Opening Upstream via links on the web

I think there are at least three potential issues:

  1. Custom protocol handlers are by design a loophole to escape the browser sandbox.

    There are many ways to exploit them, ranging from buffer overruns in parameter handling, through remote code execution when the parameters are not properly escaped, to simple DoS because the receiving application is overwhelmed with requests. Yes, maybe one can implement this correctly, and yes, I can also choose not to install the handler (which I would). It’s just that the flows for installing one are typically such that users aren’t made aware that they’re making a very fundamental trust decision.

  2. A redirecting web service is an excellent and cheap opportunity to sneak in some tracking.

    Sure, we’re the good people, so we would even turn off request logging (we would, right? right?), so it’s perhaps a little more obvious to folks that they’re making a decision to trust the domain of said service. Since we’re all about OSS and alternative implementations, how do you teach people that they should really not trust any other domain?

  3. Any webpage can send a custom-protocol redirect (composes with 1.).

    Ya, well, just make the browser ask me every time. But oh well, convenience…

2 Likes
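As an added illustration of what "implementing this correctly" looks like for point 1 (this is example code, not part of the post above and not Upstream's own handler), the block below shows the receiving side of a custom protocol handler: it treats the URL the browser hands it as untrusted input, enforces a length cap, allowlists the scheme, the action and every query parameter, rejects anything that does not match a tight character set, and builds an argv list rather than a shell string so nothing in the parameters can be interpreted by a shell. A small sliding-window rate limiter covers the DoS case. The `upstream://open?repo=...&ref=...` scheme, the parameter names and the `upstream-cli` binary are assumptions made up for the example.

```python
"""Defensive handling of a custom-scheme URL passed to a desktop app by the browser.

Added example, not code from Upstream or from the forum post. The scheme
`upstream://open?repo=...&ref=...`, the allowed keys and the `upstream-cli`
command are hypothetical.
"""
import re
from collections import deque
from urllib.parse import parse_qsl, urlsplit

# Assumed scheme, actions and parameters (not from the page).
ALLOWED_SCHEME = "upstream"
ALLOWED_ACTIONS = {"open"}              # the "host" part names the action
ALLOWED_KEYS = {                        # key -> pattern the decoded value must fully match
    "repo": re.compile(r"[A-Za-z0-9._/-]{1,200}"),
    "ref": re.compile(r"[A-Za-z0-9._/-]{1,100}"),
}
REQUIRED_KEYS = {"repo"}
MAX_URL_LEN = 2048                      # hard cap before any parsing happens


class RejectedUrl(ValueError):
    """Raised for any URL the handler refuses to act on."""


def parse_handler_url(url: str) -> dict:
    """Validate a handler URL and return {'action': ..., <allowed keys>...}.

    Everything not explicitly allowlisted is rejected, including unknown or
    duplicated parameters, blank values and any character outside the pattern.
    """
    if len(url) > MAX_URL_LEN:
        raise RejectedUrl("url too long")
    parts = urlsplit(url)
    if parts.scheme.lower() != ALLOWED_SCHEME:
        raise RejectedUrl("unexpected scheme")
    if parts.netloc not in ALLOWED_ACTIONS:
        raise RejectedUrl("unknown action")
    if parts.path not in ("", "/") or parts.fragment:
        raise RejectedUrl("unexpected path or fragment")
    try:
        # strict_parsing rejects malformed fields; max_num_fields caps the count.
        pairs = parse_qsl(parts.query, keep_blank_values=True,
                          strict_parsing=True, max_num_fields=len(ALLOWED_KEYS))
    except ValueError as exc:
        raise RejectedUrl(f"malformed query: {exc}") from None
    params: dict = {}
    for key, value in pairs:
        if key in params:
            raise RejectedUrl(f"duplicate parameter {key!r}")
        pattern = ALLOWED_KEYS.get(key)
        if pattern is None:
            raise RejectedUrl(f"unknown parameter {key!r}")
        if not pattern.fullmatch(value):     # checked after percent-decoding
            raise RejectedUrl(f"bad value for {key!r}")
        params[key] = value
    missing = REQUIRED_KEYS - params.keys()
    if missing:
        raise RejectedUrl(f"missing parameter(s) {sorted(missing)}")
    return {"action": parts.netloc, **params}


def build_argv(request: dict) -> list:
    """Turn a validated request into an argv list for subprocess.run(argv).

    A list, never a joined shell string, so shell metacharacters in values are
    inert even if the allowlist above were ever loosened.
    """
    argv = ["upstream-cli", request["action"], "--repo", request["repo"]]  # hypothetical CLI
    if "ref" in request:
        argv += ["--ref", request["ref"]]
    return argv


class RateLimiter:
    """Sliding-window limiter: refuses bursts of handler invocations."""

    def __init__(self, max_events: int, window_s: float):
        self.max_events = max_events
        self.window_s = window_s
        self._times: deque = deque()

    def allow(self, now: float) -> bool:
        # Drop timestamps that have left the window, then check the count.
        while self._times and now - self._times[0] >= self.window_s:
            self._times.popleft()
        if len(self._times) >= self.max_events:
            return False
        self._times.append(now)
        return True


if __name__ == "__main__":
    limiter = RateLimiter(max_events=5, window_s=10.0)
    for candidate in ("upstream://open?repo=foo/bar&ref=v1.0",
                      "upstream://open?repo=foo%24%28x%29",
                      "http://open?repo=x"):
        try:
            print(build_argv(parse_handler_url(candidate)))
        except RejectedUrl as exc:
            print(f"rejected {candidate!r}: {exc}")
```

The point of the structure is that the handler never trusts a single field: the validated dictionary is the only thing that reaches `build_argv`, and the time-based `allow` check can be placed in front of `parse_handler_url` so a flood of redirects is dropped before any work is done.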