Are Custom URI Handles EEEEVil? Or Workable? Alternatives?

From IIW
Jump to: navigation, search

Are custom URI handlers EEEEEEvil? (TH2G)

Convener: Bill Mills

Notes-taker(s): Bill Mills

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Posed the initial question.

Discussing one of the possible ways to protect the URI handler, Saleforce addt’l noce explained (we hope).


⁃ Push notifications mentioned as an alternative.

⁃ Localhost: $port mentioned as an alternative.

⁃ How do you get the app back in focus on mobile apps.

⁃ “Colluding 3rd party server”: probably a “long poll”. Workable but you still need a way to have the web flow put the focus back on the phone.

⁃ Nonce checking: the app provides a nonce that must be checked before doing anything. *** This is probably the winner

Nonce checking would be where the app registers a URI for callback and prepends a per event or per app non-guessable (probably a random number, but could be a deviceID). The URI handler can then check that prefix before doing any more processing. For example:


Another good recommendation! Limit your token callback to just that purpose. If you need other custom URI handlers register a second one.