R3 Specification

The x-callback-url specification has been updated to R3, with the addition of a brief section on security concerns. Recommending security methods is beyond the scope of the specification, but I thought it was a good idea to encourage developers to at least consider the security implications of adding URL scheme actions to their apps.

URLs are inherently anonymous and subject to attacks using maliciously constructed URLs placed in emails, web pages, etc., and your apps should be ready for that possibility.

Comments on improving this section are welcome.
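As an added illustration of treating incoming URLs as untrusted (this code is not part of the specification or of any project mentioned here), a receiving app could validate an x-callback-url before acting on it. The scheme `myapp`, the action table, the trusted scheme `sourceapp` and all type and function names are assumptions made for the example.

```swift
import Foundation

let ownScheme = "myapp"                                     // assumed: this app's registered scheme
let confirmBeforeRunning = ["open": false, "delete": true]  // assumed: allowed action -> ask user first
let trustedCallbackSchemes: Set<String> = ["sourceapp"]     // assumed: apps we agree to return to
let callbackKeys: Set<String> = ["x-success", "x-error", "x-cancel"]

enum CallbackURLError: Error {
    case malformed, wrongScheme, wrongHost, unknownAction
    case duplicateParameter(String), untrustedCallback(String)
}
struct CallbackRequest {
    let action: String
    let needsConfirmation: Bool
    var parameters: [String: String] = [:]
    var callbacks: [String: URL] = [:]
}

func validate(_ text: String) throws -> CallbackRequest {
    guard let parts = URLComponents(string: text) else { throw CallbackURLError.malformed }
    guard parts.scheme?.lowercased() == ownScheme else { throw CallbackURLError.wrongScheme }
    guard parts.host?.lowercased() == "x-callback-url" else { throw CallbackURLError.wrongHost }
    let action = String(parts.path.dropFirst())  // "/delete" -> "delete"
    guard let confirm = confirmBeforeRunning[action] else { throw CallbackURLError.unknownAction }
    var request = CallbackRequest(action: action, needsConfirmation: confirm)
    for item in parts.queryItems ?? [] {
        // A repeated name lets two parsers disagree on which value counts, so reject it.
        guard request.parameters[item.name] == nil, request.callbacks[item.name] == nil else {
            throw CallbackURLError.duplicateParameter(item.name)
        }
        if !callbackKeys.contains(item.name) {
            request.parameters[item.name] = item.value ?? ""
        } else if let target = URL(string: item.value ?? ""),
                  let scheme = target.scheme?.lowercased(), trustedCallbackSchemes.contains(scheme) {
            request.callbacks[item.name] = target  // only hand control back to trusted schemes
        } else {
            throw CallbackURLError.untrustedCallback(item.name)
        }
    }
    return request
}

// Constructed samples: a cancel callback to a trusted scheme, then a callback to an untrusted one.
for sample in ["myapp://x-callback-url/delete?id=7&x-cancel=sourceapp://x-callback-url/cancelled",
               "myapp://x-callback-url/delete?id=7&x-success=https://example.invalid/"] {
    do { let r = try validate(sample); print("accept", r.action, "confirm first:", r.needsConfirmation) }
    catch { print("reject", error) }
}
```

Because the URL says nothing reliable about who sent it, the `needsConfirmation` flag is there so the app can ask the user before running a destructive action.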


The xk-protocol is a new extension to x-callback-url built by Ben Slotznick and Stephen Sheetz at Point-and-Read. xk-protocol builds on x-callback-url with additional parameters to specify named pasteboards, and to target multiple interaction types in other apps.

xk-protocol is informed by Ben and Stephen’s work with Assistive Technologies and looks like a great project. Looking forward to seeing it in action!

x-callback-url spec, R2 – new “x-cancel” parameter

We’ve gotten feedback that there are use cases for x-callback-url where the user is given the option to “cancel” the requested operation. Previous versions of the spec offered only parameters for success and error, so we added the “x-cancel” parameter to the spec to support the case where the user wants to cancel and be returned to the source app. See the spec for details.

x-callback-url DRAFT, revision 1

Revision 1 of the x-callback-url draft is now posted.  Only a minor change, removing the “version” parameter from the URL path.  It was pointed out that having the version in the path served little purpose since a calling app had no way to determine which versions were or were not supported by a target app.

We now recommend that if your x-callback-url API requires versioning, it be done by registering a different URL scheme with iOS for each version and handling that internally. The example app on GitHub has been updated to reflect the change as well.