URL Scheme Security
Greg Pierce, the developer behind Drafts and the man behind the X-Callback URL specification:
As a creator and advocate of x-callback-URL, security implications have been something I’ve thought about and tried to draw attention to in talks I’ve done on the topic. In the zeal to encourage adoption I may not have done a good job of reminding other developers to keep security in mind planning their URL schemes.
I’ve always been impressed with Greg’s implementation in Drafts. It’s the only app with a setting to allow the URL scheme to trigger actions and it’s off by default.
Don’t skip Guillaume’s original piece.