WebKit fun




Posted by: stak
Posted on: 2010-12-17 00:22:52

So I decided to try to implement the cookie thing I posted about a few days ago. I grabbed a git clone of the WebKit source and built it on my Mac. After poking around for a bit, I found the relevant cookie jar code for the Mac platform. Turns out the cookies are actually stored in a system-global singleton cookie jar on Mac OS X (Documentation link).

Well, that's kind of weird and unexpected. Does that mean every app running on my machine has access to my Safari cookies? Let's see... So I wrote a quick Objective-C test app to access the sharedHTTPCookieStorage, and sure enough, I could read out cookies that were set from Safari.

I'm not sure this is a security hole per se, since all apps running on my machine are supposed to be trusted. If there's anything malicious there, then it can do worse than steal cookies. But still, to me this seems like a rather odd design decision. I guess it makes sense if you want to have a more unified experience for all apps across your platform. However, it's interesting to note that on iOS, the cookies are not shared across applications. Maybe Apple decided that the potential cost wasn't worth the benefit?

Anyway, since I can't trivially change the WebKit cookie jar code, at least on the Mac platform, I guess it's time to dive into Mozilla instead...

(c) Kartikaya Gupta, 2004-2024. User comments owned by their respective posters. All rights reserved.