C# Open web page in default browser with post data
The Dropbox client does it the same ways as you mentioned in your EDIT. But it also does some obfuscation, i.e. it XORs the data with the hash submitted via the URL.
Here are the steps how Dropbox does it:
- in-app: Create a token that can be used to authorize at dropbox.com.
- in-app: Convert token to hex string (A).
- in-app: Create a secure random hex string (B) of the same length.
- in-app: Calculate C = A XOr B.
- in-app: Create temporary HTML file with the following functionality:
- A hidden input field which contains value B.
- A submit form with hidden input fields necessary for login to dropbox.com.
- A JS function that reads the hash from URI, XORs it with B and writes the result to the submit forms hidden fields.
- Delete hash from URI.
- Submit form.
- in-app: Open the temporary HTML file with the standard browser and add C as hash to the end of the URI.
Now if your browser opens the HTML file it calculates the auth token from the hidden input field and the hash in the URI and opens dropbox.com. And because of Point 5.4. you are not able to hit the back button in your browser to login again because the hash is gone.