@rschnekenbu "secondary window" has a technical meaning in Theia. From the the context, I suspect you mean a "new Theia window"?

@rschnekenbu it's not clear to me what is actually happening. Do you have steps to reproduce?

Because if I type a https link in an editor (https://github.com) and ctrl-click it, opens in the browser.

Hi @tsmaeder,

Within Electron apps, external links are best opened in the system's browser instead of another Electron window. See for example this code which is necessary just to open a link outside of Electron: https://github.com/eclipse-theia/theia-blueprint/blob/bfa92d03e9bf6f572e4410066e856883df5b011f/theia-extensions/product/src/browser/branding-util.tsx#L20-L33

If one renders a normal <a href to some domain, Theia by default will open another Electron window and render it there. It's usually not recommended to do that as the user could navigate to any page then and might visit or be lead to malicious sites which could exploit the "older" Electron Browser.

Typically Electron apps are configured so that any link opens the system's browser and only selected whitelisted ones are allowed to be opened in another Electron window.

I'm just not very sure this is a good idea: I know VS Code does it here, but on the other hand, the electron security doc explicitly warns against it. Enabling opening random links sounds like handing the adopters a big gun to shoot themselves in the foot with. @msujew any input on this one?

@tsmaeder IMO it would be fine to at least open this up to open all http(s) links via the OS's shell. Maybe show a warning for everything else? I.e. "the application has requested to open <url>. Are you sure you want to open this link using your operating system?". Looking at some of the other Electron software I have on my PC, it seems like everyone just disregards the Electron security advice (especially Microsoft, which is the largest contributor to Electron). MS Teams, VS Code, Slack, etc all just open http links in the browser without hesitation.