Summary: The command, commonly used by desktop applications to open URLs in the default web browser, can bypass the SameSite=Strict cookie policy enforced by modern browsers. This occurs when a browser launches via and interprets the navigation as if the user manually typed the URL into the address bar, leading to the inclusion of SameSite=Strict cookies in the request.

Security Impact: This behavior allows Cross-Site Request Forgery (CSRF) attacks to succeed when an email client or messaging tool uses to open a link, whereas the same link clicked directly in the browser would not send SameSite=Strict cookies.

Recommendations:
1. Introduce an "untrusted" mode or flag in browser CLI tools for opening external URLs.
2. Extend to support passing this "untrusted" flag or context to the browser.
3. Modify desktop environments or applications to invoke with the "untrusted" option when appropriate.

Current Status: Major browser vendors have been notified and are aware of the issue. Discussions are ongoing to determine an appropriate solution.
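
A server-side check that does not rely on SameSite=Strict for the case described above, as an added example that is not part of the original report. It assumes the application issues a per-session CSRF token and that a navigation the browser treats as typed arrives with `Sec-Fetch-Site: none`; the function name, header name `X-CSRF-Token` and sample requests are hypothetical.

```python
import hmac

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

def allow_state_change(method, headers, session):
    """Decide whether a request may change state (hypothetical helper).

    `session` is the server-side session resolved from the cookie,
    or None when the browser did not send the cookie.
    """
    if session is None:
        return False, "no session cookie"
    # 1. A link can only produce a GET navigation: never mutate on safe methods.
    if method.upper() in SAFE_METHODS:
        return False, "state change on safe method"
    # 2. Fetch Metadata: when the header is present, require a same-origin initiator.
    #    (Policy choice for this example: "same-site" and "none" are rejected too.)
    site = headers.get("Sec-Fetch-Site")
    if site is not None and site != "same-origin":
        return False, f"Sec-Fetch-Site={site}"
    # 3. CSRF token bound to the session, compared in constant time.
    token = headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(token.encode(), session["csrf_token"].encode()):
        return False, "bad CSRF token"
    return True, "ok"

# Constructed sample data, not captured traffic.
SESSION = {"user": "alice", "csrf_token": "constructed-token-123"}
REQUESTS = {
    # Link clicked inside a page on another site: Strict cookie withheld.
    "in_browser_cross_site_link": ("GET", {"Sec-Fetch-Site": "cross-site"}, None),
    # Same link opened by a desktop application: Strict cookie is sent.
    # Assumption: the browser reports the navigation as user-initiated ("none").
    "external_app_link": ("GET", {"Sec-Fetch-Site": "none"}, SESSION),
    # Legitimate form submission from the application's own page.
    "same_origin_form": ("POST", {"Sec-Fetch-Site": "same-origin",
                                  "X-CSRF-Token": "constructed-token-123"}, SESSION),
}

def evaluate_all():
    return {name: allow_state_change(*req) for name, req in REQUESTS.items()}

if __name__ == "__main__":
    for name, (ok, reason) in evaluate_all().items():
        print(f"{name:28} allowed={ok} ({reason})")
```

The second sample request is the one the report is about: the session cookie is present, so the method check and the token check are what stop it.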