From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <emacs-orgmode-bounces+larch=yhetil.org@gnu.org>
Received: from mp2.migadu.com ([2001:41d0:303:e224::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms13.migadu.com with LMTPS
	id YMzrLf4pcGc6QQEAe85BDQ:P1
	(envelope-from <emacs-orgmode-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Sat, 28 Dec 2024 16:40:30 +0000
Received: from aspmx1.migadu.com ([2001:41d0:303:e224::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp2.migadu.com with LMTPS
	id YMzrLf4pcGc6QQEAe85BDQ
	(envelope-from <emacs-orgmode-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Sat, 28 Dec 2024 17:40:30 +0100
X-Envelope-To: larch@yhetil.org
Authentication-Results: aspmx1.migadu.com;
	dkim=fail ("headers rsa verify failed") header.d=gmail.com header.s=20230601 header.b=YBCiDW9c;
	spf=pass (aspmx1.migadu.com: domain of "emacs-orgmode-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="emacs-orgmode-bounces+larch=yhetil.org@gnu.org";
	dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com (policy=none)
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1735404030;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:list-id:list-help:
	 list-unsubscribe:list-subscribe:list-post:dkim-signature;
	bh=CilipKU0uEcjWRyYNOqO4flSlbeW43rKi8VY2WmhI+I=;
	b=dkOuMwA5ERktD6tBSalqlXQlzYW+/g0ioooYHJYU8cMyXNuX9i3jgHJt8bPCnrwA8d59IM
	oRYRyrQnZ7r4TwhPtgoBWMchXV9xsRBVh/CsYxowrLn7+ZplkEJC5eRP+2gHio25UdTMI1
	G3rB1KzYmFUmVSP4CHJnJi3PCJR313TtCxrTA2oZj7EbQCVDovTSOKSZMIMo+r8RNj2oWn
	QmOMqQXSIf9pkFi59CdPY5lHWxlDLVgcFnhYrdGgZLC7utL0WxkTDIKniHUX/wXnPjfVhM
	p4kjl0etR0ysSG01d/2GURLPRtqlsoRLgHQiiWqIfBELx25QEPJBT9j3QZoGoQ==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=fail ("headers rsa verify failed") header.d=gmail.com header.s=20230601 header.b=YBCiDW9c;
	spf=pass (aspmx1.migadu.com: domain of "emacs-orgmode-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="emacs-orgmode-bounces+larch=yhetil.org@gnu.org";
	dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com (policy=none)
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1735404030; a=rsa-sha256; cv=none;
	b=CVHB4CaprwzH/qSpxR0Wm/CA0vO2KNixEc3OXmTypAPT6SRdXQ1+uM65hgjDYJfpdPyYFy
	kwM4ort3V2wMKc2A3wcBCKuyUNALb8DU0qWBz1MOmheF6XD+knN9zYg7aq3mIX5yALmZA+
	E/8Nxbg/nXJwBy1sef6SMHCMuFxpzh6YFVfi3ojS9KgQPt9U1QZe6+pMKIvnDazh+OToF7
	prsfyHWDJd47ajOVdvDRlW3B6uaAlxR27Bdjj5304EqLETbBNYowlVwHn8AyCfTg7NGek2
	RUwJl2gqzuD8zDJyUC3VL1Ki2upj/Dodo12rIE2UJN0+oR70pg2b2YWGmirH/A==
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id A47F319CE
	for <larch@yhetil.org>; Sat, 28 Dec 2024 17:40:30 +0100 (CET)
Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <emacs-orgmode-bounces@gnu.org>)
	id 1tRZJZ-0008G7-HD; Sat, 28 Dec 2024 11:05:21 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <manikulin@gmail.com>)
 id 1tRZJX-0008Fb-39
 for emacs-orgmode@gnu.org; Sat, 28 Dec 2024 11:05:19 -0500
