Web Kit and security

Yesterday I started working with Web Kit. It’s so easy to get started. What a treat!

One thing I plan to do for NetNewsWire is to make sure JavaScript scripts and plugins and so on don’t run in NetNewsWire, at least by default.

Luckily, there’s an API for this in Web Kit—check out WebPreferences.h. There are methods for enabling and disabling JavaScript, Java, plugins, and even animated images.

Notice that you can have different sets of WebPreferences: you can set up preferences for just your application, so disabling JavaScript doesn’t disable it in Safari, for instance.

Why?

But why do all this? Why turn off JavaScript and Java and so on?

We don’t have experience with Web Kit yet; we don’t know what the security implications are of allowing scripts and plug-ins and so on to run. We can theorize, we can make some pretty good guesses, but we don’t really know, yet.

A least-dangerous example might be this: someone puts a JavaScript script in their RSS feed that causes new windows in NetNewsWire to open in a loop. This would be obnoxious, for sure, but it may not be damaging. Or it may, depending on how the app and the system deal with it. I don’t know.

That’s merely obnoxious (probably)—but are actual security exploits possible? You have to assume the worst.

I don’t want Mac OS X to become like Windows, where untrusted code seems to run all the time from all kinds of sources. (Windows has perhaps gotten better than its reputation; I don’t follow it that closely.)

So, to Mac developers, I’m not saying don’t use Web Kit. Use it. It’s super cool. I’m going to use it.

I’m just saying to pay attention to security, and turn off, at least by default, things like JavaScript.

And be glad that Web Kit allows you to turn off this stuff. It’s a very good thing. Thanks go to the Web Kit team.

29 Jun 2003

Archive