Disabling the url popups is confusing and a security threat / Your browser is being managed by your organization

[ts-korhonen]

I was surprised to find that all my browsers are "managed by my organization" on my home computer not connected to any domain. Looking into it I found it's caused by a policy to skip a security feature (popup) on Weasis protocol URLs.

This is concerning for many reasons:

• The popup is a security feature to protect the user. If a vulnerability was found in Weasis, a malicious party could utilize it without the user noticing. The popup would at least alert the user if a malicious site wanted to open something in Weasis.
• It's abusing a feature that is meant for enterprises and other organizations to control what sites are blocked and allowed for users.
• The entry with hard-coded name "787" could very well override an existing entry with unknown consequences.
• The installer does something unexpected by modifying other products (Edge, Chrome, Firefox, ...) registry entries which is not common practice.
• It's not communicated to the user that this is happening and that they should expect to see a warning in their browser settings. The warning is not at all obvious since a feature meant for organization policies is instead used by a software they installed. This has already caused confusion and misdirected error reports as pointed out in a comment that was seemingly ignored due to a technicality.

Warning on Firefox:

Warnings on Chrome:

I don't think the popup is that much of a problem and it seems that no other common application does this kind of thing - maybe Weasis shouldn't neither?

[nroduit]

Thanks for the detailed report — you’re absolutely right to flag this. The registry and policy changes you’ve observed were originally introduced as a workaround for issues in certain deployment environments. They were intended to address a specific use case but may no longer be necessary for standard, single-user installations. As you noted, they also introduce some unwanted side effects and security/UX concerns.

At the moment, we’re in an inconsistent state: some builds include the policy modification, while others don’t. That inconsistency is confusing and not acceptable. We should standardize our deployments by removing policy management from the default installer flow and instead provide an official enterprise deployment guide (GPO/MDM configuration) for administrators who need those settings.