A second round of release candidates has been released for Firefox 1.0PR, and one of the new features is “external protocol handler whitelisting”. What this means is that if Firefox doesn’t recognise the protocol used in a request, it consults a list of ‘safe’ protocols whose requests it may pass straight to external applications. If the protocol is not on that list, it now pops up a dialog box asking the user whether they really want to launch the external application. Here’s a screenshot of that dialog.
This is partly a response to the shell: protocol being used to exploit a security flaw in Windows: now, if a web site tries to get you to click on a link using that protocol, you’ll get the dialog first.
There isn’t yet a UI for configuring which protocols should be enabled, but you can use about:config to edit the handlers, or provide defaults if you’re rolling your own copy of Firefox (for example if your enterprise has an intranet system which relies on the shell: protocol working). You need to add a pref called ‘network.protocol-handler.external.[protocol]’ and set it to true to hide the dialog (false will show it), replacing [protocol] with the name of the protocol, for example ‘telnet’, ‘magnet’, ‘aim’, ‘feed’, ‘ed2k’ or whatever. By default only ‘mailto’ and ‘news’ are set to true, i.e. treated as safe.
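If you are rolling out prefs to a fleet, it is worth auditing which protocols have been silently whitelisted. The following is an added example (not code from Mozilla or from this post) that parses the ‘network.protocol-handler.external.*’ lines out of a prefs.js or user.js, works out which protocols will launch an external application without the dialog, and emits user.js lines that switch the dialog back on for anything beyond the defaults; the sample prefs file is constructed, and the defaults assumed are the ones the post describes (‘mailto’ and ‘news’ true, nothing else).

```python
import re

# Firefox pref files carry lines like:
#   user_pref("network.protocol-handler.external.shell", true);
# Default pref files use pref(...) instead of user_pref(...); both are accepted here.
PREF_RE = re.compile(
    r'^\s*(?:user_)?pref\(\s*"network\.protocol-handler\.external\.([^"]+)"'
    r'\s*,\s*(true|false)\s*\)\s*;'
)

# Assumption (from the post): only mailto and news are whitelisted out of the box.
DEFAULT_WHITELIST = {"mailto": True, "news": True}


def parse_external_handlers(prefs_text):
    """Return {protocol: bool} for every external protocol-handler pref found."""
    handlers = {}
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line)
        if m:
            handlers[m.group(1).lower()] = (m.group(2) == "true")
    return handlers


def effective_whitelist(prefs_text):
    """Explicit prefs override the defaults; return the protocols that skip the dialog."""
    merged = dict(DEFAULT_WHITELIST)
    merged.update(parse_external_handlers(prefs_text))
    return sorted(p for p, silent in merged.items() if silent)


def hardening_lines(protocols):
    """Emit user.js lines that force the confirmation dialog for the given protocols."""
    return [f'user_pref("network.protocol-handler.external.{p}", false);'
            for p in sorted(protocols)]


# Constructed sample of an enterprise prefs.js; not taken from any real deployment.
SAMPLE_PREFS = """\
user_pref("network.protocol-handler.external.shell", true);   // intranet app needs shell:
user_pref("network.protocol-handler.external.telnet", false);
user_pref("network.protocol-handler.external.mailto", true);
pref("network.protocol-handler.external.ed2k", true);
user_pref("browser.startup.homepage", "http://intranet.example");
"""

if __name__ == "__main__":
    silent = effective_whitelist(SAMPLE_PREFS)
    print("Protocols handed to external apps without a dialog:", silent)
    for line in hardening_lines(p for p in silent if p not in DEFAULT_WHITELIST):
        print(line)
```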
Other security fixes mean that popup windows will always have the status bar and address bar shown, so that the user knows what web site they’re browsing. And, when connected to secure sites, the status bar gives the domain of the secure site – so if you think you’re at Paypal but the status bar tells you that you’re using a secure connection at www.dodgysite.com, then you know that you’re at a fraud site.
And in case this is the only Mozilla weblog you read, Stylesheet Switching and Work Offline are back! The bugs that led to their removal have been fixed, so they’re now back in nightly builds and will make it into Firefox 1.0PR.