I’d like to be able to insert
<meta protocol="web+ganarchy" default="https://ganarchy.autistic.space/?url=%s" /> into my website so that all my web+ganarchy links get handled by my own website if the user hasn’t setup their own protocol handler for web+ganarchy links.
Note that it specifically doesn’t include a name. This isn’t registering (or attempting to register) a protocol handler, it’s just a fallback.
I run https://ganarchy.autistic.space/, so this would be very useful for me.
The web already provides this kind of functionality. It is achieved with the Navigator.registerProtocolHandler method.
That’s not what this is about.
Here’s my problem:
- you’re the user. go to https://ganarchy.autistic.space/project/385e734a52e13949a7a5c71827f6de920dbfea43/
- click the first link (looks like “385e734a52e13949a7a5c71827f6de920dbfea43”)
- tell me where it goes
- go back to the page in 1
- click “Register web+ganarchy: URI handler”, and follow the steps it gives you.
- click the first link again
- this time it goes to the web+ganarchy: handler you just set up
The problem is that 3rd step. I’d like the 2nd step to have the same result as the 6th step IN CASE THE USER DOESN’T HAVE ANY HANDLERS CONFIGURED. (I can’t stress this enough, it’s strictly a fallback, not an override, and it also doesn’t register anything. it’s similar to base urls, really. y’know, this thing. except nobody uses that one.)
Sites should not be able to configure things like this in the background for users. There is a reason it requires a user gesture and is handled in the browser’s settings at that point. To protect from phishing/hijacking attacks.
Sites can already just
<a href="https://example.org/?url=foobar"> so I mean… no attack here?
- parse the URL as with
- if no base, set base to the current document.location’s base.
- if the document has a base tag, use that as base.
- if the protocol is a browser protocol (http, https, etc) navigate normally with the browser
- if it’s not a browser protocol, i.e. it’s a protocol handler, use the user’s registered protocol handlers, if any
- if the user doesn’t have a protocol handler for the protocol, look for the meta tag for it, and, if any, use it
- still unhandled? then show an error message.
I’m just adding step 6 to it. everything else is the current behaviour. no exploits here.
maybe I should ask for an API that tells the website which handlers the user has registered, which can be exploited for all sorts of ad-network tracking purposes, tho.
What is the use-case for this request? An internal site that only links inwards using a custom protocol handler?
while I will also use it in-site, I actually need it to use my protocol on other sites. it’s primarily meant for cross-origin requests but can also be used for same-origin requests as with any cross-origin feature.
another use-case is e.g. you have your website at https://your.website.example.org/whoiam.html and you wanna link your mastodon using web+mastodon so it can be handled by the user’s instance, but you wanna provide a fallback so it goes to your instance. so you put a
<meta protocol="web+mastodon" default="https://your.mastodon.instance.example.org/?url=%s"> on your website.