
Open external links in user browser for Theia electron app

Open rschnekenbu opened this issue 10 months ago • 3 comments

Since https://github.com/eclipse-theia/theia/pull/11048, the window open handler for electron application is set to be always a secondary window. For all external links, we have to rely on the opener-service to delegate properly to an external application with the 'http' open handler (https://github.com/eclipse-theia/theia/blob/master/packages/core/src/browser/http-open-handler.ts).

I would rather expect the Theia electron to open any external links by default with an external browser, and only manually code the opening of a secondary window when required.

This may, however, cause some issues with security (https://www.electronjs.org/docs/latest/tutorial/security#13-disable-or-limit-navigation).

rschnekenbu avatar Apr 11 '24 10:04 rschnekenbu

@rschnekenbu "secondary window" has a technical meaning in Theia. From the context, I suspect you mean a "new Theia window"?

tsmaeder avatar Apr 12 '24 07:04 tsmaeder

@rschnekenbu it's not clear to me what is actually happening. Do you have steps to reproduce?

tsmaeder avatar May 08 '24 07:05 tsmaeder

Because if I type an https link in an editor (https://github.com) and ctrl-click it, it opens in the browser.

tsmaeder avatar May 08 '24 08:05 tsmaeder

Hi @tsmaeder,

Within Electron apps, external links are best opened in the system's browser instead of another Electron window. See for example this code which is necessary just to open a link outside of Electron: https://github.com/eclipse-theia/theia-blueprint/blob/bfa92d03e9bf6f572e4410066e856883df5b011f/theia-extensions/product/src/browser/branding-util.tsx#L20-L33

If one renders a normal <a href to some domain, Theia by default will open another Electron window and render it there. It's usually not recommended to do that as the user could navigate to any page then and might visit or be led to malicious sites which could exploit the "older" Electron Browser.

Typically Electron apps are configured so that any link opens the system's browser and only selected whitelisted ones are allowed to be opened in another Electron window.

sdirix avatar Jun 04 '24 12:06 sdirix

I'm just not very sure this is a good idea: I know VS Code does it here, but on the other hand, the electron security doc explicitly warns against it. Enabling opening random links sounds like handing the adopters a big gun to shoot themselves in the foot with. @msujew any input on this one?

tsmaeder avatar Jun 05 '24 07:06 tsmaeder

@tsmaeder IMO it would be fine to at least open this up to open all http(s) links via the OS's shell. Maybe show a warning for everything else? I.e. "the application has requested to open <url>. Are you sure you want to open this link using your operating system?". Looking at some of the other Electron software I have on my PC, it seems like everyone just disregards the Electron security advice (especially Microsoft, which is the largest contributor to Electron). MS Teams, VS Code, Slack, etc. all just open http links in the browser without hesitation.

msujew avatar Jun 05 '24 08:06 msujew
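
The policy discussed in the last comments (http(s) links go to the system browser, only allowlisted origins get an Electron window, everything else needs a user confirmation), as an added example that is not Theia's code. `IN_APP_ORIGINS`, `classifyLink`, `installLinkPolicy` and `confirmOpen` are hypothetical names; `setWindowOpenHandler` and `shell.openExternal` are Electron APIs, passed in as parameters so the decision logic runs without Electron.

```javascript
// Constructed allowlist of origins that may be rendered in an Electron window.
const IN_APP_ORIGINS = ['https://docs.example.test'];

// Decide what to do with a URL the renderer asked to open.
// Returns 'in-app' | 'external' | 'confirm' | 'deny'.
function classifyLink(rawUrl, inAppOrigins = IN_APP_ORIGINS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return 'deny'; // not an absolute URL: nothing safe to hand to the OS
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return 'confirm'; // file:, mailto:, custom schemes: ask the user first
  }
  // Compare the parsed origin, never a string prefix, so that
  // 'https://docs.example.test.evil.test' does not match the allowlist.
  return inAppOrigins.includes(url.origin) ? 'in-app' : 'external';
}

// Wire the policy into a window. `webContents` and `shell` are Electron's
// objects; `confirmOpen` is a hypothetical async callback that shows the
// warning dialog and resolves to true or false.
function installLinkPolicy(webContents, shell, confirmOpen) {
  const openOutside = async (url) => {
    const verdict = classifyLink(url);
    if (verdict === 'external' ||
        (verdict === 'confirm' && await confirmOpen(url))) {
      await shell.openExternal(url);
    }
  };
  webContents.setWindowOpenHandler(({ url }) => {
    if (classifyLink(url) === 'in-app') {
      return { action: 'allow' };
    }
    openOutside(url).catch((err) => console.error('openExternal failed', err));
    return { action: 'deny' }; // never create an Electron window for it
  });
}
```

Keeping `classifyLink` free of Electron imports lets the allowlist matching be unit-tested against lookalike hosts before it guards a real window.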