Solved URL Shortcut dragged to desktop is blocked by default

joeduffus

We should probably continue this discussion on that other thread (which I created!) to avoid clogging this one.

DoctorG

@joeduffus
Dev said:

It's definitively not as easy as to just add a \n at the end of the url.

DoctorG

@joeduffus Then report the first post by 3-dots-button to be split by a mod.

joeduffus

@DoctorG Hmm.

Yet, if I manually edit the file on my desktop, replacing the LF line ending on the first line of the file and adding a carriage return linefeed character pair to the end of the url itself and save the file, it opens without a problem in Vivaldi.

DoctorG

@joeduffus Yes, i know this and such change helps.
I wanted to communicate what the dev had said.

joeduffus

I appreciate that. Thank you. As they say, it always seems easy to the man who doesn't have to do it himself.

For myself, I found on here somewhere a little batch file that finds all the .url files in the desktop folder and tics off the security flag and I run that periodically. That, too, fixes the problem. But it still seems like it should be addressed.

DoctorG

@joeduffus said in URL Shortcut dragged to desktop is blocked by default:

For myself, I found on here somewhere a little batch file that finds all the .url files in the desktop folder and tics off the security flag and I run that periodically. That, too, fixes the problem.

Would be kind to share the batch file!
Please post the code in </> button here.

Pathduck

@joeduffus It's true and a bit strange that Vivaldi for some reason saves .url files in Unix format (LF) while other browser saves in Windows format (CR/LF), and Vivaldi should probably change that.

For me both Unix and Windows format .url files open just fine in Vivaldi and no warning. In fact I can't remember to have ever seen that warning dialog since the Win7 days. Or maybe it's some sort of enhanced security policy setting, possibly for corporate environments? What is your OS?

Another strange thing is the Name and Type in the dialog. It says "Unknown File Type" while such a file should be "Internet Shortcut (.url)". Is the file extension actually .url for that file? If there is no extension (ending with _url) then at least that would explain the Type message.

Mine look like this when saved:

I don't get the warning myself so I can't check if the missing file Type is just some quirk of the dialog or not.

joeduffus

@DoctorG This is the batch file:

@echo on
for %%a in (*.url) do call :fixit "%%a"
goto :eof

:fixit
set b="%~n1.bak"
copy %1 %b%
type %b% > %1
del /q %b% >NUL
goto :eof

joeduffus

@Pathduck I am running Win10 Home edition, patched and updated fully.

Edition Windows 10 Home
Version 21H2
Installed on ‎8/‎11/‎2020
OS build 19044.1741
Experience Windows Feature Experience Pack 120.2212.4180.0

The issue from Vivaldi is that the "Unblock" option on the General tab must be ticked for the shortcut to open without the challenge. The batch file I just posted will, after it is run, remove that security section (beneath "Attributes") completely from the General tab.

Either approach will work -- editing the actual .URL file to add the CR/LF characters to both lines of the file or unblocking the shortcut through the batch file or manually editing the properties. But ther proof of the pudding for me is that these steps only need to be done when the .URL file was created from Vivaldi, and not when done by another Chromium browser running on the same computer.

iAN CooG

@joeduffus yep cough it's me who did it cough
from here https://forum.vivaldi.net/topic/65993/can-t-open-url-files/7

Pathduck

@joeduffus I don't have that "Security" part in the properties for saved .url files at all.

A quick web search indicates this is probably set by Policy, including "NTFS alternate stream" data in files to mark them as "insecure". Not sure if it detects the difference between Unix/Windows format text files as well to mark "insecure".
https://www.thewindowsclub.com/file-came-from-another-computer-and-blocked
https://weblogs.asp.net/dixin/understanding-the-internet-file-blocking-and-unblocking

Apparently, the cmd file you have does a type of the file which strips out the alternate data stream.

A question because I'm curious:

• If you open the converted file in a good text editor does it show with CRLF line endings or is it still just LF?

Anyway, this does not change the fact that Vivaldi should save .url files like other browsers and save in the correct format for .url files (CRLF).

joeduffus

@Pathduck said in URL Shortcut dragged to desktop is blocked by default:

If you open the converted file in a good text editor does it show with CRLF line endings or is it still just LF?

It shows with a LF character at the end of the first line and nothing after the end of the URL on the second line. I use Notepad++ for things like this, and it has a conversion option to do that automatically, but I have that feature disabled.

joeduffus

@iAN-CooG Well thank you for that! Works great.

Pathduck

@joeduffus

It shows with a LF character at the end of the first line and nothing after the end of the URL on the second line.

I think this shows that whether the file uses CRLF or LF line endings is not the problem. The problem is Vivaldi for some reason inserting NTFS Alternate Data Stream data into the file. While other browsers do not... ?

A little more investigation into ADS, 'cause once I get started...

You can use dir /r to find if a file contains ADS:

04.06.2022  00:37               114 test2.url
                                 26 test2.url:Zone.Identifier:$DATA

I was able to recreate the same by adding Zone.Identifier data to the file in Powershell:

> Set-Content -Path .\test2.url -Stream Zone.Identifier -Value '[ZoneTransfer]','ZoneId=3'

> Get-Content -Path .\test2.url -stream Zone.Identifier
[ZoneTransfer]
ZoneId=3

ZoneId=3 means the "Internet" security zone and marks the file as "downloaded" and "insecure".
Source: https://superuser.com/questions/1342990/how-can-i-make-windows-think-a-file-came-from-another-computer

But again, none of my browsers here insert ADS data into url files, and no idea why only Vivaldi on your system seems to do it. If controlled by GPO it should be all browsers doing this.

joeduffus

@Pathduck said in URL Shortcut dragged to desktop is blocked by default:

But again, none of my browsers here insert ADS data into url files, and no idea why only Vivaldi on your system seems to do it. If controlled by GPO it should be all browsers doing this.

And that's why I've concluded it's a Vivaldi issue, rather than a Windows security setting Vivaldi is simply a victim of. I have Chrome, Edge, Edge (DEV), and Brave installed on the same machine and none of them has this problem with a dragged shortcut file.

Pathduck

@joeduffus Are you able to check if url files saved from other browsers contain ADS data? Using the dir /r or PS Get-Content examples I posted?

Also, are you able to check in GPEdit:
User Configuration > Administrative Templates > Windows Components > Attachment Manager
What the "Do not preserve zone information in file attachments" policy is set to?

Mine is set "Not Configured" which should mean the default is to not save zone info in downloads.

joeduffus

@Pathduck I created the shortcuts from Chrome, Edge(DEV), Brave, and Vivaldi, then copied them into a new folder on my desktop and ran the dir /r command.

Pathduck

@joeduffus OK so Vivaldi is the only one saving url files with ADS data. Really strange.

Have you set any Group Policies for Vivaldi? In Regedit, check:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies

If you open chrome://settings do you see a heading of "Your browser is managed by your organization"?

PS you know win CMD is just plain text right, you don't need to make an image, you can just copy the relevant text output and paste it

joeduffus

@Pathduck

1. Checked registry, and no, there's no entry for Vivaldi.
2. No. I do see that in Edge, but not Vivaldi. I think it relates to my anti-virus software (Webroot).
3. Yeah, I know, but pasting screen screen snips is more eye-catching.