Showing results for 
Show  only  | Search instead for 
Did you mean: 
New member
Status: New idea

In Firefox mobile, would it be possible to add a new site permission to allow/block deep links per site? With such site permission, when a Website tries to open up a deep link, Firefox would ask: Allow / Allow once / Block. Granted permission could be managed in Firefox settings, like the other existing site permissions.

Reason behind, a compromised Website (e.g., Bluetooth which is still compromised at the time of writing *) might trigger double redirection and the second redirection could make use of a deep link to switch from Firefox app to any other app (e.g., in current case, it tries some times, based on the context, to switch to Google Chrome app).

* Malicious code that can be found, at least, where the code starts with: ontouchstart='eval(String.fromCharCode(... and further: onmouseenter=\"eval(String.fromCharCode(...

Status changed to: New idea
Community Manager
Community Manager

Thanks for submitting an idea to the Mozilla Connect community! Your idea is now open to votes (aka kudos) and comments.

New member

On one hand, intent-based URI easily allow users to proceed with the right app for a given action. For example, a Website could provide a button telling the browser to open up the phone app to dial in one click the right phone number. On the other hand, intent-based URI can be used for malicious purpose for which the extend doesn't seem yet to be fully-known.

A concern with intent-based URI is that they can be triggered with very minimum user interaction. Based on what was happening on the Website previously mentioned, here would be an example of code sufficient to open up this page in another app:

<html lang="en-US">
  <meta charset="UTF-8">
  <meta http-equiv="refresh" content="0; intent://;scheme=https;;end">
  <script type="text/javascript">
   window.location.href = "intent://;scheme=https;;end"

In the case previously mentioned, the intent was given in the response header of one of the requests. But this short example is sufficient, and should be easy to understand and to try out.

In Chrome browser, only actions that are marked with the category android.intent.category.BROWSABLE can be used (see: ). Hopefully, Firefox follows the same behavior, but a quick search on Internet didn't return results that could confirm it for sure. However, this quick search shown that other people have already wonder about the extend of exploitability of intents (see: ).