Add security faq around external intents
Mainly this links to the real documentation, but this should
make it easier for reporters and shepherds to find this
information.
Bug: N/A
Change-Id: I57fca75c2a837d3bfff3aa27e60ceea836a3b3a1
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6013700
Reviewed-by: Will Harris <[email protected]>
Commit-Queue: Alex Gough <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1381443}
diff --git a/docs/security/faq.md b/docs/security/faq.md
index c90cd04b..6a86296 100644
--- a/docs/security/faq.md
+++ b/docs/security/faq.md
@@ -467,6 +467,14 @@
Other cases covered by this section include leaving a debugger port open to
the world, remote shells, and so forth.
+<a name="TOC-If-a-website-can-open-an-android-app-via-an-intent"></a>
+### If a website can open an Android app via an intent is this a security bug?
+
+No - websites can link to external handlers or applications - but there are
+restrictions around requiring a user gesture and the type of intent that can
+be launched. Full details are available in the
+[external_intents](../../components/external_intents/README.md) documentation.
+
<a name="TOC-Does-entering-JavaScript:-URLs-in-the-URL-bar-or-running-script-in-the-developer-tools-mean-there-s-an-XSS-vulnerability-"></a>
### Does entering JavaScript: URLs in the URL bar or running script in the developer tools mean there's an XSS vulnerability?
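
Review bot: The new answer beginning "No - websites can link to external handlers" names the restrictions (user gesture, type of intent) but never says how a report that gets around them is treated, which is the case reporters and shepherds are most likely to need settled. Consider adding one sentence stating whether launching an intent without a user gesture, or launching a type that the external_intents documentation disallows, should be filed as a security bug, so the entry gives a triage answer without a second lookup. Minor style point on the heading line: "via an intent is this a security bug?" reads better with a comma after "intent".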