Thank you for helping us improve the quality of Unity Documentation. Although we cannot accept all submissions, we do read each suggested change from our users and will make updates where applicable.Close
For some reason your suggested change could not be submitted. Please <a>try again</a> in a few minutes. And thank you for taking the time to help us improve the quality of Unity Documentation.Close
Opens the URL specified, subject to the permissions and limitations of your app’s current platform and environment. This is handled in different ways depending on the nature of the URL, and with different security restrictions, depending on the runtime platform.
Note: This method can be used to open more than just web pages, so it has important security implications you must be aware of.
Most commonly, this method is used to open HTTP (web page) URLs. If you provide a web page address as the parameter for this method, the web page is opened in the default browser. It will also bring the browser application to the front.
As well as the HTTP protocol used for web page addresses, there are other types of protocol that you can use in a URL such as file transfer (FTP), email (mailto), database access (JDBC), as well as many others which may be specific to certain platforms. On some platforms you can use OpenURL in Unity to do many different types of task.
For this reason, the OpenURL command can be unexpectedly powerful. On some platforms it is able to open local files, run commands, or open connections over any protocol that the platform and security sandbox supports.
The OpenURL method runs with the same permissions as your app itself. For example if your app is running as a WebGL player in a desktop web browser, it will not be able to access local files on the machine, because the WebGL platform itself runs inside a security sandbox which prevents that. If you are targeting other platforms such as standalone EXE app, your app runs with fewer security restrictions and no security sandbox, so this method is more powerful.
Therefore, you must be extremely careful that you do not provide a string to this function which could possibly be maliciously crafted or modified by a 3rd party.
On standalone platforms, you should consider this method to have similar security implications as an eval type function, present in many other programming languages.
If your app uses OpenURL to open URL strings which come from a 3rd party, or which are put together using any user-supplied data, the user-supplied data should be considered untrusted and may be used to run arbitrary code under the same permissions of your app itself.
Did you find this page useful? Please give it a rating: