I have a custom URL protocol handler for URLs of the form myhandler://path/to/something. This is registered to a locally installed client application that handles the requests and does "the right thing".

However, when I have a link of that form in Outlook (2007), Outlook displays a big scary warning that says:

Microsoft office has identified a potential security concern This location may be unsafe ... Hyperlinks can be harmful to your computer and data. To protect your computer, click only those hyperlinks from trusted sources.

Do you want to continue?

I am aware of the Outlook registry key that would enable me to disable these warnings entirely (http://support.microsoft.com/?kbid=925757), but I don't want to be a "bad citizen" on the machine.

Is there some way that I can "whitelist" my URL protocol handler to indicate that I have done due security diligence without opening up access to other URL protocol handlers on the machine that might not be hardened to malicious user input?

Outlook does not prompt for URLs of the form http:, https:, mailto: (and perhaps others). Is this list hardcoded somewhere deep in the bowels of Office, or is there some way to add my specific protocol to the list?

A: 

Since you've got things squared for when the URL is opened in a browser (but not Outlook), my workaround suggestion is:

Give people what they expect, a regular http URL. Then have your server redirect to the special URL with the special handler. Or give them a file URL and have the contents of the file be a JavaScript redirect to the real place.

I believe Apple does something similar in its references to iTunes-handled links such as http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=80028216

Added: this technique also enables you to show a splash page in the browser with instructions on what to do if your software has not been installed/configured yet on the local machine.

Larry K
I like the idea, but one of my requirements is to be able to operate when not connected to a network (the offline scenario).
StarBright
Re: offline: use the file:// handler to load a local HTML file with JavaScript in it to redirect to your custom handler.
Larry K
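The redirect page suggested in the answer and in the last comment, as an added example that is not code from either poster: the script for an HTML stub that forwards to the custom handler only after validating the requested path, so the stub cannot be used to send arbitrary input to the handler. The `myhandler` scheme is from the question; the `target` query parameter, the segment policy and the function names are assumptions made for this sketch.

```javascript
// Script for a redirect stub page (served over http or loaded from file://).
// Assumption: the link carries the handler path in a "target" query
// parameter, e.g. stub.html?target=path/to/something
const SCHEME = "myhandler"; // scheme from the question

// Assumed policy: each path segment is 1-64 chars of letters, digits, ".", "_", "-"
const SEGMENT = /^[A-Za-z0-9._-]{1,64}$/;

// Returns the handler URL for a query string, or null if the target is
// missing or contains anything outside the allowed segment policy.
function buildHandlerUrl(search) {
  // URLSearchParams percent-decodes, so encoded "../" or "/" is checked decoded
  const target = new URLSearchParams(search).get("target");
  if (!target) return null;
  const segments = target.split("/");
  for (const s of segments) {
    // Rejects empty segments, traversal, and any character not in the policy
    if (!SEGMENT.test(s) || s === "." || s === "..") return null;
  }
  // The scheme is fixed here; the query string never chooses it
  return SCHEME + "://" + segments.join("/");
}

// Performs the redirect on a window-like object; returns true if redirected.
function redirect(win) {
  const url = buildHandlerUrl(win.location.search);
  if (url === null) {
    win.document.body.textContent = "This link is not valid.";
    return false;
  }
  // Splash text stays visible if no application is registered for the scheme
  win.document.body.textContent =
    "Opening the client application. If nothing happens, it may not be installed.";
  win.location.href = url;
  return true;
}

// Run automatically only inside a browser; under Node the functions are just defined
if (typeof window !== "undefined") {
  window.addEventListener("DOMContentLoaded", () => redirect(window));
}
```

The handler application still has to validate what it receives, since any page or document can link to `myhandler://` directly without going through the stub.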