14

I have a custom url protocol handler for urls of the form myhandler://path/to/something. This is registered to a locally installed client application that handles the requests and does "the right thing".

However, when I have a link of that form in Outlook (2007), Outlook displays a big scary warning that says:

Microsoft office has identified a potential security concern

This location may be unsafe ...

Hyperlinks can be harmful to your computer and data. To protect your computer, click only those hyperlinks from trusted sources.

Do you want to continue?

I am aware of the Outlook registry key that would enable me to disable these warnings entirely (http://support.microsoft.com/?kbid=925757), but I don't want to be a "bad citizen" on the machine.

Is there some way that I can "whitelist" my url protocol handler to indicate that I have done due security diligence without opening up access to other URL protocol handlers on the machine that might not be hardened to malicious user input?

Outlook does not prompt for URLs of the form http: https: mailto: (and perhaps others). Is this list hardcoded somewhere deep in the bowels of office or is there some way to add my specific protocol to the list?

zastrowm
StarBright

4 Answers

14

Looking at how to do this for Outlook 2013, I used @bmadtiger's answer to figure out the path for a registry key to trust a single protocol. For Outlook 2013, the Policies\Microsoft\Office\15.0\Common key does not exist by default, so you have to add it yourself.

So, to trust a single protocol, add the following key:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\{version}\Common\Security\Trusted Protocols\All Applications\{protocol}:

Where {version} is the internal version of Office and {protocol} is the protocol that you want to trust.

  • Office 2010 {version} is 14.0
  • Office 2013 {version} is 15.0
  • Office 2015 {version} is 16.0

For example, for Office 2013 and protocol ttstudio:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\ttstudio:

If you're looking for a registry file to do so, simply paste the following into a .reg file, changing {version} and {protocol} as necessary, and then execute said registry file:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\{version}\Common\Security\Trusted Protocols\All Applications\{protocol}:]
zastrowm
  • I'm sorry for necroing this, but isn't there always a group policy where you can set this stuff, when the regkey is located under \Software\Policies\? – Tom Mar 21 '17 at 10:48
  • 2
    Very helpful, thanks! Note that there isn't Office 2015, it's Office 2016. – Andre Aug 27 '18 at 10:04
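
The per-protocol registry key described in the answer above, as an added PowerShell example that is not the answerer's own code. It creates the key for one scheme only and lists which schemes are already trusted for the current user; the function names and the check that a handler is registered under HKEY_CLASSES_ROOT are assumptions of this example.

```powershell
# Added example; function names are hypothetical, not from the answer.
$TrustedPath = 'Software\Policies\Microsoft\Office\{0}\Common\Security\Trusted Protocols\All Applications'

function Add-OfficeTrustedProtocol {
    param(
        [Parameter(Mandatory)][ValidatePattern('^\d+\.\d+$')][string]$Version,
        [Parameter(Mandatory)][string]$Protocol
    )
    # Accept "ttstudio" or "ttstudio:"; the key name itself ends in a colon.
    $scheme = $Protocol.TrimEnd(':').ToLowerInvariant()
    # RFC 3986 scheme syntax: keeps backslashes and wildcards out of the key path.
    if ($scheme -notmatch '^[a-z][a-z0-9+.-]*$') {
        throw "Not a valid URL scheme: '$Protocol'"
    }
    # Extra check (assumption, not in the answer): only trust a scheme that is
    # registered as a URL protocol handler, i.e. HKCR\<scheme> has "URL Protocol".
    $handler = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey($scheme)
    if ($null -eq $handler -or $null -eq $handler.GetValue('URL Protocol')) {
        throw "No URL protocol handler is registered for '$scheme'"
    }
    $handler.Close()
    # The .NET registry API is used so the trailing colon in the key name
    # is taken literally.
    $path = ($TrustedPath -f $Version) + "\${scheme}:"
    $key = [Microsoft.Win32.Registry]::CurrentUser.CreateSubKey($path)
    $key.Close()
    "HKEY_CURRENT_USER\$path"
}

function Get-OfficeTrustedProtocol {
    # Audit: list every scheme trusted under HKCU, for each Office version present.
    $office = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\Policies\Microsoft\Office')
    if ($null -eq $office) { return }
    foreach ($ver in $office.GetSubKeyNames()) {
        $key = $office.OpenSubKey("$ver\Common\Security\Trusted Protocols\All Applications")
        if ($null -eq $key) { continue }
        foreach ($name in $key.GetSubKeyNames()) {
            [pscustomobject]@{ Version = $ver; Protocol = $name }
        }
        $key.Close()
    }
    $office.Close()
}

# Values from the answer's example: Office 2013 (15.0) and the ttstudio scheme.
# Add-OfficeTrustedProtocol -Version '15.0' -Protocol 'ttstudio'
Get-OfficeTrustedProtocol
```

Each trusted scheme hands link contents to its handler without the Office prompt, so the audit output is worth reviewing whenever a handler is added or removed.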
4

I recently had the same problem and could resolve it. The registry keys where you have to register your protocol handler are described in this kb article.

Note that it refers to a hotfix which needs to be installed, but for me it worked without installing anything. Maybe the hotfix was already distributed with the Windows Update service.

Zarat
  • As for installing the hotfix or not, I believe that it was included in Office 2007 SP3. The article on the hotfix says that SP1 or SP2 is a prerequisite. This worked for me without installing the hotfix. – kevinpo Feb 04 '13 at 14:04
2

Maybe it wasn't there to start with, but the link you quoted above (http://support.microsoft.com/?kbid=925757), now has the answer you were looking for - further down under the heading "How to enable or disable hyperlink warnings per protocol", which has similar information to Zarat's answer except that it is specific to both Office 2007 and 2010 and doesn't require the hotfix.

Also, as the registry keys indicate this works for ALL Office applications, not just Outlook.

Worked first time for me in Excel 2010

bmadtiger
1

Since you've got things squared for when the url is opened in a browser (but not Outlook), my work-around suggestion is:

Give people what they expect, a regular http url. Then have your server re-direct to the special url with the special handler. Or give them a file url and have the contents of the file be a Javascript re-direct to the real place.

I believe Apple does something similar in its references to iTunes-handled links such as http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=80028216

Added, this technique also enables you to show a splash page in the browser with instructions on what to do if your software has not been installed/configured yet on the local machine.

Larry K
  • I like the idea, but one of my requirements is to be able to operate when not connected to a network (the offline scenario). – StarBright Feb 11 '10 at 18:26
  • Re: offline: use the file:// handler to load a local html file with javascript in it to redirect to your custom handler – Larry K Feb 11 '10 at 22:37