oss-sec mailing list archives
Re: xdg-open bypassing SameSite=Strict
From: Lucas Holt <luke () foolishgames com>
Date: Tue, 24 Jun 2025 16:48:53 -0400
On 6/24/25 4:22 PM, Gabriel Corona wrote:
> As was said by Solar Designer, if a "safe" version is needed, it should probably be the default when going through URI scheme registrations. This is because, as you said, this kind of issue lies in the interaction between several components (URI sources, URI sinks and URI go-betweens such as xdg-open) and it would certainly be possible to find a way to bypass the behavior otherwise.

I would think that all browsers should implement the safe behavior or URL handler registrations and allow the user (or enterprise) to adjust the policy within settings. This would limit the issue for the vast majority of users, but allow folks to turn on the old behavior until applications can be fixed. I suspect this could break some auth flows that rely on handlers right now within many apps. (game launchers, enterprise tools, etc)

I don't think the right place to handle this is xdg-open. Essentially, browsers are trusting unsafe input as is.

--
Lucas Holt
Luke () FoolishGames com
________________________________________________________
MidnightBSD.org (Free OS)
JustJournal.com (Free blogging)
