Microsoft Windows / IE Related Notes
- In most cases, the invoked URL is injected to replace the %1 parameter in the registered \Shell\Open\Command.
- Windows 7 and later also support protocol invocation via the IExecuteCommand::DelegateExecute COM mechanism, instead of using the Shell Open Command. Some browsers do not yet properly support DelegateExecute because they first look for a Shell Open Command in the registry before passing a URL to ShellExecute.
- Thanks to their simplicity, and to the fact that the Windows ShellExecuteEx function can easily be used to launch such protocols, all major Windows web browsers (IE, Firefox, Chrome, Safari, Opera) support Application Protocols. However, there are some important differences in behavior between browsers.
- despite their simplicity, Application Protocols have nevertheless been the source of a large number of vulnerabilities over the years, and thus nearly all browsers (except Safari) will prompt the user before launching the specified program.
- In Internet Explorer 7 and later on Windows Vista and later, launching an application to handle an Application Protocol URL will also consult the Protected Mode Elevation policy for the target executable. By default, this policy is that the user will be prompted for permission to launch the program at the Medium Integrity Level:
- Another behavior to be aware of is that some callers will decode or encode URLs before passing them along to the target program. For historical reasons, Internet Explorer performs a single percent-decoding pass on the URL before calling ShellExecute; by default IE9 and IE10 still perform this decoding unless the protocol’s registry key contains a REG_DWORD named UseOriginalUrlEncoding with value 0x1. However, the Windows Shell’s Start > Run command performs no such decoding pass.
- On Windows 8, Apps may use their manifest to register to handle Application Protocols. Protocol activation APIs are more cleanly implemented in Metro-style apps
- The msProtocols object was removed for the IE10 release preview. Instead use the msLaunchUri api to launch a protocol,
- Web developers often ask if there’s some way to detect whether the
client has a given protocol available. Generally, the answer is no,
this isn’t possible
- lpParameters: Type: LPCTSTR Optional. The address of a null-terminated string that contains the application parameters. The parameters must be separated by spaces. If the lpFile member specifies a document file, lpParameters should be NULL.
- lpVerb: Type: LPCTSTR A string, referred to as a verb, that
specifies the action to be performed. The set of available verbs depends
on the particular file or folder. Generally, the actions available from
an object's shortcut menu are available verbs. This parameter can be
NULL, in which case the default verb is used if available. If not, the
"open" verb is used. If neither verb is available, the system uses the
first verb listed in the registry. The following verbs are commonly
How to handle URI activation (Windows Store apps using C#/VB/C++ and XAML)
- Windows allows an app to register to become the default handler for a certain URI scheme name. Both desktop and Windows Store apps can register to be a default handler for a URI scheme name
- Any app or website can use your URI scheme name, including malicious ones. So any data that you get in the URI could come from an untrusted source. You should never perform a permanent action based on the parameters that you receive in a URI.
- If you are creating a new URI scheme name for your app, be sure to follow the guidance in RFC 4395. This ensures that your name meets the standards for URI schemes.
- Provides data when an app is activated because it is the app associated with a URI scheme nam
- The received URI is eventArgs.Uri.AbsoluteUri
How to handle file activation (Windows Store apps using C#/VB/C++ and XAML)
Association launching sample
File type and URI associations model
Guidelines for file types and URIs (Windows Store apps)
Guidelines and Registration Procedures for New URI Schemes
About URL Monikers
- A moniker is a COM object that identifies an object and provides services to allow other components to obtain a pointer to that object. The system-provided moniker class supports asynchronous binding to a Uniform Resource Locator (URL).
- Monikers connect to and activate objects, whether they are in the same machine or across a network. For example COM uses monikers to establish a network connection. They are also used to identify, connect to, and run OLE compound document link objects. In this case, the link source acts as the moniker provider and the container holding the link object acts as the moniker client.
are used as the basis for linking in OLE. After a moniker is bound to
an object, the moniker's IMoniker interface can be used to locate,
activate, and access the bound object without having any other specific
information on where the actual object is located. The COM moniker
architecture provides a convenient programming model for working with
URLs. The moniker architecture supports extensible and complete name
parsing, as well as printable names. Because URLs frequently refer to
resources across high-latency networks, binding a moniker to a URL
synchronously impacts performance. This is because the process has to
wait for responses from the network before completing the binding. For
this reason, the URL moniker class supports asynchronous as well as
synchronous binding. For more information, see Creating and Using URL
Creating and Using URL Monikers
- szExtraInfo,Behavior of this field is moniker-specific. For URL monikers, this string is appended to the URL when the bind operation is started. Like other OLE strings, this value is a Unicode string that the client should allocate using CoTaskMemAlloc. The URL moniker frees the memory later.
