A partial archive of discourse.wicg.io as of Saturday February 24, 2024.

Detect external url handler

cor3ntin
2015-10-14

Currently, browsers allow launching external applications by following URLs for which the browser or the system knows how to handle the scheme. mailto: is a classic example.

This mechanism is a simple way to launch an external application (or an extension, etc.). Most browsers require the user to confirm the execution of such an action.

However, there is no standard way, and often no way at all, to detect beforehand that a handler is registered for a given protocol scheme. There is also no proper way to handle the failure case.

Therefore, I would like to discuss adding an API that would allow querying whether a particular protocol scheme has a known registered handler.

It could be added to the navigator object:

navigator.isProtocolHandlerRegistered("foo")

This method would complement the already existing

navigator.registerProtocolHandler()

I don’t think there is a need to return all available protocols, so a method that tests for a single protocol is sufficient. There is also no need to know which application manages a given handler and whether this handler is a web application or a native application.

Security concerns:

This method could probably be used to query whether a given application is installed, but I don’t think that it would be a real concern, as exposed applications can probably be detected anyway.

This method should not request user permission, but the actual URL opening still should.

ahopebailie
2015-10-14

Besides this security vulnerability, this is also a privacy violation. I don’t think this proposal will get beyond this hurdle, I’m afraid.

cor3ntin
2015-10-14

Currently, applications that want to offer the ability to be launched from the browser use all kinds of nastiness like plugins, which is probably a bigger security risk.

The security & privacy concerns can probably be resolved with global settings (rather than per-site settings). Or maybe a per-site setting would be acceptable if treated as the GPS location is, in a not too intrusive fashion.

This feature would enable a lot of synergies for applications like app stores (Steam, for example). Spotify/iTunes also have/had a similar workflow through a native plugin.

So while I agree the security/privacy concerns are of importance, they should not close the discussion completely. You can find a lot of content on the web asking how to do exactly this.

Moreover, mailto: is widely deployed and usually works because a mail client is often available, but in the case where no mail client is installed, the UX is currently quite bad.