Opened 5 years ago

Closed 5 years ago

Last modified 15 months ago

#13618 closed defect (fixed)

Handling links in the chat window

Reported by: sukhbir Owned by:
Priority: Medium Milestone:
Component: Archived/Tor Messenger Version:
Severity: Keywords:
Cc: arlolra Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


What happens when a user clicks on a link in the chat window? Do we just intercept the click and do nothing? Do we open it in the default browser (dangerous)? Or do we open it in Tor Browser if it is running?

I think we can go with this option for now: "If someone sends you a link, where will it open? Again, to start, it won't at all and you'll be forced to manually paste it into the browser of your choice."

Further discussions are welcome.

Child Tickets

Change History (3)

comment:1 Changed 5 years ago by sukhbir

Resolution: fixed
Status: newclosed

We are now removing the formatting of URLs -- users will have to manually copy the links and open them; simply clicking on them will not work. This will prevent users from clicking on links and opening them in the default browser (which may de-anonymize them).

(As stated in the ticket, further discussions are welcome.)

comment:2 Changed 5 years ago by arlolra

Something to keep in mind here, from gk's audit,

I noticed the disable-links.patch locks the restrictive mode even more down by not rendering links at all. This is important not for the reasons mentioned in the respective trac ticket but to avoid proxy bypasses. It turns out that it is already enough to drag a link on some platforms to bypass proxy settings of an application. See: for details. One thing you could do, if you want to allow the drawing of links later on, is to write extension code that intercepts this dragging and makes sure it is not dangerous anymore. Torbutton is doing that right now.

Also, see Ricochet's UI for opening/copying links.

comment:3 Changed 15 months ago by traumschule

<+sukhe> hello. yes, I think it's fine to close the tickets. thanks for doing what we should done earlier :)

sad but true:

luckily there are alternatives:

.. and maybe someday

Note: See TracTickets for help on using tickets.