- szCustomVerb,BSTR specifying a protocol-specific custom action to
be performed during the bind operation (only if dwBindVerb is set to
Asynchronous Pluggable Protocols
About Asynchronous Pluggable Protocols
- A URL follows the syntax described in RFC 1738, which specifies a
protocol scheme followed by a scheme-specific portion
- Uniform Resource Locators (URL)
- Internet Explorer uses two mechanisms for registering new URL protocol handlers. The first method is to register a URL protocol and its associated application so that all attempts to navigate to a URL using that protocol launch the application (for example, registering applications to handle mailto: or news: URLs). The second method uses the Asynchronous Pluggable Protocols API, which allows you to define new protocols by mapping the protocol scheme to a class.
- An asynchronous pluggable protocol handler is an apartment-threaded COM object that handles any calls made to the protocol scheme for which it is registered
- When a client application makes a request, Urlmon looks up the protocol scheme in the registry and creates an instance of the protocol handler registered for that protocol scheme. If the protocol scheme was successfully mapped to the class identifier (CLSID) of a protocol handler, CoCreateInstance is called with that class asking for an IClassFactory interface. An instance of the protocol handler is obtained with IClassFactory::CreateInstance.
- To register a custom URL protocol, add a key for the protocol scheme of the custom URL protocol to the registry under HKEY_CLASSES_ROOT\PROTOCOLS\Handler\protocol_scheme. Under that key, the string value, CLSID, must be set to the CLSID of the protocol handler.
- The protocol handler cannot use any Windows messaging to switch back to the thread it was instantiated on, since the protocol handler must work on non-GUI threads.
- A pluggable MIME filter is an asynchronous pluggable protocol that receives data through a stream, performs some operation on the data, and returns a data stream. The output data might be in a different format from the original stream.
Asynchronous Pluggable Protocol Overviews
Registering an Application to a URL Protocol
URL Monikers Overviews and Tutorials
Handling MIME Types in Windows Internet Explorer
MIME Type Detection in Windows Internet Explorer
- MIME type Detection Algorithm discussion
Auto-Launching apps using file and URI associations for Windows Phone 8
Launcher.LaunchFileAsync(IStorageFile) | launchFileAsync(IStorageFile) method
Understanding the Protected Mode Elevation Dialog
Custom URL Protocol for Invoking Application
Custom HyperLinks Using a Generic Protocol Handler
Custom Hyperlinks Using Asynchronous Pluggable Protocols
A windows 8 trick: Protocol activation of apps (and the nick app)
Using protocol handlers as a ultra thin layer of integration
- see ProtocolHandlerDemo.zip
Firefox Related Notes
Web-based protocol handlers
- Protocols are registered in the appxmanifest for the project
- On Windows, protocol registration is done by the operating system
Linux Related Notes
[Ubuntu] Using a custom protocol handler in Firefox to run a shell script?
Make a link in the Android browser start up my app?
- DO NOT use your own custom scheme
Launch custom android application from android browser
- Per Google Engineer: Use an
Android Intents with Chrome
- ...Android lets you launch apps directly from a web page via an Android Intent.
- ...an intent anchor and embed that into the page so the user can launch the app. Flexible approach...and the ability to pass extra information into the app via Intent Extras.
Intents and Intent Filters (see: Extras)
- Key-value pairs that carry additional information required to accomplish the requested action. Just as some actions use particular kinds of data URIs, some actions also use particular extras
- ...add extra data with various putExtra() methods, each accepting two parameters: the key name and the value...create a Bundle object with all the extra data, then insert the Bundle in the Intent with putExtras()
How to launch external applications using custom protocols (rock:// instead of http://)
- python example..
- see last line (beginning with @="\"python\")...call python...handler script
- also see: Registering a Protocol on Linux
Apple OS X References
Launching External Applications using Custom Protocols under OSX
How do I configure custom URL handlers on OS X?
6.6 System state and capabilities
220.127.116.11 Custom scheme and content handlers
- Application URL is a trick so that you can launch any application on your local computer from your browser
- Both Chromium and Google Chrome do not allow the browser or it's extensions to access local files, so you cannot create an extension that would call a program already on your machine
- In order for this to work, it requires you to add a new registry key to the Windows Registry to register a new URL Protocol.
Chrome doesn’t handle custom protocols correctly - (still ?)
- see: This can be adjusted in Chrome's Local State file.
- servlet based approach would have security issues...