Hello Mingi Jung,

Thank you for your report and handling of this issue.

On Mon, Jun 23, 2025 at 08:59:46PM +0900, grape mingijung wrote:
> During discussions with several Linux distro security teams, the following
> suggestions were raised:
> 
>    1. Introduce an "untrusted" mode or flag in browser CLI tools for
>    opening external URLs
>    2. Extend xdg-open to support passing this "untrusted" flag or context
>    to the browser
>    3. Modify desktop environments or applications to invoke xdg-open with
>    the "untrusted" option when appropriate
> 
> In summary, it was suggested that the *browser should be updated first*,
> followed by gradual support at the xdg-open and system levels.
> 
> Accordingly, the issue has been forwarded to *browser vendors*, who are
> currently reviewing it and exploring potential fixes.

What about having browser CLI tools instead treat URLs as untrusted by
default?  So in step 1, a "trusted" mode or flag could be introduced (if
needed for something else), and steps 2 and 3 would be unneeded.  Would
this cause too much breakage?  What is expected to break?

Alexander
