Deeplinks not being handled on HTTP redirects. OAuth2 protocol broken for Android apps.
When a user wants to link an Android app to an external service through the OAuth2 protocol, the external service asks the user to log in on a web browser and click somewhere to confirm the app is authorized to access their data (between steps 5 and 6 on the diagram).
To click somewhere usually translates into submitting a <form>, the response to which is an HTTP redirect whose Location is a URI using an Android deeplink scheme, like the following one:
HTTP/2 302 Found
cache-control: no-cache,no-cache, no-store
content-security-policy: sandbox
location: service-my_app_id://service_defined_string?oauth_token=oauth2code:&oauth_token_secret=BASE64_ENCODED_DATA&uid=0123456789&state=oauth2code%3ABASE64_ENCODED_DATA%3AS256%3Aparam1%20param2%20param3
referrer-policy: strict-origin-when-cross-origin
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-xss-protection: 1; mode=block
content-type: text/html; charset=utf-8
date: Day, 00 Mon 0000 00:00:00 GMT
server: envoy
strict-transport-security: max-age=31536000; includeSubDomains
content-encoding: gzip
vary: Accept-Encoding
X-Firefox-Spdy: h2
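As an added illustration (not code from this report, from Tor Browser or from the service in question), the following Python shows what the Android app on the receiving end of such a deeplink should verify before trusting the parameters it carries: that the scheme is the one the app registered, that the required parameters are present, and that the state echoes the value the app generated when it launched the browser. The Location value, the registered scheme and the stored state are constructed placeholders modelled on the header above. The URI is split by hand because urllib's urlsplit only recognises RFC 3986 scheme characters (letters, digits, '+', '-' and '.') and would not treat the underscore-containing placeholder scheme as a scheme at all.

```python
import hmac
from urllib.parse import parse_qs

# Constructed sample Location value, shaped like the one in the report
# (scheme, host and parameter values are placeholders, not real service data).
SAMPLE_LOCATION = (
    "service-my_app_id://service_defined_string"
    "?oauth_token=oauth2code:&oauth_token_secret=BASE64_ENCODED_DATA"
    "&uid=0123456789"
    "&state=oauth2code%3ABASE64_ENCODED_DATA%3AS256%3Aparam1%20param2%20param3"
)

# Hypothetical values the app would hold: the scheme it registered for its
# deeplink intent filter, and the exact state string it sent when it opened
# the browser (kept in app storage until the redirect comes back).
REGISTERED_SCHEME = "service-my_app_id"
STORED_STATE = "oauth2code:BASE64_ENCODED_DATA:S256:param1 param2 param3"

REQUIRED_PARAMS = ("oauth_token", "oauth_token_secret", "uid", "state")


def parse_deeplink(location):
    """Split a custom-scheme redirect URI into (scheme, authority, params).

    The split is done by hand rather than with urllib.parse.urlsplit because
    urlsplit only recognises RFC 3986 scheme characters (letters, digits,
    '+', '-', '.'); a scheme containing '_' would be returned as a path.
    """
    scheme, sep, rest = location.partition("://")
    if not sep or not scheme:
        raise ValueError("not a scheme://... URI")
    authority, _, query = rest.partition("?")
    # parse_qs percent-decodes the values ("%3A" -> ":", "%20" -> " ") and,
    # with strict_parsing, rejects fields that are not key=value pairs.
    params = parse_qs(query, keep_blank_values=True, strict_parsing=True)
    # A repeated 'state' or 'oauth_token' is ambiguous: refuse it outright.
    dupes = [k for k, v in params.items() if len(v) != 1]
    if dupes:
        raise ValueError(f"duplicated query parameters: {dupes}")
    return scheme, authority, {k: v[0] for k, v in params.items()}


def validate_redirect(location, registered_scheme=REGISTERED_SCHEME,
                      stored_state=STORED_STATE):
    """Return the authorization parameters if the redirect is acceptable, else raise.

    Checks a deeplink receiver should make before using the tokens:
    1. the scheme is exactly the one this app registered (schemes are
       case-insensitive per RFC 3986);
    2. every parameter the flow needs is present;
    3. the state echoes the value this app generated, compared in constant
       time, which ties the redirect to a flow this app actually started.
    """
    scheme, authority, params = parse_deeplink(location)
    if scheme.lower() != registered_scheme.lower():
        raise ValueError(f"unexpected scheme {scheme!r}")
    missing = [p for p in REQUIRED_PARAMS if p not in params]
    if missing:
        raise ValueError(f"missing parameters: {missing}")
    if not hmac.compare_digest(params["state"].encode(), stored_state.encode()):
        raise ValueError("state mismatch: redirect is not from a flow this app started")
    return {"authority": authority, **params}


if __name__ == "__main__":
    # Accepted: the sample matches the registered scheme and stored state.
    print(validate_redirect(SAMPLE_LOCATION))
    # Rejected: same URI but the state was not the one this app sent.
    try:
        validate_redirect(SAMPLE_LOCATION, stored_state="something-else")
    except ValueError as err:
        print("rejected:", err)
```

The decoding step matters in practice: the service percent-encodes the state in the Location header, so the receiver must compare the decoded value against what it stored, and it should do so with a constant-time comparison rather than `==`.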
This specific redirect works perfectly on Fennec F-Droid 95.2.0 (also based on Mozilla Fenix), and it used to work in older Android Tor Browser versions as well. However, when Tor Browser 10.5.10 (91.2.0-Release) receives that redirect it does absolutely nothing.
When the user pastes the URI into Tor Browser's address bar it works too, but that is completely unfeasible, as it would require them to extract HTTP headers from a mobile browser in the first place.