Over the past few days, we’ve gotten several questions from customers about how you can invoke third-party applications on Windows by specially-crafted URLs that invoke Application URL protocol handlers (Firefox’s “firefoxurl:” has been the most discussed example). I wanted to provide some additional context on the issue and clarify IE’s design.
Custom URL handlers enable third-party applications (such as streaming media players and internet telephony applications) to launch directly from within another application – commonly a web browser, but even from a command line via Start > Run. For example, the “mailto:” custom URL handler enables you to click on a link and start writing an email. To make these custom URL handlers more useful, they can accept parameters that provide more specific instructions. For instance, mailto: accepts parameters like subject and body.
The number of potential applications (and protocol handlers) is effectively limitless, allowing for many new and exciting ways to enrich the Web. However, as with many extension models, there are security implications. In this example, one potential threat is that the custom URL may have dangerous parameters, such as strings that are too long and might cause a buffer overflow. The limitless variety of applications and their unique capabilities make it very difficult to have any meaningful automated parameter validation by the hosting (caller) application. It is the responsibility of the receiving (called) application to make sure it can safely process the incoming parameters.
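The two paragraphs above put the burden of parameter validation on the receiving application. As an added illustration (not code from the original post, Microsoft, or any real handler), here is how a called application for a hypothetical “myapp:” scheme could parse the URL it is handed into fixed-size buffers without trusting its length or contents: it checks the scheme, bounds the total length, decodes percent-escapes into capped buffers, refuses control characters, and accepts only an allowlisted action and a single known parameter name. The scheme name, limits, action names and the “target” parameter are all assumptions for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical scheme and limits chosen for this example. */
#define SCHEME      "myapp:"
#define MAX_URL_LEN 2048
#define MAX_ACTION  32
#define MAX_VALUE   256

enum parse_status {
    PARSE_OK = 0,
    PARSE_BAD_SCHEME,
    PARSE_TOO_LONG,
    PARSE_BAD_CHAR,
    PARSE_UNKNOWN_ACTION,
    PARSE_UNKNOWN_PARAM
};

struct handler_request {
    char action[MAX_ACTION + 1];
    char target[MAX_VALUE + 1];   /* the only parameter this handler accepts */
};

static const char *const allowed_actions[] = { "open", "play" };

/* Append one byte to a bounded, NUL-terminated buffer; 0 when full. */
static int push_char(char *buf, size_t *len, size_t cap, char c)
{
    if (*len >= cap) return 0;
    buf[(*len)++] = c;
    buf[*len] = '\0';
    return 1;
}

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = (char)tolower((unsigned char)c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Copy [p, end) into out, decoding %XX, never writing more than cap bytes. */
static enum parse_status copy_component(const char *p, const char *end,
                                        char *out, size_t cap)
{
    size_t len = 0;
    out[0] = '\0';
    while (p < end) {
        char c = *p;
        if (c == '%') {
            if (end - p < 3) return PARSE_BAD_CHAR;
            int hi = hexval(p[1]), lo = hexval(p[2]);
            if (hi < 0 || lo < 0) return PARSE_BAD_CHAR;
            c = (char)(hi * 16 + lo);
            p += 3;
        } else {
            p++;
        }
        /* Reject control characters (including NUL) after decoding. */
        if ((unsigned char)c < 0x20 || c == 0x7f) return PARSE_BAD_CHAR;
        if (!push_char(out, &len, cap, c)) return PARSE_TOO_LONG;
    }
    return PARSE_OK;
}

/* Parse "myapp:[//]action[?target=value]" into req; fails closed on anything else. */
enum parse_status parse_handler_url(const char *url, struct handler_request *req)
{
    memset(req, 0, sizeof *req);

    /* Bound the total length before doing anything else with the string. */
    size_t total = 0;
    while (total <= MAX_URL_LEN && url[total]) total++;
    if (total > MAX_URL_LEN) return PARSE_TOO_LONG;

    /* Case-insensitive scheme check; stops at the first mismatch (or NUL). */
    size_t slen = strlen(SCHEME);
    for (size_t i = 0; i < slen; i++)
        if (tolower((unsigned char)url[i]) != SCHEME[i]) return PARSE_BAD_SCHEME;

    const char *p = url + slen;
    if (p[0] == '/' && p[1] == '/') p += 2;      /* tolerate "myapp://action" */

    const char *q = strchr(p, '?');
    const char *end = url + total;
    enum parse_status st = copy_component(p, q ? q : end, req->action, MAX_ACTION);
    if (st != PARSE_OK) return st;

    int allowed = 0;
    for (size_t i = 0; i < sizeof allowed_actions / sizeof *allowed_actions; i++)
        if (strcmp(req->action, allowed_actions[i]) == 0) allowed = 1;
    if (!allowed) return PARSE_UNKNOWN_ACTION;
    if (!q) return PARSE_OK;

    /* key=value pairs separated by '&'; only the "target" key is recognised. */
    p = q + 1;
    while (*p) {
        const char *amp = strchr(p, '&');
        const char *kv_end = amp ? amp : end;
        const char *eq = memchr(p, '=', (size_t)(kv_end - p));
        if (!eq) return PARSE_BAD_CHAR;
        char key[16];
        st = copy_component(p, eq, key, sizeof key - 1);
        if (st != PARSE_OK) return st;
        if (strcmp(key, "target") != 0) return PARSE_UNKNOWN_PARAM;
        st = copy_component(eq + 1, kv_end, req->target, MAX_VALUE);
        if (st != PARSE_OK) return st;
        if (!amp) break;
        p = amp + 1;
    }
    return PARSE_OK;
}

int main(void)
{
    /* Constructed sample inputs, as a browser might pass them on the command line. */
    const char *samples[] = { "myapp://play?target=song%2042.mp3",
                              "myapp:delete?target=x", "myapp:open?target=%00" };
    for (size_t i = 0; i < 3; i++) {
        struct handler_request r;
        printf("%-40s -> status %d\n", samples[i], parse_handler_url(samples[i], &r));
    }
    return 0;
}
```

The point of the shape is that every write goes through a capped buffer and every unexpected input yields a status code rather than a best-effort guess; the parsed request is only acted upon when the status is PARSE_OK.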
Protected Mode in IE7 in Windows Vista provides some additional protection when a user clicks on Application URL Protocol links by notifying the user that “A website wants to open web content using this program on your computer” and requiring user approval before invoking the actual application.
URL protocol handlers are one of the ways we enable rich experiences in browsing. However, as with any other program that accepts untrusted data from the web, URL protocol handling applications must be carefully designed with the threat environment in mind.
edit: change makes to make in third paragraph.