Received: from mail-lf1-x12d.google.com ([2a00:1450:4864:20::12d])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <manikulin@gmail.com>)
 id 1tRZJV-00015C-7o
 for emacs-orgmode@gnu.org; Sat, 28 Dec 2024 11:05:18 -0500
Received: by mail-lf1-x12d.google.com with SMTP id
 2adb3069b0e04-53e3a37ae07so8712007e87.3
 for <emacs-orgmode@gnu.org>; Sat, 28 Dec 2024 08:05:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1735401910; x=1736006710; darn=gnu.org;
 h=content-transfer-encoding:in-reply-to:mail-followup-to:from
 :content-language:references:to:subject:user-agent:mime-version:date
 :message-id:sender:from:to:cc:subject:date:message-id:reply-to;
 bh=CilipKU0uEcjWRyYNOqO4flSlbeW43rKi8VY2WmhI+I=;
 b=YBCiDW9cGZszF7L2MMjpFJNfh96warbaiQsTzUv+GJWlxlH3tklQO1zsq1W8L4WfGI
 yoAO2C/tr4KFMi+n2e7hdfybETWn5LQITXktdS7rBskyVHmrh5FmIJyOVnP3Eme/w8GE
 YROM9esFk+vyuPlngHEHVh8v/8K/hYjVikLCsEvuS53IemlHkGbMW2z0cn2kYao1NYiB
 s9F8Kk7jQkhQsbqCgCSXM8tPqsG27YlqfRKKnLl61DTTV/WZpS0j1J3uVUb8baii6z16
 EKWPIncnArYDg3gPwuKwOifiYQ/n0P0eDqVWHNb00dn5xtF+TiO20rBUvEw75Q7MKHcv
 zEng==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1735401910; x=1736006710;
 h=content-transfer-encoding:in-reply-to:mail-followup-to:from
 :content-language:references:to:subject:user-agent:mime-version:date
 :message-id:sender:x-gm-message-state:from:to:cc:subject:date
 :message-id:reply-to;
 bh=CilipKU0uEcjWRyYNOqO4flSlbeW43rKi8VY2WmhI+I=;
 b=gneGGLJSJ6EYT603jMZULpkIVEezVbK4OMH4FdgffW+XucZTiuLpKNnaLcA9QShSLE
 YMm1Qqbd2L/6UDxcGnalTbtMK5N3otw04MeYD5XOhymSPwzPYE2k9YFkDK+CNLvj+vYP
 e5Nt43hYlEhMkqSMkAuuG4gW0Uq9z/FzzB7FWoKj/YbD3g27zKNOjBwqYruRWpzaDPzT
 +JE7U/AuokRwXnnRBXazXxjOSA6D81vOdc4chnnHytut3q2nwdes32ar0lIpT+0Kbopn
 MBOIIfIbu2ZtdJuRJV7PmSn9As5kxw4uiXUzXH6osza3PIRVt6hstuzTI0GlSwMvDbtk
 QwAQ==
X-Forwarded-Encrypted: i=1;
 AJvYcCXiJWmfMPkM+UVQ0QuylAuRRw0vCwq6Ek8or44o7yrBeixRdZYTxhKuzD+jCZyDZamvAq/Ry2KX83RHJVk5@gnu.org
X-Gm-Message-State: AOJu0Yy9JOXBjeZxLE9Dz8eh8j+ZYyPtlSEUDase3K5AcQPLKxAI/Kd2
 oJ4PalsyPS7yrEbikH+iKMvgwE4ogw25UvhGKGUqKe1xe1qDMsmO
X-Gm-Gg: ASbGncsCXuxRYkQnk1lJTcvKtDLLmAcWQBjGz0itFPphKkB8WazfLlDoCZeDBbiPD3U
 n7k3kJq2tW5DOtGZrN4RlRaFOBOdbyOXlxSHUpvNK+a32lau3v0XLX/gKrc0atY0M2UoHV7VC/i
 3kS8pY1SO7X+MeXg7Ig3JyCRqSjEMeCkX+C7K9b1VtCQ+WX3eYogrvsufbnILX7MkrPvC6CqzT5
 fkpXwrp/2dui6r43WFHIiTCixNPquIwcVx+HK0waLuLKJQXt2G9PScedjLkzVwYZ7PDnux/Aebr
 6ZI=
X-Google-Smtp-Source: AGHT+IElxb4Vn7ESKt4WrOPyYrmTNzrnpnOc0UmMi5P9Z1wnyCtUpk7g5hpwWdVlnPRLpFleYDGf2A==
X-Received: by 2002:a05:6512:3c8c:b0:541:3587:9d45 with SMTP id
 2adb3069b0e04-542295246c7mr9523673e87.4.1735401909540; 
 Sat, 28 Dec 2024 08:05:09 -0800 (PST)
Received: from [192.168.1.149] (nat-0-0.nsk.sibset.net. [5.44.169.188])
 by smtp.googlemail.com with ESMTPSA id
 2adb3069b0e04-54223831fd3sm2696724e87.253.2024.12.28.08.05.08
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
 Sat, 28 Dec 2024 08:05:09 -0800 (PST)
Message-ID: <9b2e7d75-e415-4629-9cac-23d3c11d4d10@gmail.com>
Date: Sat, 28 Dec 2024 23:05:08 +0700
