugs.launchpad.net/snapd/+bug/1963861/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1963861] Re: Can't tell what application will be launched with custom schemes
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu. https://bugs.launchpad.net/bugs/1963861 Title: Can't tell what application will be launched with custom schemes Status in snapd: New Status in firefox package in Ubuntu: New Status in snapd package in Ubuntu: New Bug description: If a url is opened such as: mailto: feed: The firefox snap package no longer shows what application will be launched. This means that websites can potentially trick a user to start applications. To manage notifications about this bug go to: https://bugs.launchpad.net/snapd/+bug/1963861/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp