Are Custom URI Handlers EEEEVil? Or Workable? Alternatives?
Are custom URI handlers EEEEEEvil? (TH2G)
Convener: Bill Mills
Notes-taker(s): Bill Mills
Tags for the session - technology discussed/ideas considered:
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Posed the initial question.
Discussed one of the possible ways to protect the URI handler; the Salesforce additional-nonce approach was explained (we hope).
Alternatives:
⁃ Push notifications mentioned as an alternative.
⁃ localhost:$port (the app listens on a loopback port for the callback) mentioned as an alternative.
⁃ Open question for the localhost approach: how do you get the app back in focus on mobile?
⁃ “Colluding 3rd party server”: probably a “long poll” against a server the app controls. Workable, but you still need a way to have the web flow put the focus back on the phone.
⁃ Nonce checking: the app provides a nonce that must be checked before doing anything else with the callback. *** This is probably the winner
Nonce checking would be where the app registers a URI for callback and prepends a per-event or per-app non-guessable value (probably a random number, but could be a device ID, provided other apps on the device cannot read it). The URI handler can then check that prefix before doing any more processing. For example:
Myapp:nonce_UFTh2j4yg4dh5gr?token=&session=
Another good recommendation! Limit your token callback to just that purpose. If you need other custom URI handlers, register a second one rather than overloading the token callback.
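To make the nonce check and the "one handler, one purpose" rule concrete, here is a small worked example written for these notes. It is not code from the session or from Salesforce; the scheme name `myapp`, the `nonce_` prefix and the `CallbackGuard` class are all hypothetical and only follow the shape of the `Myapp:nonce_...` example above. The app mints a fresh random nonce per authorization event, hands the web flow a callback URI carrying it, and the URI handler refuses anything that does not present an outstanding nonce, replays a used one, arrives on a different scheme, or has no token.

```python
"""Nonce-prefixed custom-URI callback check (added example, not from the session)."""
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Hypothetical names modelled on the notes' "Myapp:nonce_..." example.
CALLBACK_SCHEME = "myapp"   # this scheme is used for token callbacks only
NONCE_PREFIX = "nonce_"


class CallbackGuard:
    """Issues an unguessable nonce per authorization event and rejects any
    callback URI that does not carry one of the nonces still outstanding."""

    def __init__(self):
        self._pending = set()   # nonces issued but not yet redeemed

    def begin(self):
        """Start an auth event; returns the callback URI to hand to the web flow."""
        # 128 bits from the OS CSPRNG: a random nonce, not a device ID.
        nonce = secrets.token_urlsafe(16)
        self._pending.add(nonce)
        return f"{CALLBACK_SCHEME}:{NONCE_PREFIX}{nonce}"

    def check(self, uri):
        """Validate an incoming callback before anything else touches it.
        Returns the query parameters as a dict on success, else None."""
        parts = urlsplit(uri)            # urlsplit lowercases the scheme for us
        # Only the token-callback scheme, and only the bare "nonce_..." path form.
        if parts.scheme != CALLBACK_SCHEME or parts.netloc or parts.fragment:
            return None
        if not parts.path.startswith(NONCE_PREFIX):
            return None                  # some other purpose: not this handler's job
        presented = parts.path[len(NONCE_PREFIX):]
        # Compare against every outstanding nonce in constant time, no early exit.
        match = None
        for issued in self._pending:
            if hmac.compare_digest(issued, presented):
                match = issued
        if match is None:
            return None                  # forged, stale, or already-replayed nonce
        self._pending.discard(match)     # single use: the same URI delivered twice fails
        # keep_blank_values=False drops "token=" with no value, so it is rejected below.
        params = parse_qs(parts.query, keep_blank_values=False)
        if "token" not in params:
            return None                  # nonce is consumed anyway: fail closed
        return {k: v[0] for k, v in params.items()}


if __name__ == "__main__":
    # Constructed sample exchange: the app starts a flow, the web side calls back.
    guard = CallbackGuard()
    callback = guard.begin()
    print("handed to web flow:", callback)
    print("valid  :", guard.check(callback + "?token=abc&session=s1"))
    print("replay :", guard.check(callback + "?token=abc&session=s1"))
    print("forged :", guard.check("myapp:nonce_UFTh2j4yg4dh5gr?token=x"))
    print("other  :", guard.check("myapp:open?file=x"))
```

The constant-time loop over all outstanding nonces is deliberate: with a tiny set it costs nothing, and it avoids leaking through timing which prefix bytes matched. Consuming the nonce even when the token is missing is the conservative choice; the user simply restarts the flow.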