I’d like to be able to insert <meta protocol="web+ganarchy" default="https://ganarchy.autistic.space/?url=%s" /> into my website so that all my web+ganarchy links get handled by my own website if the user hasn’t setup their own protocol handler for web+ganarchy links.
Note that it specifically doesn’t include a name. This isn’t registering (or attempting to register) a protocol handler, it’s just a fallback.
click the first link (looks like “385e734a52e13949a7a5c71827f6de920dbfea43”)
tell me where it goes
go back to the page in 1
click “Register web+ganarchy: URI handler”, and follow the steps it gives you.
click the first link again
this time it goes to the web+ganarchy: handler you just set up
The problem is that 3rd step. I’d like the 2nd step to have the same result as the 6th step IN CASE THE USER DOESN’T HAVE ANY HANDLERS CONFIGURED. (I can’t stress this enough, it’s strictly a fallback, not an override, and it also doesn’t register anything. it’s similar to base urls, really. y’know, this thing. except nobody uses that one.)
Sites should not be able to configure things like this in the background for users. There is a reason it requires a user gesture and is handled in the browser’s settings at that point. To protect from phishing/hijacking attacks.
if no base, set base to the current document.location’s base.
if the document has a base tag, use that as base.
if the protocol is a browser protocol (http, https, etc) navigate normally with the browser
if it’s not a browser protocol, i.e. it’s a protocol handler, use the user’s registered protocol handlers, if any
if the user doesn’t have a protocol handler for the protocol, look for the meta tag for it, and, if any, use it
still unhandled? then show an error message.
I’m just adding step 6 to it. everything else is the current behaviour. no exploits here.
maybe I should ask for an API that tells the website which handlers the user has registered, which can be exploited for all sorts of ad-network tracking purposes, tho.
while I will also use it in-site, I actually need it to use my protocol on other sites. it’s primarily meant for cross-origin requests but can also be used for same-origin requests as with any cross-origin feature.
another use-case is e.g. you have your website at https://your.website.example.org/whoiam.html and you wanna link your mastodon using web+mastodon so it can be handled by the user’s instance, but you wanna provide a fallback so it goes to your instance. so you put a <meta protocol="web+mastodon" default="https://your.mastodon.instance.example.org/?url=%s"> on your website.