Url protocol handler security warnings

I have a custom URL protocol handler for URLs of the form myhandler://path/to/something. This is registered to a locally installed client application that handles the requests and does "the right thing".

However, when I have a link of that form in Outlook (2007), Outlook displays a big scary warning that says:

Microsoft office has identified a potential security concern

This location may be unsafe ...

Hyperlinks can be harmful to your computer and data. To protect your computer, click only those hyperlinks from trusted sources.

Do you want to continue?

I am aware of the Outlook registry key that would enable me to disable these warnings entirely (http://support.microsoft.com/?kbid=925757), but I don't want to be a "bad citizen" on the machine.

Is there some way that I can "whitelist" my URL protocol handler to indicate that I have done due security diligence without opening up access to other URL protocol handlers on the machine that might not be hardened to malicious user input?

Outlook does not prompt for URLs of the form http: https: mailto: (and perhaps others). Is this list hardcoded somewhere deep in the bowels of Office or is there some way to add my specific protocol to the list?

StarBright asked Feb 11 '10 16:02



2 Answers

Looking at how to do this for Outlook 2013, I used @bmadtiger's answer to figure out the path for a registry key to trust a single protocol. For Outlook 2013, the Policies\Microsoft\Office\15.0\Common key does not exist by default, so you have to add it yourself.

So, to trust a single protocol, add the following key:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\{version}\Common\Security\Trusted Protocols\All Applications\{protocol}:

Where {version} is the internal version of Office and {protocol} is the protocol that you want to trust.

  • Office 2010 {version} is 14.0
  • Office 2013 {version} is 15.0
  • Office 2015 {version} is 16.0

For example, for Office 2013 and protocol ttstudio:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\ttstudio:

If you're looking for a registry file to do so, simply paste the following into a .reg file, changing {version} and {protocol} as necessary, and then execute said registry file:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\{version}\Common\Security\Trusted Protocols\All Applications\{protocol}:]

zastrowm answered Oct 24 '22 01:10
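
The registry change from the answer above, as an added PowerShell example that is not part of the original answer. The function and parameter names are hypothetical; the script validates the scheme name, refuses schemes that have no registered handler, and lists what is already trusted so the per-user allowlist can be audited.

```powershell
# Added example. Function and parameter names are hypothetical.

function Get-TrustedProtocolRoot {
    param([Parameter(Mandatory)][ValidatePattern('^\d+\.\d+$')][string]$OfficeVersion)
    'HKCU:\Software\Policies\Microsoft\Office\{0}\Common\Security\Trusted Protocols\All Applications' -f $OfficeVersion
}

function Get-OfficeTrustedProtocol {
    # Audit: list every scheme already trusted for this Office version.
    param([Parameter(Mandatory)][string]$OfficeVersion)
    $root = Get-TrustedProtocolRoot -OfficeVersion $OfficeVersion
    if (-not (Test-Path -LiteralPath $root)) { return @() }
    # Each trusted scheme is a subkey named "<scheme>:"
    Get-ChildItem -LiteralPath $root | ForEach-Object { $_.PSChildName }
}

function Add-OfficeTrustedProtocol {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$OfficeVersion,
        # RFC 3986 scheme syntax; rejects wildcards, path separators and a trailing ':'.
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z][A-Za-z0-9+.\-]*$')][string]$Protocol
    )
    # Only trust a scheme that is actually registered as a URL protocol handler
    # (Windows marks these with a "URL Protocol" value under HKEY_CLASSES_ROOT\<scheme>).
    $handler = Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\$Protocol" `
        -Name 'URL Protocol' -ErrorAction SilentlyContinue
    if (-not $handler) { throw "'$Protocol' is not a registered URL protocol on this machine." }

    $key = '{0}\{1}:' -f (Get-TrustedProtocolRoot -OfficeVersion $OfficeVersion), $Protocol
    if (Test-Path -LiteralPath $key) { return }   # already trusted, nothing to do
    if ($PSCmdlet.ShouldProcess($key, 'Create trusted-protocol key')) {
        New-Item -Path $key -Force | Out-Null      # -Force creates the missing parent keys
    }
}

# Preview the change, apply it, then review the resulting allowlist:
# Add-OfficeTrustedProtocol -OfficeVersion 15.0 -Protocol ttstudio -WhatIf
# Add-OfficeTrustedProtocol -OfficeVersion 15.0 -Protocol ttstudio
# Get-OfficeTrustedProtocol -OfficeVersion 15.0
```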


I recently had the same problem and could resolve it. The registry keys where you have to register your protocol handler are described in this KB article.

Note that it refers to a hotfix which needs to be installed, but for me it worked without installing anything. Maybe the hotfix was already distributed with the Windows Update service.

Zarat answered Oct 24 '22 01:10