Hey, we had some discussion in the channel, one thing that IMHO should be allowed (and @jdstrand was kinda agreeing from a security point of view) was to use the (trusted) filemanager as if it’s the browser, then leaving to the user the choice weather to open or not a file.
My idea was to apply this to just file:// where the pointed path is a directory, as it does firefox when you ask to open the container folder or Telegram too.
However, I think we could just expand this role by using the org.freedesktop.FileManager1 interface to all the files.
So basically when a file:///any/path/to/file.ext is sent to xdg-open we can just call the Filemanager’s ShowFolders method: if the pointed file is a folder, it will be just opened for browsing. If it’s a regular file, the containing folder will be opened and the file only selected. So, the snap itself won’t have any power to launch anything else.
The only thing that will happen is a dbus call, that might eventually open the filemanager implementing that interface (say nautilus).
So something like for a dir:
gdbus call --session --dest org.freedesktop.FileManager1 \
--object-path /org/freedesktop/FileManager1 \
--method org.freedesktop.FileManager1.ShowFolders \
"[\"file://$(xdg-user-dir PICTURES)\"]" ""
And this how it works for a file:
gdbus call --session --dest org.freedesktop.FileManager1 \
--object-path /org/freedesktop/FileManager1 \
--method org.freedesktop.FileManager1.ShowFolders \
'["file:///var/lib/snapd/state.json"]' ""
And this will work without portals, even for apps that won’t use it.