Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

  • Subject: Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
  • From: brodhage <email@hidden>
  • Date: Wed, 10 Feb 2016 21:17:01 +0100

Maybe I am wrong (or it is off-topic) - but is this (just) a Sparkle problem?

I have read "Vulnerable Security - There's a lot of vulnerable OS X applications out there" (https://vulnsec.com/2016/osx-apps-vulnerabilities/) - and if I got the idea then browsing the web is insecure.

Why? Because any application accessing web content via the WebView framework (Sparkle, Safari and many other apps) might allow to "launch special / default behaviour" (for example "file://" or "ftp://"; or Safari which starts iTunes if you click a link to any app store resources) and access to "unknown domains" ("other domains" or even worse included OS routines). Correct?

In my opinion, the solution (for the Sparkle problem and browsing the internet) would be to change the WebView framework itself:
1.) If a domain is accessed, then do not allow access to ANY other domain.
2.) If web content (or included resources) tries to access "unusual" resources (like "file://" or "ftp://"; or "http://192.0..."; or whatever) then ask the user for confirmation.

This might not only fix the Sparkle problem, but would give us much more security. HTTP or HTTPS.
And it might stop all these (external) traffic analytics and ads we all do not want to join or see.
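
The two rules proposed in the message above can be approximated inside a single app with the legacy WebView's policy delegate. This is an added example, not part of the original post and not Sparkle's code; the class name `PinnedHostPolicy` and its `allowedHost` property are hypothetical, and it assumes the content is loaded with an HTTPS request to that host. It covers navigations and new-window requests only, not subresource loads.

```objc
#import <Foundation/Foundation.h>
#import <WebKit/WebKit.h>

// Hypothetical policy object for the legacy WebView (not WKWebView).
// Rule 1: stay on one host. Rule 2: refuse "unusual" schemes outright
// (file://, ftp://, plain http://) instead of prompting the user.
@interface PinnedHostPolicy : NSObject <WebPolicyDelegate>
@property (copy) NSString *allowedHost;   // assumption: the one host the view may show
@end

@implementation PinnedHostPolicy

- (BOOL)isAllowedURL:(NSURL *)url {
    NSString *scheme = url.scheme.lowercaseString;
    NSString *host = url.host.lowercaseString;
    // Anything that is not HTTPS is rejected, including file:// and ftp://.
    if (![scheme isEqualToString:@"https"]) return NO;
    // URLs without a host, or with a different host, are rejected.
    return host != nil && [host isEqualToString:self.allowedHost.lowercaseString];
}

// Called for link clicks, redirects and script-driven navigations in any frame.
- (void)webView:(WebView *)webView
decidePolicyForNavigationAction:(NSDictionary *)actionInformation
        request:(NSURLRequest *)request
          frame:(WebFrame *)frame
decisionListener:(id<WebPolicyDecisionListener>)listener {
    if ([self isAllowedURL:request.URL]) {
        [listener use];      // same host over HTTPS: load it
    } else {
        NSLog(@"Blocked navigation to %@", request.URL);
        [listener ignore];   // drop the navigation; nothing is handed to the OS
    }
}

// Called for target="_blank" links and window.open(); never open new windows.
- (void)webView:(WebView *)webView
decidePolicyForNewWindowAction:(NSDictionary *)actionInformation
        request:(NSURLRequest *)request
   newFrameName:(NSString *)frameName
decisionListener:(id<WebPolicyDecisionListener>)listener {
    [listener ignore];
}

@end
```

The owner keeps a strong reference to the policy object and assigns it to the view's `policyDelegate` before the first load, because the delegate property does not retain it.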