Description
currently, when clicking https:, geo:, etc. links in a webxdc, nothing happens.
however, this is too strict and eliminates a lot of legitimate use cases, such as having an "about" page, a "donate" link, user-entered links in an editor or spreadsheet.
there are lots of ideas around about whitelisting links somehow or even checking the code. after lots of internal discussion, however, it seems fine to show a dialog as:
Do you want to open this link?
https://this-is-some-link/?skdhfkh+foo+bar
[ Cancel ] [ Copy ] [ Open ]
when targeting this issue:
- add the dialog on opening https: links - show the raw ASCII domains, and not some unicode representation [1]
- whitelist protocols we want to support (for the whitelist, check "add URL schemes whitelist" deltachat-android#4066)
- make sure the links cannot be opened silently without the dialog being shown
you can use the links section of https://github.com/webxdc/webxdc-test for testing; it includes punycode links
counterparts:
deltachat/deltachat-android#4054
deltachat/deltachat-desktop#5785
Footnotes
1. showing plain ascii is needed to avoid homograph attacks - e.g. the "а" in wikipediа.org is not an ASCII-a; this kind of stuff is used to trick users. by showing raw ASCII punycode, this is discoverable: wikipediа.org would be shown as xn--wikipedi-86g.org
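
One way to combine the three requirements listed above (scheme whitelist, raw ASCII domain in the dialog, no silent open), as an added JavaScript sketch that is not Delta Chat's code. The function names, the `ui` callbacks and the whitelist contents are assumptions; it relies on the standard WHATWG `URL` parser, which serializes internationalized hostnames as punycode.

```javascript
// Added example: names and whitelist contents are assumptions, not project code.
const ALLOWED_SCHEMES = new Set(["https:", "geo:"]); // assumed whitelist

// Pure decision step: never opens anything, only says what the dialog may show.
function linkDecision(raw) {
  let url;
  try {
    url = new URL(raw); // absolute URLs only; anything else throws
  } catch {
    return { action: "block", reason: "unparseable" };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { action: "block", reason: "scheme not allowed: " + url.protocol };
  }
  // url.href is the normalized form: the hostname is ASCII punycode and
  // non-ASCII path characters are percent-encoded, so a look-alike letter
  // cannot hide in the text shown to the user.
  return { action: "confirm", display: url.href, host: url.hostname };
}

// Single entry point for link clicks coming from a webxdc app.
// ui.ask(text) returns "open", "copy" or "cancel" (the three dialog buttons);
// ui.open and ui.copy are only reachable after the dialog was answered.
function handleLinkClick(raw, ui) {
  const decision = linkDecision(raw);
  if (decision.action !== "confirm") return "blocked";
  const choice = ui.ask(decision.display);
  if (choice === "open") {
    ui.open(decision.display); // open exactly the string that was displayed
    return "opened";
  }
  if (choice === "copy") {
    ui.copy(decision.display);
    return "copied";
  }
  return "cancelled";
}
```

Opening and copying `decision.display` rather than the raw input keeps the dialog text and the opened target identical.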