Friday, July 17, 2015 [Tweets] [Favorites]

Security-Scoped Bookmarks and .webarchive Files

Matthias Gansrigler:

The bug itself is described fairly easily. You have a .webarchive file you’d like to move using Yoink. So you drag it onto the app and then move it from Yoink to the actual destination. Business as usual.

Only that now, instead of opening the webarchive in your standard browser when double-clicked, above’s warning is shown.

[…]

There are two ways a security-scoped bookmark can be created – either with read and write access, or read-access only (NSURLBookmarkCreationWithSecurityScope or it plus NSURLBookmarkCreationSecurityScopeAllowOnlyReadAccess).

I don’t know why this causes the issue, but changing the bookmark creation options from read and write access to read-access only fixed the issue (and moving the file is still possible with Yoink). It definitely looks like a sandbox bug to me.

Why should an app-internal bookmark (mind you, it’s only a reference to a file, not the file itself, created from an NSURL object) write to and change the webarchive’s file so that it a) can’t be opened anymore and b) shows the bookmark-creating-app as its creator?

Minor correction: all the .webarchive files I’ve seen are binary property lists, not bundles.

1 Comment

[…] .webarchive files are¬†binary property lists (thank you, Michael Tsai¬†(@mjtsai on twitter) for the correction), I tried other property list files (for example, .plist files), but none exhibited the same […]

Stay up-to-date by subscribing to the Comments RSS Feed for this post.

Leave a Comment