Re: xdg-open bypassing SameSite=Strict

[Anton Luka Šijanec <anton () sijanec eu>]

Hi!

Simon McVittie je 24. 6. 25 ob 11:43 napisal:
> How does this work on other platforms like Windows and macOS? On 
> Windows, the implementation details are different, but the general 
> "shape" of the API seems like it's the same: the URL handler registers 
> itself with the system by saying "I can handle http URLs" and storing a 
> command-line with some placeholders (on Windows I think this is done via 
> the registry), the caller (e.g. email client) passes the URL to an API 
> function like ShellExecute() or a command-line tool like `start`, and OS 
> libraries are responsible for figuring out which URL handler is the 
> correct one and launching it with suitable options. On Windows, does the 
> URL handler (e.g. browser) treat the URLs it receives from the OS as 
> though they had been typed into the address bar, or as though a link had 
> been followed?

I tested if the same behavior is also present on Windows for reference 
and it is. Tested with Firefox 138.0.1 (64-bit) and Edge 129.0.2792.52 
on Windows 11 Home 23H2.

I opened WordPad with the document https://ass.si/f/nosmr.rtf and 
clicked the first link to set the samesite cookie, then closed the 
browser, then clicked the second link and the cookie was sent, despite 
SameSite being set to strict. Then I changed the default browser and the 
same behavior was present.

The cookie was correctly not sent to the server when navigating via an 
<a> tag from a different domain in both browsers.

Regards
Anton