[prev] [thread] [next] [lurker] [Date index for 2005/05/20]
> * and of course security > > See, here: http://earthlingsoft.net/ssp/blog/2005/05/x4_dashboard Dashboard doesn't have any real security problems that I know of. I'm quite impressed by that, I was afraid that they would put a lot of support for it in Webkit, but instead they seem to be using something like I/O slaves to insert the extra functionality into Webcore ONLY when Dashboard itself is running the widget. Yeh, the sandbox in Dashboard doesn't work worth a damn, but Dashboard is just an application environment, it doesn't need a sandbox any more than iTunes, the Screen Saver manager, or any application that uses Audio Units does. Just because it uses HTML and Webcore, that doesn't mean it's sandboxed, that shouldn't mean it's sandboxed, and that can't mean it's sandboxed... because a sandbox with a hole in it isn't a sandbox, and the whole point to Dashboard is that it's a hole in a sandbox. There is a security problem, but it's not in Dashboard, it's in Safari. It's a combination of an old design flaw, the idea that it's OK for Safari to pass untrusted objects on to unsandboxed apps, and the erroneous identification of Dashboard as a sandboxed app. And that security problem is still there.. but it's <i>not</i> in Dashbaord.There's stuff above here
Generated at 10:00 on 23 May 2005 by mariachi 0.52