
What are Safe Files?

Safari uses several factors to assess a file you want to download: the file extension, the MIME type, and even what's inside the file. Files such as pictures, movies, sounds, text files, PDF documents, disk images, and ZIP archives are usually considered safe. Mac OS X 10.4 also offers protection against double file extensions (.exe.zip) and other tricks used to hide malicious content.

Other kinds of files may not be safe. Applications, scripts, webarchives, and archives that contain applications or scripts have the potential to do harm. Of course, not all such files are unsafe, but you should exercise caution when opening any such downloaded file.

When Safari is about to download a file or application that it doesn't consider "safe," it'll display this warning:

"The safety of this file cannot be determined. Are you sure you want to download file name?"

"Are you sure you want to download the application name?"

You can then either continue to download the file or stop it.

Enabling Open Safe Files In Safari

In Safari, you can choose whether "safe" files are automatically opened after being downloaded. To change this setting, choose the Preferences command from the Safari menu.

Then select the General pane, and select or deselect the Open "safe" files after downloading setting.

This setting automatically opens downloaded files that Safari defines as safe, but you can't easily add or modify which downloaded files are opened, as you can in the Firefox browser.

While Safari currently has no direct support for adding or modifying safe files, there are other options, noted below.

Old Solution - AppleScript Folder Action

One workaround for automatically opening files downloaded with Safari that aren't considered "safe" was to use an AppleScript Folder Action. It automatically opens "safe" files after you download or copy them to the designated folder.

For example, I administrate about 50 kiosks in our library. Our kiosks don't load Finder or the Dock, and we restrict anonymous access to library resources using an open source proxy server, Privoxy <www.privoxy.org>. The issue we ran into originally was that we have many databases that are only accessible using Citrix, and the downloaded ICA file wouldn't automatically be opened. So our users couldn't access the database using Citrix on the kiosks until we implemented the following AppleScript Folder Action:

-- File extensions that are opened automatically when they land in the folder
property auto_open_list : {"ica"}

on adding folder items to this_folder after receiving these_items
	try
		repeat with i from 1 to number of items in these_items
			set this_item to item i of these_items
			set the item_info to the info for this_item
			-- Open the item only if its extension is on the list
			if (the name extension of the item_info is in the auto_open_list) then
				tell application "Finder"
					open this_item
				end tell
			end if
		end repeat
	on error error_message number error_number
		-- Ignore error -128 (user canceled); report anything else
		if the error_number is not -128 then
			tell application "Finder"
				activate
				display dialog error_message buttons {"Cancel"} default button 1 giving up after 120
			end tell
		end if
	end try
end adding folder items to

We set Safari's download folder to the Desktop and set the folder action to this script. We could add file extensions to the auto_open_list if we wanted to auto-open additional downloaded files, but we were only concerned with Citrix .ica files in our kiosk environment.

New Solution - Download Security Assessment

Mac OS X 10.4 ships with a system-wide default configuration for download security assessment, but each user can set up a configuration file that OVERRIDES the system defaults.

The user's configuration file is an XML property list file located in the user's Preferences folder and named com.apple.DownloadAssessment.plist (i.e. ~/Library/Preferences/com.apple.DownloadAssessment.plist).

Each top-level key in the plist dictionary names a "risk category". The risk categories determine what happens with a file when it is downloaded.

Here is a summary of the risk category keys to use in the configuration file:

LSRiskCategorySafe
Safe file types are auto-opened after download (if the user enables auto-open in Safari).

LSRiskCategoryNeutral
Neutral files are not auto-opened, but also do not trigger a download warning. File types not put into another category by the system's default configuration are assumed to be neutral.

LSRiskCategoryUnsafeExecutable
This category is for any kind of executable program, binary, script, etc. In Mail/Safari, downloading a file in this category triggers a warning to the user ("This file is an application...").

LSRiskCategoryMayContainUnsafeExecutable
This category includes container formats such as archives and disk images. A user warning will be triggered unless Mail or Safari is able to examine the contents and determine that all the contained files are safe or neutral.

The value of each risk category key in the config file is a dictionary that describes the category's member file type(s). File types are preferably identified by uniform type identifiers, but when a uniform type identifier isn't available, filename extensions or MIME types can also be used.

The file type dictionary uses the following keys:

LSRiskCategoryContentTypes
Value is an array of uniform type identifiers.

LSRiskCategoryExtensions
Value is an array of filename extensions.

LSRiskCategoryMIMETypes
Value is an array of MIME types.

Now, I think the best thing to do is give some examples to illustrate how these keys are used.

Example 1 - Citrix ICA Files Safe

The following config file declares Citrix ICA files to be "safe". Since the uniform type identifier is used (com.citrix.ICAClient.plist), any valid ICA Client extension or MIME type will be considered safe.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>LSRiskCategorySafe</key>
	<dict>
		<key>LSRiskCategoryContentTypes</key>
		<array>
			<string>com.citrix.ICAClient.plist</string>
		</array>
	</dict>
</dict>
</plist>

Example 2 - Files with extension foobar to be Unsafe

The following config file declares files with extension "foobar" to be "unsafe":

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>LSRiskCategoryUnsafeExecutable</key>
	<dict>
		<key>LSRiskCategoryExtensions</key>
		<array>
			<string>foobar</string>
		</array>
	</dict>
</dict>
</plist>

Example 3 - Applications to be Neutral

This config file declares applications to be "neutral". It overrides the system config to avoid the warning alert that appears when downloading applications. Since the UTI for generic applications is used, the override applies to both application bundles and file-based (CFM) applications:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>LSRiskCategoryNeutral</key>
	<dict>
		<key>LSRiskCategoryContentTypes</key>
		<array>
			<string>com.apple.application</string>
		</array>
	</dict>
</dict>
</plist>
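
Because a per-user com.apple.DownloadAssessment.plist overrides the system defaults, entries under LSRiskCategorySafe or LSRiskCategoryNeutral remove auto-open or warning protection for the listed types. The following Python audit is an added example, not part of the original page or of Apple's tooling; the function names and the embedded sample plist (built from the three examples above) are constructed for illustration.

```python
import plistlib

# Categories from the page. Safe types may auto-open and Neutral types skip the
# download warning, so entries under either can relax the system defaults.
RELAXING = {"LSRiskCategorySafe", "LSRiskCategoryNeutral"}
STRICT = {"LSRiskCategoryUnsafeExecutable", "LSRiskCategoryMayContainUnsafeExecutable"}
TYPE_KEYS = ("LSRiskCategoryContentTypes", "LSRiskCategoryExtensions",
             "LSRiskCategoryMIMETypes")

# Constructed sample input that combines the page's three example overrides.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>LSRiskCategorySafe</key>
  <dict><key>LSRiskCategoryContentTypes</key>
    <array><string>com.citrix.ICAClient.plist</string></array></dict>
  <key>LSRiskCategoryNeutral</key>
  <dict><key>LSRiskCategoryContentTypes</key>
    <array><string>com.apple.application</string></array></dict>
  <key>LSRiskCategoryUnsafeExecutable</key>
  <dict><key>LSRiskCategoryExtensions</key>
    <array><string>foobar</string></array></dict>
</dict>
</plist>
"""


def audit_download_assessment(plist_bytes):
    """Return (severity, category, type_key, value) for each override entry."""
    config = plistlib.loads(plist_bytes)  # accepts XML or binary plists
    findings = []
    for category, members in config.items():
        if category not in RELAXING | STRICT or not isinstance(members, dict):
            findings.append(("unrecognized", category, None, None))
            continue
        severity = "relaxed" if category in RELAXING else "stricter"
        for type_key in TYPE_KEYS:
            for value in members.get(type_key, []):
                findings.append((severity, category, type_key, value))
    return findings


def relaxed_overrides(plist_bytes):
    """Entries that lower protection and deserve review on managed Macs."""
    return [f for f in audit_download_assessment(plist_bytes) if f[0] == "relaxed"]


if __name__ == "__main__":
    for finding in audit_download_assessment(SAMPLE_PLIST):
        print(*finding)
```

To audit a real account, pass the bytes read from ~/Library/Preferences/com.apple.DownloadAssessment.plist to audit_download_assessment instead of the sample.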