when launching published content from receiver 4.6 onward versions, we get error :"Only Http and Https Urls can be opened".

Caution! Using Registry Editor incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

Create registry key on the client machine :

For unsafe URLs, you can only open it by applying one of the following settings:

1. Registry key PATH: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Dazzle NAME: PublishUnsafeContent VALUE: true, Reg Type : REG_SZ, and

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\Dazzle NAME: PublishUnsafeContent VALUE: true, Reg Type : REG_SZ

OR


2. Group policy Citrix Receiver > SelfService > Allow/Prevents user to publish unsafe content and run gpupdate /force.
3. Restart receiver.

---

Problem Cause

Remote Code Execution through published content .
 
A malicious Storefront can publish arbitrary URLs as published content.  Published content appears as an icon in RfWeb and is indistinguishable from any other item.



RfWin implements this feature via a shellexecute call - allowing a malicious storefront to run arbitrary code on the client without prompts or policy control; it can even supply a UNC path and RfWin will use AuthManager to auth

On launching an application published as a URL (Content) coming from XA 6.5 through receiver 4.6 and 4.7 getting error " Unable to open the Url :C:\Program Files (x86) [.....] Only Http and Https Urls can be opened."