|url||The URL to open.|
Opens the URL specified, subject to the permissions and limitations of your app’s current platform and environment. This is handled in different ways depending on the nature of the URL, and with different security restrictions, depending on the runtime platform.
Note: This method can be used to open more than just web pages, so it has important security implications you must be aware of.
Most commonly, this method is used to open HTTP (web page) URLs. If you provide a web page address as the parameter for this method, the web page is opened in the default browser. It will also bring the browser application to the front.
As well as the HTTP protocol used for web page addresses, there are other types of protocol that you can use in a URL such as file transfer (FTP), email (mailto), database access (JDBC), as well as many others which may be specific to certain platforms. On some platforms you can use OpenURL in Unity to do many different types of task.
For this reason, the OpenURL command can be unexpectedly powerful. On some platforms it is able to open local files, run commands, or open connections over any protocol that the platform and security sandbox supports.
The OpenURL method runs with the same permissions as your app itself. For example if your app is running as a WebGL player in a desktop web browser, it will not be able to access local files on the machine, because the WebGL platform itself runs inside a security sandbox which prevents that. If you are targeting other platforms such as standalone EXE app, your app runs with fewer security restrictions and no security sandbox, so this method is more powerful.
Therefore, you must be extremely careful that you do not provide a string to this function which could possibly be maliciously crafted or modified by a 3rd party.
On standalone platforms, you should consider this method to have similar security implications as an eval type function, present in many other programming languages.
If your app uses OpenURL to open URL strings which come from a 3rd party, or which are put together using any user-supplied data, the user-supplied data should be considered untrusted and may be used to run arbitrary code under the same permissions of your app itself. You must sanitise the untrusted data and validate that it is the expected input for your application.
Android: Due security changes in Android 7.0 (More information), Application.OpenURL can no longer be used for opening local app files, you need to use FileProvider which allows you to share files with other applications.
iOS: Application.OpenURL cannot be used for opening local files.