Security for launching from URL

Eben Eliason eben.eliason at
Mon Jul 7 12:52:18 EDT 2008

On Fri, Jul 4, 2008 at 6:42 PM, Ivan Krstić
<krstic at> wrote:
> That said, the URI handler approach should be used sparingly. It's one
> thing to allow starting an audio player by clicking an MP3 link in the
> browser, and another to arbitrarily execute code (e.g. through an
> execution environment such as Pippy or eToys) from a web page with a
> single click. While Bitfrost is designed to mitigate the side effects
> of arbitrary code execution, it's very unwise to make it trivial for
> the user to trigger such execution unknowingly.

I really don't see anything wrong with injecting a modal alert,
displayed by Sugar, into this process if we must.  Clicking on an mp3
in Browse would reveal this alert, and ask for confirmation that the
user wishes to open it.  It would, of course, offer a list of
activities which support its mime-type (assuming there is more than
one).  It could potentially include a way to set the default handler
as well, such that the next time it is revealed for the same mime-type
a different default is chosen.  I recognize that we try at all costs
to eliminate this form of dialog, but I also recognize that we might
not want to allow an activity to arbitrarily launch other activities
without the user's consent.

Alternatively (or additionally?), should this capability be a bitfrost

Finally: Ivan, do you see security implications in a future
implementation of this approach which also allows the resulting
changes to an object launched in this manner to be passed back to
the invoking activity?  For instance, consider a Website activity
which you can import source images into, but which allows you to select any
of those images and say "Edit with [Paint]", which then automatically
updates the image within the Website project as the Paint instance
gets saved.  I think this might be a nice alternative to true aliases,
which can be confusing for kids, while encouraging inter-activity
projects and development.

- Eben


More information about the Devel mailing list