External links should request user confirmation

[jumde]

Description:

Third party apps can be opened from Brave without user confirmation

Steps to Reproduce

1. Navigate to mailto://[email protected]

Actual result:
Mail opens

Expected result:
Request user confirmation before opening external apps.

Reproduces how often: [Easily reproduced, Intermittent Issue]
Everytime

Brave Version:
1.7 (18.11.30.03)

Device details:
iPhone SE/iOS 12.1

[kylehickinson]

Should a popup be brought up for any non web URL scheme or just non-first-party Apple app schemes?

[tildelowengrimm]

Any scheme which will open an app other than Brave.

[kylehickinson]

Port copy from 1.6, however also need to have this alert come up for all apps not just third-party: https://github.com/brave/browser-ios/blob/development/Client/Frontend/Browser/BrowserViewController/BrowserViewController+WKNavigationDelegate.swift#L191

[jumde]

One more test case:

1. Install appear.in from app store
2. Navigate to appear.in/brr
3. Click Open in App - No user confirmation is needed

[kjozwiak]

Example of the modal notification:

Verification PASSED on iPhone 6s running iOS 13.2.2 using 1.14 (19.11.22.15)

• ensured that navigating to mailto://[email protected] displayed the above modal
• ensured that selecting Don't Allow doesn't load Mail
• ensured that selecting Allow correctly opens the Mail application
• went through External links should request user confirmation #551 (comment) and ensured the above modal wasn't being displayed

Verification PASSED on iPhone 6s+ running iOS 12.4.1 using 1.14 (19.11.22.15)

• ensured that navigating to mailto://[email protected] displayed the above modal
• ensured that selecting Don't Allow doesn't load Mail
• ensured that selecting Allow correctly opens the Mail application
• went through External links should request user confirmation #551 (comment) and ensured the above modal wasn't being displayed

Verification PASSED on iPad Air 3rd Gen running iOS 13.3 using 1.14 (19.11.22.15)

• ensured that navigating to mailto://[email protected] displayed the above modal
• ensured that selecting Don't Allow doesn't load Mail
• ensured that selecting Allow correctly opens the Mail application
• went through External links should request user confirmation #551 (comment) and ensured the above modal wasn't being displayed

Verification PASSED on iPad Mini 4 running iOS 12.4.1 using 1.14 (19.11.22.15)

• ensured that navigating to mailto://[email protected] displayed the above modal
• ensured that selecting Don't Allow doesn't load Mail
• ensured that selecting Allow correctly opens the Mail application
• went through External links should request user confirmation #551 (comment) and ensured the above modal wasn't being displayed

[anthonypkeane]

If the users presses Don't allow, what happens @kylehickinson

Will the user be prompted again next time they visit that site and perform the same action?

[kylehickinson]

@anthonypkeane They will continue to be prompted each time

[jumde]

@kylehickinson - can we use AlertPopupView instead of the regular modal. It seems phishable. I can open a follow up issue for that

[kylehickinson]

I mean, we could, however webpage alerts title's are always their origins as seen here:

brave-ios/Client/Frontend/Browser/BrowserPrompts.swift

Lines 138 to 144 in 89149ed

	private func titleForJavaScriptPanelInitiatedByFrame(_ frame: WKFrameInfo) -> String {
	var title = "\(frame.securityOrigin.`protocol`)://\(frame.securityOrigin.host)"
	if frame.securityOrigin.port != 0 {
	title += ":\(frame.securityOrigin.port)"
	}
	return title
	}

[srirambv]

@jumde we can add a new issue and mark it for next release unless its a high priority for the current one

[srirambv]

Verification passed on iPhone XR with iOS 13.2 running 1.14(19.11.22.15)

• Verified visiting mailto://[email protected] shows the confirmation message
  
• Verified clicking Allow swithces to Mail app and opens an email with the email [email protected]
• Verified clicking Don't Allow doesn't load the Mail app
• Verified test plan from External links should request user confirmation #551 (comment)

[kjozwiak]

If the users presses Don't allow, what happens @kylehickinson

As per @kylehickinson via #551 (comment), the modal goes away and the user is prompted again. Also went through those cases via #551 (comment).

@jumde as per #551 (comment), is this something we need to fix in this version or can it moved into the next release? We'll need to know ASAP so someone can start working on it. Can you create a new issue or would you like QA to do it?

[kjozwiak]

Talked to @jumde who mentioned using AlertPopupView instead of a regular modal isn't urgent and can be addressed in the next version. Created #2039 as a follow up and added it into https://github.com/brave/brave-ios/milestone/33.