the content vista returns when parental controls is enabled has an url that we do not support (wpc://request/?id=xxxx,url=xxxx). Need to figure out if we should "enable" this protocol so that there isn't any firefox dialog when the url is clicked on. Right now, if you click on this url, we get a external protocol dialog.

on vista, we probably should add: pref("network.protocol-handler.external.wpc", true); This has to be a runtime addition, i think -- unless we think it is safe to open this up on all versions of windows. Alternatively, we do nothing and the user will get a dialog when clicking on this sort of URL in the parental controls UI. Thoughts?

IE7 on vista honors this url scheme from remote content... not sure why.

Is this intended for 2.0.0.2?

Would the IE Tab extension, basically embedding IE in Firefox, resolve this?

Dan, this yields the same behavior as ie7 on vista. Basically, webcontent can create a wpc url. I am not sure we ever want to allow that... yet IE7 allows it.

dveditz: Do we want to take this for the upcoming release? If so, let's get this landed soon. If not, we should minus this as a blocker.

I'm leaning toward leaving this out just so we're not exposed to any untested security holes in this new Vista feature. Users who actually use it can simply click "OK" on the confirmation dialog and even set it to not ask in the future (what this patch would make the default), and users who don't use the feature have a smaller attack surface.

When I was testing this today, I think the user experience is really bad (Most users won't understand all that gobbledygook), but I defer to dveditz's judgment concerning the security implications of trying to fix this.

Removing blocking flag, but leaving wanted so we can consider this for the next release.

Comment on attachment 251227 [details] [diff] [review] allows wpc urls without warning. r-, this doesn't seem to help without also setting the corresponding warn-external pref. In fact, you don't need to set "external" to true since true is the default, you'd set that to false if you never wanted to run the external program. Otherwise I guess I'm OK with this approach. If there's an exploitable flaw in the wpc:// scheme it's a MS Vista flaw.

Comment on attachment 251227 [details] [diff] [review] allows wpc urls without warning. odd. this seam to work for me. Maybe the profile at the time had the pref you stated... but i am pretty sure I tested with a clean FF2 profile.

Comment on attachment 251227 [details] [diff] [review] allows wpc urls without warning. oh... s/external/warn-external

Note the behavior has changed here since the content handling has been reworked. There's a bug with this where if you choose always remember, it forgets and asks you again the next time. Still not a very good user experience due to the weird app description.