Neil Turner's Blog

Blogging about technology and randomness since 2002

External Protocol Whitelisting

A second round of release candidates have been released for Firefox 1.0PR, and one of the new features is “external protocol handler whitelisting”. What this means is that if Firefox doesn’t recognise the protocol being used in a request, it’ll consult a list of ‘safe’ protocols that it can then pass to external applications. If the protocol is not on the list, it will now pop up a dialog box, asking the user whether they want to launch the external application. Here’s a screenshot of that dialog.

This is partly in answer to a problem with the shell: protocol being used for exploiting a security flaw in Windows – now, if a web site tries to make you click on a link using that protocol, you’ll get a dialog.

There isn’t yet a UI for configuring what protocols should be enabled or not, but you can use about:config to edit the handlers or provide defaults if you’re rolling your own copy of Firefox (for example if your enterprise has an intranet system which relies on the shell: protocol working). You need to add a pref called ‘network.protocol-handler.external.[protocol]’ and set it to true to hide the dialog (false will show it) – replace [protocol] with the name of the protocol, for example ‘telnet’, ‘magnet’, ‘aim’, ‘feed’, ‘ed2k’ or whatever. By default, ‘mailto’ and ‘news’ are set to true, i.e. safe.

Other security fixes mean that popup windows will always have the status bar and address bar shown, so that the user knows what web site they’re browsing. And, when connected to secure sites, the status bar gives the domain of the secure site – so if you think you’re at Paypal but the status bar tells you that you’re using a secure connection at, then you know that you’re at a fraud site.
And in case this is the only Mozilla weblog you read, Stylesheet Switching and Work Offline are back! The bugs that lead to their removal have been fixed so they’re now back in nightly builds and will make it into Firefox 1.0PR.


  1. Firefox 1.0 PR Preview 2

    Asa announced another round of candidate builds. Go and grab it!
    We had to take one more important change into the builds last night, moving from a blacklist to a whitelist for external protocol handlers, so today’s builds are the new candidat…

  2. Amusing touch with the popups always showing the address bar: popups launched from bookmarklets have it, so Blogger’s own BlogThis gets the (sorry, but it is) ugly address bar, but my increasingly stale right-click BlogThis extension doesn’t, and still looks pretty 🙂
    Oh, rats. That means I have to finally update it, add some UI so you can specify URLs and parameters and be able to use it for MT, so I don’t have to see the address bar every time I want to post from a bookmarklet.

  3. Double rats. I was just enjoying the way the location bar in popups brought along the tabbar (so that the “View site” link in MT’s rebuild popup doesn’t just invisibly open in the back of the popup itself in Single Window mode), but I see by the advocacy comments in the bug that we’ll probably lose it again.