Notice: This program is currently PowerPC only and will not work with Lion 10.7 or any later version of Mac OS X.
SandboxSafari
Flash and Java can't be trusted in today's Web environment, especially on
vintage Power Macs where they haven't been updated in years and are
already known to be exploitable. The safest option is to run them on
something else.
If you're smart, you're running Floodgap's own TenFourFox on your Power Mac already, which
blocks plugins like Flash and certain other kinds of unsafe content, and
fortunately many sites are moving to open HTML5 technologies which TenFourFox
supports. Unfortunately, there are still videos and games that rely on plugins
like Flash and Java which people want to watch and play despite the risk of
attack, and sometimes it's not convenient or possible to run them on a
separate computer.
In that case, SandboxSafari gives you a safer option -- not safe, just
safer. SandboxSafari is not a
completely safe or isolated way to run untrusted code like the Flash plugin
or Flash applets. However, because it has a limited browsing context and
reduced privileges, it can prevent many attacks from succeeding on
your computer and diminish the security risk of these types of sites.
Read this entire page before you use SandboxSafari.
How SandboxSafari works
SandboxSafari works by creating a separate
WebKit context (the same web engine used
by Safari) in a different process
that has very limited functionality and runs as an unprivileged
user (in this case, nobody). This means it runs outside of your
normal browser -- it is in fact intentionally limited so it can't be
your normal browser -- and has reduced access to the operating system and your
files, making it more difficult for a malicious web page or applet (or
hijacked plugin or browser component) to
subvert your system or install software without your permission.
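The privilege drop described above, as an added illustration in C. This is not SandboxSafari's own code, and the page does not say exactly how the app switches users; the pattern shown is the conventional one: a process that starts with root privileges switches permanently to the "nobody" account, checks that root cannot be regained, and refuses to run if any step fails, which is the "refuse to start" behaviour the install steps describe. The account name "nobody", the enum names and the helper names are assumptions for the example.

```c
#define _GNU_SOURCE           /* for setgroups() on Linux; harmless elsewhere */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* Outcome of drop_to_user(). Anything but DROP_OK means "refuse to run". */
enum drop_result {
    DROP_OK = 0,
    DROP_NO_SUCH_USER,     /* target account (e.g. "nobody") is not in the passwd database */
    DROP_NOT_PRIVILEGED,   /* we are not root, so we cannot switch users at all */
    DROP_SETGID_FAILED,
    DROP_SETUID_FAILED,
    DROP_STILL_PRIVILEGED  /* the calls "succeeded" but root could still be regained */
};

/* Pure check used after the switch: every real and effective id must equal the
 * target, and the target itself must not be root. Kept separate from the
 * system calls so it can be tested without actually being root. */
int ids_match_target(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid,
                     uid_t target_uid, gid_t target_gid)
{
    if (target_uid == 0)
        return 0;
    return ruid == target_uid && euid == target_uid &&
           rgid == target_gid && egid == target_gid;
}

/* Permanently switch this process to an unprivileged account. Assumes we start
 * with an effective uid of 0 (for instance, launched through a setuid helper
 * whose permissions an installer has set; that part is an assumption here). */
enum drop_result drop_to_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return DROP_NO_SUCH_USER;
    if (geteuid() != 0)
        return DROP_NOT_PRIVILEGED;

    /* Groups first: once the uid is no longer 0 we may not change them. The
     * supplementary group list is replaced too, or root's groups would leak. */
    if (setgroups(1, &pw->pw_gid) != 0 || setgid(pw->pw_gid) != 0)
        return DROP_SETGID_FAILED;
    if (setuid(pw->pw_uid) != 0)
        return DROP_SETUID_FAILED;

    /* Verify the drop is irreversible: getting root back must now fail, and
     * all four ids must read back as the target. */
    if (setuid(0) == 0 ||
        !ids_match_target(getuid(), geteuid(), getgid(), getegid(),
                          pw->pw_uid, pw->pw_gid))
        return DROP_STILL_PRIVILEGED;
    return DROP_OK;
}

int main(void)
{
    enum drop_result r = drop_to_user("nobody");
    if (r != DROP_OK) {
        /* No privilege drop, no browser: bail out with a diagnostic. */
        fprintf(stderr, "refusing to start: could not drop privileges (code %d)\n", r);
        return 1;
    }
    printf("running as uid %u gid %u\n", (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

Run as an ordinary user the program refuses to start with DROP_NOT_PRIVILEGED, which is the safe default; only when it begins life as root can it reach the verification step. The order of the calls matters: group ids are changed before the uid, because a process that is no longer root may not change them afterwards, and the final setuid(0) probe is what distinguishes a real drop from a temporary one that a plugin could undo.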
SandboxSafari is designed to work in concert with another browser or tool that
feeds it web URLs through Launch Services. Currently, it includes an add-on for
TenFourFox that will let you right-click on a link or any open space on a
page, and send that URL to SandboxSafari. SandboxSafari will automatically
pop open to that page. When you're done using the applet, watching the video
or so on, close SandboxSafari's window to quit the application
and you'll go back to where you were.
What SandboxSafari can't do ... on purpose
SandboxSafari does not let you type in web locations. Only Launch Services
can give it a URL to browse, so you have to connect it to something (like
the included add-on for TenFourFox). There is no
browser chrome and no navigation buttons,
though if you need to back up or copy/paste, there is a
right-click context menu available.
SandboxSafari may let you log into certain sites, but it will not remember
them from session to session (in fact, it can't; see below), and the
controlling browser can't pass it security credentials either. You should
avoid typing passwords into it, though, and especially ones with high security
(see below).
SandboxSafari does not allow multiple tabs or windows. There is only one
window, with only one website at a time,
and when you close it SandboxSafari shuts down. This means you won't
have to keep track of multiple windows which could be doing multiple bad
things.
What you shouldn't do with SandboxSafari
Never enter bank passwords or other high-security information into
anything while
SandboxSafari is running. Some kinds of input methods a hijacked/malicious
plugin can invoke might temporarily
capture all of your keyboard input, even if you don't type it into
SandboxSafari.
In fact, as a general rule,
don't put SandboxSafari into the background. I mean, you can, and
the app won't stop you, but it's designed to launch quickly and it's better
if it only runs if it has to. Quit it if you're not going to use what's
there; don't just switch applications. It'll pop up right away if you need
to go back.
Above all, avoid running SandboxSafari if you possibly can. Just
because it's safer doesn't mean it's safe. TenFourFox does a pretty good
job on many sites, even if I do say so myself, and is significantly better
tested and more secure. I bet you'll find you don't actually have to use
SandboxSafari most of the time to get what you want.
What SandboxSafari can't prevent
Although it can't write
files very easily (except temporary files, which the
operating system will clean up), currently
SandboxSafari can't prevent a hijacked/malicious
plugin or browser component from reading files
unless those files have their permissions set to be unreadable to other users.
(This might mean browser cache or other files, too.)
Network traffic is generally not limited. Although it cannot interfere with
existing traffic or services on your computer, a malicious applet can
temporarily set up its own network connections to try to "phone home", though
they will terminate when SandboxSafari does. A tool like Little Snitch can
alert you to this possibility.
It may be possible for a hijacked/malicious plugin to draw content that can
fool you into entering your secure data into it, like a password prompt that
resembles the operating system. This is another reason you should not type
high-security passwords into your computer while SandboxSafari is running.
Known issues and problems
These issues mostly proceed from the fact that SandboxSafari doesn't run as
you. As a result, there's not a lot that it can do about them either.
- SandboxSafari can't remember its window size or location. It pops up with
the same size in the same place, each time. In fact, it can't remember
settings of any sort, including passwords and cookies, after you quit it.
- SandboxSafari cannot be force-quit (because it's not running as you, so
you're not allowed). If you cannot quit it from its application menu or with
Command-Q, or by closing its single window, you can kill it from the Activity
Monitor (you'll need to enter an administrator password, and you may need to
select Other User Processes to see it).
- SandboxSafari may not be able to cache content as well, meaning some pages
and videos may be slower than usual.
- Although the context menu may offer you a download link, it won't do anything.
- Depending on how your computer is configured, the plugin may not be able to
access your webcam or other devices, but this is probably what you want anyway.
- By default, 10.4 and 10.5 systems may not be able to access certain HTTPS
resources. Leopard WebKit includes an updated security framework which can help
fix this, but that's only an option for 10.5. If you get a blank page which
loaded fine in TenFourFox, that's probably why.
Finally: how to install
So, that didn't scare you off?
- Remember: You use this tool at your own risk. It
will reduce the security of your computer, may expose you to
data theft, and may make your system less stable.
- Remember also: Bug reports are
not accepted unless you have a patch to fix it. The only exception
is to report a security issue over and above the multitude it already has;
all other alleged bugs are subject to this policy. If you send a
report without a fix, it will be ignored, and the reason is because this is
a hack to reduce the exposure surface of obsolete, broken software. Problems
should therefore be expected. If this isn't good enough for you, or you're
having problems and you can't be bothered to figure out why and how to
repair it, don't use SandboxSafari.
- Optional:
It is recommended, though not required, that you update your WebKit
framework (TenFourKit
for 10.4 or Leopard WebKit
for 10.5 are recommended)
and make sure you are using the most current versions of Flash,
Java, etc. available before using SandboxSafari. If you want to
upgrade them after the fact, be sure SandboxSafari is not running when you do.
SandboxSafari uses the versions of WebKit and Flash/Java/other plugins you
have installed on the system.
- Download the dmg (below), unzip it and mount it.
- Drag SandboxSafari.app to your /Applications folder.
You must install it in /Applications. It will not work in any
other location.
- Run SandboxSafari Installer.app. This doesn't actually install
the app; it just patches it up to run. You will need to enter an administrator
password to correctly set its permissions. If you don't do this, SandboxSafari
will refuse to start and give you an error message if it can't drop privileges.
- If you like, double-click the installed SandboxSafari.app to
test it. Assuming you don't get an error, an informational page will appear.
Congratulations. Now quit it before you forget.
- Optional: If you use TenFourFox, and you should, drag
Enabler.xpi to the desktop to copy it,
then drag the desktop copy to any open TenFourFox window to install the
SandboxSafari Enabler in the browser. No restart is required. You can then
right-click on any link, or an open area of the current page, to send that
URL to SandboxSafari (and, if desired, close that tab at the same time).
Just select it from the pop-up menu that appears, and SandboxSafari will
start if necessary and display the URL. (TenFourFox 38.0 or higher is
supported; previous versions of TenFourFox may or may not work.)
Download the package
Zipped disk image (432K). The current
version only supports PowerPC, 10.4 or 10.5. Intel Macs and 10.6+ are not
yet supported.
See our developer page to download source code and
check current issues of interest.
SandboxSafari is provided to you under the terms of the
Floodgap Free Software License.
Changelog
Cameron Kaiser