
Send To Bookmark(let) API

Open SoniEx2 opened this issue 1 year ago • 3 comments

Introduction

Sometimes you wanna be able to share links between websites. The current approach is to copy and paste the link, or alternatively for a given web service to implement proprietary sharing APIs from other websites.

Use Cases (Recommended)

Fedi-To wants to wrap links in an open redirect so that users can customize their web experience more effectively. It should also be possible to easily share links to e.g. tweets on something like Discord.

Goals (Optional)

The proposal must allow the user to pick arbitrary links to send to another - also arbitrary - webpage or script. This webpage or script could e.g. change the link before copying it to the clipboard, display a wrapped link (that can be further copied to clipboard/shared), or provide an interface for selecting a user to send the link to.

Non-goals (Optional)

The proposal is not concerned with allowing websites to more easily create cross-website "share" buttons.

Proposed Solution

We believe right-clicking a link or long-pressing a link should bring up a menu entry called "Send to Bookmark" or "Share to Bookmark", which then brings up the user's bookmarks. When selected, the bookmark gets opened and gets a Referer header - or maybe a purpose-built header - with the selected link. The selected link should ideally also be accessible to JavaScript.

Examples (Recommended)

It would allow us (Fedi-To) to provide a bookmark for converting a link such as

https://chaos.social/@SoniEx2/110378417159272083

into

https://fedi-to.net/go?h=5&target=web%2Bap://chaos.social/@SoniEx2/110378417159272083

for sharing on other platforms.

Alternate Approaches (Optional)

While it's perfectly viable to do something like registerSendToHandler, similar to registerProtocolHandler and the like... nobody likes the workflow that would provide. Letting the user make their own bookmarks seems way better.

Privacy & Security Considerations

No considerable privacy or security concerns are expected, but we welcome community feedback.

Let’s Discuss (Optional)

Interaction with bookmarklets?

SoniEx2, May 16 '23 14:05

Anyone who sends a request can set the referrer header. So if there are any security implications at all, this might be a bit optimistic.

chaals, May 21 '23 20:05

The Referer header is a forbidden header, so there's only so much you can do with it. But yes, it is possible to inject the current page's URL into it through a link. This doesn't seem like much of an issue tho - you could also be tricked into sharing a malicious link with a web app, so it must be handled either way.

The usual mitigations apply: don't do automated actions on GET, be careful with untrusted input, etc.

SoniEx2, May 21 '23 20:05

(The only security implication, of using the referer header specifically, is that you get to far more easily see what websites/social media apps are leaking the referer, so you can demand a stronger referer policy from them for user links, or switch apps altogether. So we feel like putting this kind of thing at the average user's reach would do very good things for user privacy.)

SoniEx2, May 27 '23 10:05
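The mitigations named in the thread ("don't do automated actions on GET, be careful with untrusted input"), sketched for a page that receives a shared link in the Referer header. This is an added example, not code from the proposal or from Fedi-To; the function names, the lower-cased `referer` key, the length cap and the response shape are assumptions.

```javascript
// Hypothetical receiving side of a "Send to Bookmark" target.
// Any client can set Referer, so the value is parsed and checked like
// any other attacker-controlled input before it is shown or used.
const MAX_LINK_LENGTH = 2048; // assumed cap, not taken from the proposal

// Return a parsed URL for the shared link, or null if it is unusable.
function parseSharedLink(headers) {
  const raw = headers['referer'];
  if (typeof raw !== 'string' || raw.length === 0) return null;
  if (raw.length > MAX_LINK_LENGTH) return null;
  let url;
  try {
    url = new URL(raw);
  } catch {
    return null; // not an absolute URL
  }
  // Only web links; rejects javascript:, data:, file: and similar schemes.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  // Embedded credentials have no place in a link meant for sharing.
  if (url.username || url.password) return null;
  return url;
}

// Escape a string for insertion into HTML text or attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// GET never performs the share; it only renders a confirmation that the
// user has to submit explicitly (the submit handler is out of scope here).
function handleShare(method, headers) {
  if (method !== 'GET') return { status: 405, sideEffects: false, body: 'Method Not Allowed' };
  const link = parseSharedLink(headers);
  if (!link) return { status: 400, sideEffects: false, body: 'No usable link supplied' };
  return {
    status: 200,
    sideEffects: false,
    body: `<p>Share this link?</p><code>${escapeHtml(link.href)}</code>`,
  };
}
```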