Tuesday, January 14, 2020

The Security of Safari Extensions

Jeff Johnson:

Every Safari extension that runs JavaScript — in other words, almost every Safari extension — will have these same warnings, so what are users supposed to do with the warnings? Avoid Safari extensions entirely? Then why does Apple provide a developer API for Safari extensions, if they aren’t meant to be used? Why are Safari extensions available in the Mac App Store? Why does Apple advertise that they’re available in the Mac App Store? You get the feeling that different teams within Apple are not on the same page here, and they’re giving unhelpful mixed messages to users.


In general, my view is that you shouldn’t install software on your Mac unless you trust the developer. You can’t rely on the system to protect you from malicious software, because there are always vulnerabilities and ways to get around the system.

It’s a recurring theme. Without the scary warning, Apple gets blamed for any problems. With the warning, developers blame Apple for scaring customers away from their products, and if anything bad happens everyone blames the customer for ignoring the warning that they had no way to evaluate.



Kevin Schumacher

I realize this is not the focus of the article here, but did he need to spend half a paragraph first claiming his restricted license Safari extension is "open source"* but since it's copyrighted** it would be "very illegal" to distribute it and he will "prosecute violations with extreme prejudice"***?

There's so much wrong with just that paragraph that it makes me question why anybody's bothering to listen to anything else he has to say. (Yeah, he's not wrong about the rest of it, but it's still curious.)

* It's not, it's visible source due to the nature of JavaScript and app bundles.
** Nearly all software is, including most open source; the license dictates what rights you have, and you don't have any rights for his software aside from running it yourself.
*** Extremely unlikely unless he makes a lot more from it than he lets on, given the cost of a copyright lawsuit, even from the plaintiff's side.

Kevin, it shouldn't be surprising that I'm worried about people appropriating my source code after I told everyone exactly where to find it. Your comment is bad, and you should feel bad.

Kevin should not feel bad, Jeff. I appreciate that you are protective of your source code, but that paragraph in your essay reads as oddly aggressive and needlessly distracts from the point you're making, and wouldn't be necessary in the first place if you didn't initially claim that your code was open source, which, as Kevin points out, it is only if one uses a definition of "open source" that is very different from most people's.

Saying that "JavaScript that gets loaded into web pages is open source" just isn't true. Also, saying something along the lines of "my code is copyrighted, so distributing it without permission is illegal" is also an odd thing to say, since all code, including open-sourced code, is copyrighted (with some small exceptions in some specific countries). Open-source licenses depend on copyright laws; they would not be enforceable if the code they cover wasn't copyrighted.

And finally, code theft isn't an actual problem to begin with, since a product's existing, written code represents only a tiny portion of that product's value. It just doesn't make sense to steal other people's code, apart from very specific situations (typically, when code theft occurs, the intention is not to sell it, but to do something like analyze it to find security issues).

To be clear, you should *also* not feel bad. Your article makes an important point, and I appreciate that you wrote it.

Lukas, it's ok if you found the paragraph a little distracting — I did intend it to be somewhat aggressive — and I appreciate that you said "Your article makes an important point", but keep in mind that Kevin said "it makes me question why anybody's bothering to listen to anything else he has to say", which is a ridiculously exaggerated criticism. I literally said "open source, in a sense". In other words, to be interpreted very broadly. I find it overly pedantic to argue whether I should have said "open source" or "visible source".

I disagree strongly that code theft isn't an actual problem. Over my career I've seen many instances of it, including in the App Store. Some violations have been reported to Apple, but Apple doesn't care about anyone's intellectual property but their own. Even when there's an open source project with a quite permissive license, requiring only attribution, developers *still* violate those licenses.

Sure, open source licenses are violated all the time, but that's almost always a result of ignorance, not malice. People use open-source code in their apps under the assumption that they are using the code as intended by the developer or license holder. That's quite different from stealing somebody's commercially licensed code.

I'm sure there are examples of people actually stealing somebody else's commercial code and selling an application based on that code as their own, but it's rare enough that I can't think of a single instance. Maybe Silicon Knights? But even that is kind of a grey area. Code per se generally has very little value. The value is in the ability to maintain the code, and to legally own and sell products based on it.
