Lab Notes

Musings on Wi-Fi security issues, our product plans, and the general state of the world. Follow up with your comments and complaints to Lab Notes's .

Safari and Auto-Installed Widgets

One of the pretty new features of Tiger is Dashboard, a Konfabulator clone. In a misguided effort to make Dashboard widgets easy to install, Apple added support for a new "meta" tag in Safari that automatically downloads and installs widgets without any user intervention. The second half of that line bears repeating:
automatically downloads and installs widgets without any user intervention
What on Earth were they thinking? Between the Safari and Dashboard teams at Apple, dozens of people must have seen and known about this little "feature" before it shipped, and not one of them raised a red flag? This is the exact kind of security hole that has gotten Microsoft into hot water on multiple occasions.
It gets worse: once the widget has been installed, there is no way to uninstall it, according to Apple's documentation, which says "You cannot remove widgets from the Widget Bar or change their order." Thankfully, this is not true, as you can manually remove the widget by deleting its file from your Library/Widgets directory.
Mike Jackson has suggested a good work-around on Macintouch: changing the permissions of your widgets directory to read-only. From Terminal.app, run the following command:
chmod 0550 ~/Library/Widgets/
With this change in place, Safari will download widgets to the desktop, allowing you to install them manually later.
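The work-around above can be applied and verified in one step, and the widgets already sitting in the directory listed for review. This is an added example, not code from the original post or from Macintouch; the function names are hypothetical, and it assumes widget bundles carry the `.wdgt` extension.

```sh
#!/bin/sh
# Added example: audit and lock down a Dashboard widgets directory.
# Function names are hypothetical; the .wdgt extension is an assumption.

# Print the nine permission characters of a directory, e.g. "r-xr-x---".
dir_mode() {
    ls -ld "$1" | cut -c2-10
}

# Succeed if the owner write bit is set, i.e. new widgets can still be
# dropped into the directory without a manual step.
is_owner_writable() {
    case $(dir_mode "$1") in
        ?w*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print the name of every widget bundle present, one per line, so anything
# you did not install yourself can be deleted by hand.
list_widgets() {
    for w in "$1"/*.wdgt; do
        if [ -e "$w" ]; then basename "$w"; fi
    done
    return 0
}

# Apply chmod 0550 and confirm the resulting mode really is r-xr-x---.
lock_widgets_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 1; }
    chmod 0550 "$dir" || return 1
    [ "$(dir_mode "$dir")" = "r-xr-x---" ] || {
        echo "unexpected mode on $dir: $(dir_mode "$dir")" >&2
        return 1
    }
}

# Stand-alone use: sh script.sh --apply
if [ "${1:-}" = "--apply" ]; then
    target="$HOME/Library/Widgets"
    if is_owner_writable "$target"; then echo "writable, locking: $target"; fi
    lock_widgets_dir "$target" && list_widgets "$target"
fi
```

To install a widget manually later, restore write access with `chmod u+w` on the directory, copy the widget in, and run the lock step again.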
By Periodik Labs on May 9, 2005 9:33 AM