
Notice: This program is currently PowerPC only and will not work with Lion 10.7 or any later version of Mac OS X.

SandboxSafari


Flash and Java can't be trusted in today's Web environment, especially on vintage Power Macs where they haven't been updated in years and are already known to be exploitable. The safest option is to run them on something else.

If you're smart, you're already running Floodgap's own TenFourFox on your Power Mac, which blocks plugins like Flash and certain other kinds of unsafe content, and fortunately many sites are moving to open HTML5 technologies that TenFourFox supports. Unfortunately, there are still videos and games that rely on plugins like Flash and Java which people want to watch and play despite the risk of attack, and sometimes it's not convenient or possible to run them on a separate computer.

In that case, SandboxSafari gives you a safer option -- not safe, just safer. SandboxSafari is not a completely safe or isolated way to run untrusted code like the Flash plugin or Flash applets. However, because it has a limited browsing context and reduced privileges, it can prevent many attacks from succeeding on your computer and diminish the security risk of these types of sites.

Read this entire page before you use SandboxSafari.

How SandboxSafari works

SandboxSafari works by creating a separate WebKit context (the same web engine used by Safari) in a different process that has very limited functionality and runs as an unprivileged user (in this case, nobody). This means it runs outside of your normal browser -- it is in fact intentionally limited so it can't be your normal browser -- and has reduced access to the operating system and your files, making it more difficult for a malicious web page or applet (or hijacked plugin or browser component) to subvert your system or install software without your permission.
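Dropping privileges is the core of this design, so here is an added illustration of how such a drop is done and, just as importantly, verified. This is not SandboxSafari's own source (that is on the developer page); it is a standalone C program written for this explanation. It assumes the "nobody" account mentioned above and the standard Unix setgroups/setgid/setuid calls, and it refuses to continue if the drop can't be confirmed.

```c
/* Added example (not SandboxSafari's own code): drop from root to an
 * unprivileged user in the order that is safe on Mac OS X and other
 * Unix systems, then verify the drop actually took hold.  The user name
 * "nobody" comes from the page; everything else is an assumption made
 * for illustration. */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently give up root: supplementary groups first (only root may
 * call setgroups, so it is skipped otherwise), then the group, then the
 * user.  Calling setuid() before setgid() would leave us unable to
 * change group afterwards.  Returns 0 on success, -1 with errno set. */
int drop_to_unprivileged(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* Did the drop really happen?  Real and effective ids must both match;
 * checking geteuid() alone would miss a lingering saved set-user-ID.
 * Returns 1 if the process is running as uid/gid. */
int running_as(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/* The decisive probe: if setuid(0) succeeds after the drop, privileges
 * were never really given up.  Returns 1 when root cannot be regained. */
int cannot_regain_root(void)
{
    return setuid(0) != 0;
}

/* Sandbox-style start-up: refuse to go on if the drop fails or cannot be
 * verified.  Returns 0 only when it is safe to continue. */
int enter_sandbox_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL) {
        fprintf(stderr, "no such user: %s\n", name);
        return -1;
    }
    if (drop_to_unprivileged(pw->pw_uid, pw->pw_gid) != 0) {
        fprintf(stderr, "cannot drop privileges to %s: %s\n",
                name, strerror(errno));
        return -1;
    }
    if (!running_as(pw->pw_uid, pw->pw_gid) || !cannot_regain_root()) {
        fprintf(stderr, "privilege drop to %s did not take effect\n", name);
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Run as root (e.g. via sudo) to see the drop to "nobody"; as an
     * ordinary user it prints why it refused to start. */
    if (enter_sandbox_user("nobody") != 0)
        return 1;
    printf("now running as uid %d, gid %d; root cannot be regained\n",
           (int)getuid(), (int)getgid());
    return 0;
}
```

Order matters: groups first, then user, because once setuid() has succeeded the process can no longer change its group. The final setuid(0) probe is what distinguishes a permanent drop from a mere change of effective UID that could be undone.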

SandboxSafari is designed to work in concert with another browser or tool that feeds it web URLs through Launch Services. Currently, it includes an add-on for TenFourFox that will let you right-click on a link or any open space on a page, and send that URL to SandboxSafari. SandboxSafari will automatically pop open to that page. When you're done using the applet, watching the video or so on, close SandboxSafari's window to quit the application and you'll go back to where you were.

What SandboxSafari can't do ... on purpose

SandboxSafari does not let you type in web locations. Only Launch Services can give it a URL to browse, so you have to connect it to something (like the included add-on for TenFourFox). There is no browser chrome and no navigation buttons, though if you need to back up or copy/paste, there is a right-click context menu available.

SandboxSafari may let you log into certain sites, but it will not remember them from session to session (in fact, it can't; see below), and the controlling browser can't pass it security credentials either. You should avoid typing passwords into it, though, and especially high-security ones (see below).

SandboxSafari does not allow multiple tabs or windows. There is only one window, with only one website at a time, and when you close it SandboxSafari shuts down. This means you won't have to keep track of multiple windows which could be doing multiple bad things.

What you shouldn't do with SandboxSafari

Never enter bank passwords or other high-security information into anything while SandboxSafari is running. Some kinds of input methods a hijacked/malicious plugin can invoke might temporarily capture all of your keyboard input, even if you don't type it into SandboxSafari.

In fact, as a general rule, don't put SandboxSafari into the background. I mean, you can, and the app won't stop you, but it's designed to launch quickly and it's better if it only runs if it has to. Quit it if you're not going to use what's there; don't just switch applications. It'll pop up right away if you need to go back.

Above all, avoid running SandboxSafari if you possibly can. Just because it's safer doesn't mean it's safe. TenFourFox does a pretty good job on many sites, even if I do say so myself, and is significantly better tested and more secure. I bet you'll find you don't actually have to use SandboxSafari most of the time to get what you want.

What SandboxSafari can't prevent

Although it can't write files very easily (except temporary files, which the operating system will clean up), currently SandboxSafari can't prevent a hijacked/malicious plugin or browser component from reading files unless those files have their permissions set to be unreadable to other users. (This might mean browser cache or other files, too.)
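To see what that caveat means for your own files, here is an added example (not part of SandboxSafari) that lists the entries of a directory whose "other" permission bits would let a different user such as nobody read them. It judges by mode bits only, not ACLs or group membership, and the temporary directory it builds for its own demonstration is constructed for the example.

```c
/* Added example (not SandboxSafari's own code): report entries of a
 * directory that a different, unprivileged user such as "nobody" could
 * read, judged from the "other" permission bits.  Anything reported is
 * within reach of a hijacked plugin running under a sandbox like this.
 * The fixture directory and file names below are constructed. */
#define _DEFAULT_SOURCE 1
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* A regular file is other-readable if S_IROTH is set; a directory also
 * needs S_IXOTH for its entries to be reachable.  ACLs and the case where
 * "nobody" happens to share the file's group are not considered. */
int readable_by_other(const struct stat *st)
{
    if (S_ISDIR(st->st_mode))
        return (st->st_mode & S_IROTH) && (st->st_mode & S_IXOTH);
    return (st->st_mode & S_IROTH) != 0;
}

/* Count (and, if verbose, print) the other-readable entries of dir.
 * Symlinks are skipped.  Returns the count, or -1 if dir can't be opened. */
int count_other_readable(const char *dir, int verbose)
{
    DIR *d = opendir(dir);
    struct dirent *ent;
    int count = 0;
    char path[4096];

    if (d == NULL)
        return -1;
    while ((ent = readdir(d)) != NULL) {
        struct stat st;
        if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
            continue;
        snprintf(path, sizeof path, "%s/%s", dir, ent->d_name);
        if (lstat(path, &st) != 0 || S_ISLNK(st.st_mode))
            continue;
        if (readable_by_other(&st)) {
            count++;
            if (verbose)
                printf("other-readable: %s (mode %04o)\n", path,
                       (unsigned)(st.st_mode & 07777));
        }
    }
    closedir(d);
    return count;
}

/* Constructed fixture: a private temp directory holding one 0600 file and
 * one 0644 file.  fchmod is used so the caller's umask can't change the
 * result.  Writes the directory path into buf; returns 0 on success. */
int make_fixture(char *buf, size_t buflen)
{
    char tmpl[] = "/tmp/sbsafari-XXXXXX";
    char path[4096];
    int fd;

    if (mkdtemp(tmpl) == NULL || strlen(tmpl) + 1 > buflen)
        return -1;
    strcpy(buf, tmpl);
    snprintf(path, sizeof path, "%s/private.txt", tmpl);
    if ((fd = open(path, O_WRONLY | O_CREAT, 0600)) < 0 || fchmod(fd, 0600) != 0)
        return -1;
    close(fd);
    snprintf(path, sizeof path, "%s/public.txt", tmpl);
    if ((fd = open(path, O_WRONLY | O_CREAT, 0644)) < 0 || fchmod(fd, 0644) != 0)
        return -1;
    close(fd);
    return 0;
}

/* Builds the fixture and audits it: exactly one entry (public.txt) should
 * come back as other-readable. */
int fixture_other_readable_count(void)
{
    char dir[4096];
    if (make_fixture(dir, sizeof dir) != 0)
        return -1;
    return count_other_readable(dir, 0);
}

int main(int argc, char **argv)
{
    /* With a directory argument, audit it; otherwise run the fixture. */
    if (argc > 1)
        return count_other_readable(argv[1], 1) < 0;
    printf("%d other-readable entries in the constructed fixture\n",
           fixture_other_readable_count());
    return 0;
}
```

Run it against your home directory (for example with ~ as the argument) before starting SandboxSafari; anything it reports is readable by a plugin running as nobody, and chmod o-r (o-rx for directories) closes it off. It only looks one level deep, which is usually enough to catch browser profiles and caches sitting in the home directory itself.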

Network traffic is generally not limited. Although it cannot interfere with existing traffic or services on your computer, a malicious applet can temporarily set up its own network connections to try to "phone home", though they will terminate when SandboxSafari does. A tool like Little Snitch can alert you to this possibility.

It may be possible for a hijacked/malicious plugin to draw content that can fool you into entering your secure data into it, like a password prompt that resembles the operating system. This is another reason you should not type high-security passwords into your computer while SandboxSafari is running.

Known issues and problems

These issues mostly stem from the fact that SandboxSafari doesn't run as you. As a result, there's not a lot it can do about them either.

Finally: how to install

So, that didn't scare you off?

  1. Remember: You use this tool at your own risk. It will reduce the security of your computer, may expose you to data theft, and may make your system less stable.

  2. Remember also: Bug reports are not accepted unless you have a patch to fix it. The only exception is to report a security issue over and above the multitude it already has; all other alleged bugs are subject to this policy. If you send a report without a fix, it will be ignored, and the reason is because this is a hack to reduce the exposure surface of obsolete, broken software. Problems should therefore be expected. If this isn't good enough for you, or you're having problems and you can't be bothered to figure out why and how to repair it, don't use SandboxSafari.

  3. Optional: It is recommended, though not required, that you update your WebKit framework (TenFourKit for 10.4 or Leopard WebKit for 10.5 are recommended) and make sure you are using the most current versions of Flash, Java, etc. available before using SandboxSafari. If you want to upgrade them after the fact, be sure SandboxSafari is not running when you do. SandboxSafari uses the versions of WebKit and Flash/Java/other plugins you have installed on the system.

  4. Download the dmg (below), unzip it and mount it.

  5. Drag SandboxSafari.app to your /Applications folder. You must install it in /Applications. It will not work in any other location.

  6. Run SandboxSafari Installer.app. This doesn't actually install the app; it just patches it up to run. You will need to enter an administrator password to correctly set its permissions. If you don't do this, SandboxSafari will refuse to start and give you an error message if it can't drop privileges.

  7. If you like, double-click the installed SandboxSafari.app to test it. Assuming you don't get an error, an informational page will appear. Congratulations. Now quit it before you forget.

  8. Optional: If you use TenFourFox, and you should, drag Enabler.xpi to the desktop to copy it, then drag the desktop copy to any open TenFourFox window to install the SandboxSafari Enabler in the browser. No restart is required. You can then right-click on any link, or an open area of the current page, to send that URL to SandboxSafari (and, if desired, close that tab at the same time). Just select it from the pop-up menu that appears, and SandboxSafari will start if necessary and display the URL. (TenFourFox 38.0 or higher is supported; previous versions of TenFourFox may or may not work.)

Download the package

Zipped disk image (432K). The current version only supports PowerPC, 10.4 or 10.5. Intel Macs and 10.6+ are not yet supported.

See our developer page to download source code and check current issues of interest.

SandboxSafari is provided to you under the terms of the Floodgap Free Software License.

Changelog


Cameron Kaiser