API: Support protocol handlers #46256
Comments
Yeah, technically that allows to implement many things but also a little sneaky Why not explicit API like an activation event and some |
|
For security, the main risk is not that the extension itself would be malicious but that it may unknowingly expose commands that could be used in a dangerous way. The classic example would be a friends list extension that wants to let people easily friend each other by clicking on a link. I then come along and craft a url such as: Just something to be aware of. At the very least, we should document that extensions must prompt before performing potentially dangerous operations. We could also prompt ourselves, something like: "Are you sure you want to activate extension X?" |
|
Feedback from API discussion:
|
|
Proposed API pushed! Created #48426 to promote it to public soon. |
joaomoreno
added
feature-request
From #45685
Problem
There is no current way for extension to react on URLs being open with the
vscode:scheme. Allowing extensions to do so can enable many different scenarios. A specific one is to provide Clone URLs in Github/TFS which would simply invoke VS Code to clone a URL, using its git extension.Security Concerns
Allowing extensions to handle a URL doesn't seem to open any additional security concerns, since it's already possible to run arbitrary code by having a user click a URL while taking advantage of the
*activation event.There is no added API for this to happen, since we can leverage commands to handle URLs and the
contributesmanifest field to expose a URL handler.An example URL format would be:
Proposal
I suggest to keep it simple and allow a single URL handler per extension:
The
handleURLCommandwould be invoked with a single instance ofvscode.Urias a single argument:The text was updated successfully, but these errors were encountered: