OpenURI portal w/o user granting permission

Philip Withnall philip at tecnocode.co.uk
Thu Jul 14 12:23:36 UTC 2016 

On Thu, 2016-07-14 at 12:07 +0200, Stephan Bergmann wrote:
> At least with a recent build of xdg-desktop-portal and 
> xdg-desktop-portal-gtk, sending an 
> org.freedesktop.portal.OpenURI.OpenURI request does not always
> involve 
> the user granting permission first:  For example, if the given uri 
> argument is in the form of a valid http URL, it is passed directly
> to 
> the browser to open it.  (Only if the argument is of some non-URL
> form a 
> "Select application" dialog comes up.)  Isn't that a privacy and 
> security issue?

How do you think it’s a privacy and security issue (and can you define
the ‘security’ in concrete terms of availability, confidentiality and
integrity)?

We discussed this at the recent GTK+ hackfest, and the conclusion was
that:
 • Popping up a confirmation dialogue (‘do you want to open this URI?’)
would be pointless: users cannot parse URIs, and it would be incredibly
annoying to click a link in an application and then have to click ‘yes’
in a confirmation dialogue.
 • Browsers are explicitly designed to handle untrusted URIs, in the
sense that if they end up loading a malicious page, the browser itself
shouldn’t get exploited.
 • There is an attack here where a compromised app could send your data
to a malicious website in a GET parameter without you being able to
stop it, but:
  - That requires the app to have permission to access the data in the
first place.
  - You’re going to notice if the app does this a lot, because your
browser will open each time.
  - It’s basically impossible to get rid of covert channels (like
this), so if an app isn’t leaking data through GET parameters, it will
find another way to leak data. The best we can do is restrict the
covert channels without impacting usability too much, and try to make
it obvious when an app //is// using covert channels to leak data.

Did you have another threat model in mind?

Philip
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part
URL: <https://lists.freedesktop.org/archives/flatpak/attachments/20160714/1036e623/attachment.sig>

More information about the xdg-app mailing list