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: [BUG] Org-protocol bookmarklets in Firefox behaving badly after
 recent upgrade [9.6.15 (release_9.6.15 @ /usr/share/emacs/29.4/lisp/org/)]
To: Rehan Deen <rehan.deen@gmail.com>, emacs-orgmode@gnu.org
References: <87pllx7219.fsf@gmail.com>
 <eedf34d6-070d-471f-a9f5-626d7bc86f91@gmail.com> <877c7jq5dz.fsf@gmail.com>
Content-Language: en-US, ru-RU
From: Max Nikulin <manikulin@gmail.com>
Mail-Followup-To: Rehan Deen <rehan.deen@gmail.com>, emacs-orgmode@gnu.org
In-Reply-To: <877c7jq5dz.fsf@gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Received-SPF: pass client-ip=2a00:1450:4864:20::12d;
 envelope-from=manikulin@gmail.com; helo=mail-lf1-x12d.google.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: emacs-orgmode@gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "General discussions about Org-mode." <emacs-orgmode.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-orgmode>,
 <mailto:emacs-orgmode-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/emacs-orgmode>
List-Post: <mailto:emacs-orgmode@gnu.org>
List-Help: <mailto:emacs-orgmode-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-orgmode>,
 <mailto:emacs-orgmode-request@gnu.org?subject=subscribe>
Errors-To: emacs-orgmode-bounces+larch=yhetil.org@gnu.org
Sender: emacs-orgmode-bounces+larch=yhetil.org@gnu.org
X-Migadu-Flow: FLOW_IN
X-Migadu-Country: US
X-Spam: Yes
X-Migadu-Scanner: mx12.migadu.com
X-Migadu-Spam: Yes
X-Spam-Score: 10.00
X-Migadu-Queue-Id: A47F319CE
X-Migadu-Spam-Score: 10.00
X-TUID: g4bH79h7HdP3

On 28/12/2024 20:55, Rehan Deen wrote:
> Max Nikulin writes:
>>> Interestingly, the `org-capture` extension for Firefox from
>>> https://github.com/sprig/org-capture-extension continues to work without
>>> producing this issue (i.e. the link is captured and the webpage
>>> continues to be displayed properly).
>>
>> So Firefox and Chromium behavior content scripts has diverged.
>> Chromium asks permission on behalf of the current web page while
>> Firefox treats as the add-on permission. Likely it is a result of
>> <https://bugzilla.mozilla.org/1792138>
>> "(CVE-2023-25729) Extensions are not prompted before opening external
>> schemes, leading to security issues"
[...]
> I suppose it means that we should expect some further disruptive behavior
> to extensions (not just the insecure bookmarklets) using Org-protocol,
> but as you indicate it sounds like it is a wider problem.

I like that Firefox associate the external handler permission with the 
add-on. I am against granting permission to web sites. I do not think 
that Chromium will follow. Since content scripts working with page 
elements, they will likely be afraid that page JavaScript may fool 
content script trying to inject something malicious into external 
protocol URL.

There is extension API that allows to launch external protocol handler 
without content scripts. However there are still some corner cases.