Any Protocol other than http not working - their content is sent to default search engine (Eg: ftp://ipaddr, blob:somebloburl, javascript:somecode This all goes to search engine #41734

Closed
tathastu871 opened this issue Oct 19, 2024 · 10 comments
Labels
closed/not-actionable needs-investigation A bug not 100% confirmed/fixed OS/Android Fixes related to Android browser functionality repros-on-chrome

Comments

@tathastu871

No description provided.

@bsclifton bsclifton changed the title WORST BROWSER EVER: NOW IT DOESNT ALLOW TO RUN BOOKMARKLETS FROM SEARCH BAR ON ANDROID EVERY INPUT EVEN THOSE STRTING WITH javascript: GOES THROUGH SEARCH ENGINE Bookmarklets not working - input sent to search Oct 23, 2024
@bsclifton bsclifton added OS/Android Fixes related to Android browser functionality needs-investigation A bug not 100% confirmed/fixed labels Oct 23, 2024
@bsclifton
Member

cc: @deeppandya @SergeyZhukovsky

@bsclifton bsclifton changed the title Bookmarklets not working - input sent to search Bookmarklets not working - their content is sent to default search engine Oct 23, 2024
@tathastu871 tathastu871 changed the title Bookmarklets not working - their content is sent to default search engine Any Protocol other than http not working - their content is sent to default search engine (Eg: ftp://ipaddr, blob:somebloburl, javascript:somecode This all goes to search engine Oct 24, 2024
@tathastu871
Author

tathastu871 commented Oct 24, 2024

cc: @deeppandya @SergeyZhukovsky

Even ftp sites and blob urls generated via javascript are going through engine

Try searching ftp://xxx.xxx.xx.x:443 it goes through google search

Any Explicitly defined protocol by user

regex of search query
^(ftp|http|ftps|https|javascript|blob):.*
Must not go through search engine

CURRENT WORKAROUND STORE IN BOOKMARKS THEN ACCESS

ALSO FTP SITES CANNOT BE OPENED WHY IT POPUP INTENT INTERCEPT AND FAILS

@deeppandya

CC @fmarier what do you think of the issue in terms of security concerns ?

@fmarier
Member

fmarier commented Oct 30, 2024

I believe that javascript: is banned from direct navigations (with the exception of bookmarks) on purpose because it has caused lots of issues in the past. I imagine blob: URLs are blocked for similar reasons, but I also don't see how they could even make sense typed directly in the URL bar.

ftp is not supported by Chromium anymore and so it's not a recognized protocol and is expected to have the same behavior as trying to navigate to gopher://example.com (also not supported).
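
The handling described in the comment above, set against the regex proposed earlier in the thread, as an added example that is not part of the original discussion and not Chromium or Brave source. The function names, return values and sample inputs are hypothetical, and the model covers only input with an explicit scheme.

```javascript
// Added illustration: a model of the policy described in this thread.
// Not Chromium or Brave code; names and return values are hypothetical.

// Regex proposed in the issue for input that "must not go through search engine".
const PROPOSED = /^(ftp|http|ftps|https|javascript|blob):.*/;

// Return the lowercase explicit scheme, or null if the input has none.
function extractScheme(input) {
  const m = /^([a-z][a-z0-9+.-]*):(.*)$/i.exec(input.trim());
  if (!m) return null;
  // "localhost:8080" is host:port, not a scheme named "localhost".
  if (/^\d+(\/|$)/.test(m[2])) return null;
  return m[1].toLowerCase();
}

// source is "typed" (address bar) or "bookmark" (a saved bookmark was activated).
function classify(input, source) {
  const scheme = extractScheme(input);
  if (scheme === null) return "no-scheme"; // hostname/search heuristics not modeled
  if (scheme === "http" || scheme === "https") return "navigate";
  // javascript: is allowed only from bookmarks, per the comment above.
  if (scheme === "javascript" && source === "bookmark") return "run-bookmarklet";
  // Typed javascript:/blob: and unsupported schemes (ftp, gopher) end up here.
  return "search";
}

// Constructed sample inputs (documentation addresses and example.com only).
const SAMPLES = [
  "https://example.com/",
  "ftp://192.0.2.10:443",
  "javascript:void(0)",
  "blob:https://example.com/1234",
  "gopher://example.com",
  "localhost:8080",
];

// Typed inputs the proposed regex would exempt from search,
// but which the described policy still sends to search.
function disagreements(inputs) {
  return inputs.filter(
    (i) => PROPOSED.test(i) && classify(i, "typed") === "search"
  );
}

console.log(disagreements(SAMPLES));
```
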

@tathastu871
Author

CORS will already prevent malicious javascript URLs being run on location.href
At least the user needs to run bookmarklets,
Brave doesn't have devtools or extensions where the user can do web testing
bookmarklets are the only option

@tathastu871
Author

#18671
Just give a thought

@tathastu871
Author

What the hell man cannot run bookmarklets cannot export bookmarks
sucks

@fmarier
Member

fmarier commented Jan 7, 2025

> What the hell man cannot run bookmarklets

Works for me:
Image

> cannot export bookmarks

Open brave://bookmarks/ and then use the export option here:
Image

@bsclifton
Member

Hi folks - I'm going to go ahead and close this issue. It's a bit all over the place as-is (are we asking for specific protocols to be allowed-listed?)

If there's a specific problem (something that can not be done), let's create a new issue for that specific problem. Capturing clearly what happens and what is expected. And we can go from there. Thanks!

@tathastu871
Author

Using window.open() to open javascript blob protocols be banned is good for security purposes
But at least not when user manually type
