It seems that the generally accepted approach to launch a URL is to call Process.Start, e.g.

var url = new Uri(uriString);
Process.Start(url.AbsoluteUri);

e.g. this was suggested here.

The problem with that is that if the URL is untrusted, bad things can happen. e.g. if the string is @"c:\windows\system32\notepad.exe", the code above will launch notepad with no questions asked.

OTOH, if you try to launch a local executable like this in the browser, you get plenty of security checks before it happens.

So the question is: how can this be done safely programmatically in a clean way (in C#)?

Not-so-clean techniques we have considered:

  • look at the Uri protocol, and block anything that's not http/https. This is hacky.
  • find the registered browser via some reg key, and launch it with the Uri on the cmd line. This type of code tends to be messy and unreliable with some browsers.

So I'm hoping for a technique that would be like a LaunchUrlThroughBrowser(url).

+1  A: 

It appears that there is no great way to do this, short of manually filtering the URL, as explained in http://stackoverflow.com/questions/3748039/safe-process-start-implementation-for-untrusted-url-strings. So that might just be the way to go.

David Ebbo
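
The manual filtering the answer refers to could look like the following sketch, which parses the string first and only hands absolute http/https URLs to the shell. This is an added example, not code from the original posts; `SafeUrlLauncher`, `TryGetWebUrl` and `Launch` are hypothetical names, and the sample inputs in `Main` are constructed.

```csharp
using System;
using System.Diagnostics;

static class SafeUrlLauncher
{
    // Schemes allowed to reach the shell; everything else (file paths, other registered schemes) is refused.
    static readonly string[] AllowedSchemes = { Uri.UriSchemeHttp, Uri.UriSchemeHttps };

    // Returns true and the canonical URL only for absolute http/https URIs with a host.
    public static bool TryGetWebUrl(string untrusted, out string canonicalUrl)
    {
        canonicalUrl = null;
        if (string.IsNullOrWhiteSpace(untrusted)) return false;

        // A drive path such as c:\windows\system32\notepad.exe parses as an absolute
        // URI with scheme "file", so a successful parse alone is not a safety check.
        if (!Uri.TryCreate(untrusted.Trim(), UriKind.Absolute, out Uri uri)) return false;

        // Uri normalizes the scheme to lower case, so an exact match is sufficient.
        if (Array.IndexOf(AllowedSchemes, uri.Scheme) < 0) return false;
        if (uri.IsFile || uri.IsUnc || string.IsNullOrEmpty(uri.Host)) return false;

        canonicalUrl = uri.AbsoluteUri; // pass on the parsed form, never the raw input
        return true;
    }

    // Launches the URL through the registered http/https handler, or returns false if it was refused.
    public static bool Launch(string untrusted)
    {
        if (!TryGetWebUrl(untrusted, out string url)) return false;
        Process.Start(new ProcessStartInfo(url) { UseShellExecute = true });
        return true;
    }

    static void Main()
    {
        // Constructed sample inputs: one web URL, the path from the question, a file URI, a scheme-less string.
        string[] samples = {
            "https://example.com/page?q=1",
            @"c:\windows\system32\notepad.exe",
            "file:///c:/windows/system32/notepad.exe",
            "example.com/no-scheme",
        };
        foreach (var s in samples)
            Console.WriteLine("{0} -> {1}", s, TryGetWebUrl(s, out _) ? "allowed" : "blocked");
    }
}
```

`Main` only reports the filter decision for each sample and does not start any process; call `Launch` from application code once the filter fits your needs.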