Url protocol handler security warnings

StarBright picture StarBright · Feb 11, 2010 · Viewed 8.9k times · Source

I have a custom url protocol handler for urls of the form myhandler://path/to/something. This is registered to a locally installed client application that handles the requests and does "the right thing".

However, when I have a link of that form in outlook (2007), outlook displays a big scary warning that says:

Microsoft office has identified a potential security concern

This location may be unsafe ...

Hyperlinks can be harmful to your computer and data. To protect your computer, click only those hyperlinks from trusted sources.

Do you want to continue?

I am aware of the outlook registry key that would enable me to disable these warnings entirely (http://support.microsoft.com/?kbid=925757), but I don't want to be a "bad citizen" on the machine.

Is there some way that I can "whitelist" my url protocol handler to indicate that I have done due security diligence without opening up access to other URL protocol handlers on the machine that might not be hardened to malicious user input?

Outlook does not prompt for URLs of the form http: https: mailto: (and perhaps others). Is this list hardcoded somewhere deep in the bowels of office or is there some way to add my specific protocol to the list?

Answer

zastrowm picture zastrowm · Jan 7, 2016

Looking at how to do this for Outlook 2013, I used @bmadtiger's answer to figure out the path for a registry key to trust a single protocol. For Outlook 2013, the Policies\Microsoft\Office\15.0\Common key does not exist by default, so you have to add it yourself.

So, to trust a single protocol, add the following key:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\{version}\Common\Security\Trusted Protocols\All Applications\{protocol}:

Where {version} is the internal version of office and {protocol} is the protocol that you want to trust.

  • Office 2010 {version} is 14.0
  • Office 2013 {version} is 15.0
  • Office 2015 {version} is 16.0

For example, for Office 2013 and protocol ttstudio:

KEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols\All Applications\ttstudio:

If you're looking for a registry file to do so, simply paste the following into a .reg file, changing {version} and {protocol} as necessary, and then execute said registry file:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\{version}\Common\Security\Trusted Protocols\All Applications\{protocol}:]