Re: Weather Dashboard Widget


From: peter (Peter da Silva)
Subject: Re: Weather Dashboard Widget
Date: 22:29 on 20 May 2005

> * and of course security
> 
> See, here: http://earthlingsoft.net/ssp/blog/2005/05/x4_dashboard

Dashboard doesn't have any real security problems that I know of. I'm quite
impressed by that, I was afraid that they would put a lot of support for it
in Webkit, but instead they seem to be using something like I/O slaves to
insert the extra functionality into Webcore ONLY when Dashboard itself is
running the widget.

Yeh, the sandbox in Dashboard doesn't work worth a damn, but Dashboard
is just an application environment, it doesn't need a sandbox any more
than iTunes, the Screen Saver manager, or any application that uses Audio
Units does. Just because it uses HTML and Webcore, that doesn't mean it's
sandboxed, that shouldn't mean it's sandboxed, and that can't mean it's
sandboxed... because a sandbox with a hole in it isn't a sandbox, and the
whole point to Dashboard is that it's a hole in a sandbox.

There is a security problem, but it's not in Dashboard, it's in Safari.
It's a combination of an old design flaw, the idea that it's OK for Safari
to pass untrusted objects on to unsandboxed apps, and the erroneous
identification of Dashboard as a sandboxed app. And that security problem
is still there... but it's *not* in Dashboard.


Generated at 10:00 on 23 May 2005 by mariachi 0.52