rjackson
reply to sporkme
Re: Widget Security

Yeah, widgets can be debugged/run in Safari but they won't have their full capabilities. The widget object is specific to Dashboard and as such none of its methods or properties are valid in Safari, so they wouldn't work anyways. That includes widget.system() for executing system commands.

Testing if window.widget exists is just a matter of good programming practices, there's no reason to execute code if you know it's going to fail or produce unexpected results.


bobrk
So it's sort of up to the Dashboard to do security duties?
--
bobrk


rjackson
said by bobrk:

So it's sort of up to the Dashboard to do security duties?
No, It's Up To You™. Some people might think it's unfair but you shouldn't trust a widget you downloaded any more than you would trust a shell script, Automator workflow, or AppleScript. The good news is it's fairly easy to audit a widget simply because they're scripts, rather than a binary that isn't very human-readable.
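
An added example, not part of the post above and not Apple's or any widget author's code: a small Node.js audit pass over a widget's Info.plist and script, reporting which Dashboard access keys it declares, where it calls widget.system(), and whether it tests for window.widget at all. The function names (declaredAccess, scanScript, auditWidget) are hypothetical and the sample widget is constructed for illustration.

```javascript
// Access keys a widget sets in Info.plist to request capabilities from Dashboard.
const ACCESS_KEYS = [
  'AllowSystem',                    // needed before widget.system() is available
  'AllowNetworkAccess',
  'AllowFileAccessOutsideOfWidget',
  'AllowInternetPlugins',
  'AllowJava',
  'AllowFullAccess',
];

// Return the access keys that are set to <true/> in an XML Info.plist string.
function declaredAccess(plistXml) {
  return ACCESS_KEYS.filter((key) =>
    new RegExp(`<key>\\s*${key}\\s*</key>\\s*<true\\s*/>`).test(plistXml));
}

// List each direct widget.system( call with its line number, and note whether
// the script ever refers to window.widget (the existence test discussed above).
function scanScript(source) {
  const calls = [];
  source.split('\n').forEach((text, i) => {
    if (/\bwidget\s*\.\s*system\s*\(/.test(text)) calls.push({ line: i + 1, text: text.trim() });
  });
  return { calls, guarded: /\bwindow\.widget\b/.test(source) };
}

// Combine both checks; anything that requests access or runs commands gets read by a human.
function auditWidget(plistXml, source) {
  const access = declaredAccess(plistXml);
  const { calls, guarded } = scanScript(source);
  return { access, calls, guarded, needsReview: access.length > 0 || calls.length > 0 };
}

// Constructed sample widget files (hypothetical, not taken from a real widget).
const SAMPLE_PLIST = `<plist version="1.0"><dict>
  <key>CFBundleName</key><string>Uptime</string>
  <key>AllowSystem</key><true/>
  <key>AllowNetworkAccess</key><false/>
</dict></plist>`;
const SAMPLE_JS = `function refresh() {
  if (window.widget) {
    var out = widget.system("/usr/bin/uptime", null).outputString;
    document.getElementById("out").innerText = out;
  }
}`;

console.log(JSON.stringify(auditWidget(SAMPLE_PLIST, SAMPLE_JS), null, 2));
```

A text match only finds direct widget.system( calls, so the declared access keys are the more reliable of the two signals.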


jDyno
said by rjackson:

said by bobrk:

So it's sort of up to the Dashboard to do security duties?
No, It's Up To You™. Some people might think it's unfair but you shouldn't trust a widget you downloaded any more than you would trust a shell script, Automator workflow, or AppleScript. The good news is it's fairly easy to audit a widget simply because they're scripts, rather than a binary that isn't very human-readable.
Tell that to my 60-year-old mother, for whom I'll be updating her new iBook to Tiger in the coming weeks.

Hell, tell that to my 36-year-old sister, who is a very computer-savvy graphic designer, but wouldn't know what the code meant if you forced her to read it like a EULA every time the widget launched!

It's just not practical, rjackson. Even for me, and I write webdev code for a living. It would be really easy to hide some nefarious stuff in benign-looking code. And tell me, have you opened every single Widget you downloaded before loading it and thoroughly examined every single line to make sure it doesn't do anything you don't expect? C'mon.

And at this point, I'm not even asking for anything too advanced from Dashboard or Automator. I just want even the barest programmatic protections against nefarious stuff, like explicitly telling me that an app requires System or Net access (the current warning is too vague and I even missed that it was asking for access to the SYSTEM, rather than just telling me I'm running something for the first time) and ALSO telling me in idiot terms, why I should care about this.

This isn't about protecting those that know better or can do things to protect themselves. Apple is getting more and more into an uneducated consumer space, and that's a good thing, so they need to do more to protect those that can't protect themselves.
--
Smart Marketing


sporkme
reply to rjackson
said by rjackson:

said by bobrk:

So it's sort of up to the Dashboard to do security duties?
No, It's Up To You™. Some people might think it's unfair but you shouldn't trust a widget you downloaded any more than you would trust a shell script, Automator workflow, or AppleScript. The good news is it's fairly easy to audit a widget simply because they're scripts, rather than a binary that isn't very human-readable.
Eek! That sounds like something you'd overhear in the Windows Help forum.
--
Bush/Cheney '04! - Scared Straight
"Patriotism is supporting your country all the time and your government when it deserves it."