App-Scoped vs. Document-Scoped Security-Scoped Bookmarks - macos

Quick Question:
I'm working on a document based application in OS X. Can I use an App-Scope bookmark to gain access to a file, or must it be a document-scope bookmark?
I understand that any app can use both of these, but I wasn't sure if perhaps the app-scope bookmark can't be accessed by a specific document of that app.
I initially implemented an app-based scope bookmark and when I attempt to startAccessing it, it always returns FALSE.
Wondering if I will need to change this to a Document-scope to get it to work.
Here's a link to my other question which shows the actual code:
Security Scoped Bookmark - startAccessing always returns FALSE and Resolved URL doesn't work
Thanks!

Related

What does startAccessingSecurityScopedResource() actually do?

I'm making a sandboxed Mac app, and I used NSOpenPanel to get a file URL, and saved it to UserDefaults as a security-scoped bookmark. When I quit and restart the app, I can resolve that blob of Data into a URL again.
The documentation says I should call startAccessingSecurityScopedResource(), and check its return value. (That does return true when I call it.) But if I don't call that, I've still got a resolved URL, and I still appear to have permissions to access it.
What does startAccessingSecurityScopedResource() actually do? Is there anything bad that can happen, if I don't call it?
As long as your app only accesses files in standard locations (Downloads, Music
Movies, Pictures) and you included the required entitlements for programmatic file and folder access in your app, you don't need to store security scoped bookmarks for those locations.
But for other locations that should remain accessible after the app has been restarted, you should store security scoped bookmarks and call startAccessingSecurityScopedResource() before access. If you skip that step, you'll get an exception as soon as you try to access that file.
startAccessingSecurityScopedResource() makes the security scoped bookmark's resource available to your app's sandbox thus granting you access to that resource.

sandbox :get NSData using bookmarkDataWithOptions method of NSURL without NSOpenPanel

I enabled sandbox and I want to create data by bookmarkDataWithOptions.
If the URL is created by NSPanel that work very well. But, If I obtain URL without using NSOpenPanel, the bookmarkDataWithOptions method always return nil. why?
thank about If I want to set a special folder default can read/write without using NSOpenPanel.
How can i do?
Thanks
The main feature of the Sandbox is security. If an application could read/write an arbitrary folder without user permission, the security would be broken.
The App Sandbox Design Guide states clearly:
• Simulation of user input in Open and Save dialogs:
if your app depends on programmatically manipulating Open or Save dialogs to simulate or alter user input, your app is unsuitable for sandboxing.
The only way to achieve something similar, is to add a read/write entitlement to one of the preset directories (Documents, Pictures, Music, etc…). For further documentation, take a look at this guide.

Document-scope, Security scoped bookmarks for file packages

I'm trying to create document-scope security scoped bookmarks for file packages. That is, directories where NSURLIsPackageKey is YES. I know you're not normally supposed to be able to create document-scope bookmarks to directories, but I would have expected packages to be exempt from that (after all, I get access to them using an NSOpenPanel which isn't allowed to select directories, but there's no problem there).
I've got my entitlements set up with com.apple.security.files.bookmarks.document-scope = true, and I'm doing a basic bookmark creation call with a file URL that I've just received from an NSOpenPanel (so I have access):
NSError *bookmarkError = nil;
NSData *bookmark = [fileURL
bookmarkDataWithOptions:NSURLBookmarkCreationWithSecurityScope
includingResourceValuesForKeys:nil
relativeToURL:[self fileURL]
error:&bookmarkError];
After this call though, both bookmark and bookmarkError are nil.
Do I just need to give up on this and create app-scope bookmarks, even though I have a document-based app? That seems inappropriate, but I don't see another workaround.
I asked about this elsewhere and was told:
...we didn't implement support for it because it's complicated and there have been very few requests for it.
So that's that, you can't create this kind of bookmark because it's not implemented. I also filed a bug with Apple but the response just quoted the docs at me (i.e. telling me stuff I already knew and had mentioned in my report) before closing it. So, as of now and probably for the foreseeable future, this is not possible.

How do I access the Request object from RazorViewEngine?

I have subclassed RazorViewEngine so I can check for Request.Browser.IsMobileDevice and add a special mobile identifier to the view file name for it to grab. However I can't access the Request object. What should I do?
You can use either the HttpContext.Current.Request or Context.Request. Although understand how that IsMobileDevice works. It uses a browser file which contains a list of known user agents. As soon as a new device is built, that list is outdated, but in some cases may still identify the device to be mobile correctly. The recommended way is to use 51Degrees or to connect to the services it encompasses directly.

How can a bookmarklet access a Firefox extension (or vice versa)

I have written a Firefox extension that catches when a particular URL is entered and does some stuff. My main app launches Firefox with this URL. The URL contains sensitive information so I don't want it being stored in the history.
I'm concerned about the case where the extension is not installed. If its not installed and Firefox gets launched with the sensitive URL, it will get stored in history and there's nothing I can do about it. So my idea is to use a bookmarklet.
I will launch Firefox with "javascript:window.location.href='pleaseinstallthisplugin.html'; sensitiveinfo='blahblah'".
If the extension is not installed they will get redirected to a page that tells them to install it and the sensitive info won't get stored in the history. If the extension IS installed it will grab the information in the sensitiveinfo variable and do its thing.
My question is, can the bookmarklet call a method in the extension to pass the sensitive info (and if so, how) or can the extension catch when javascript is being called in the bookmarklet?
How can a bookmarklet and Firefox extension communicate?
p.s. The alternative means of getting around this situation would be for my main app to launch Firefox and communicate with the extension using sockets but I am loath to do that because I've run into too many issues over the years with users with crazy firewalls blocking socket communication. I'd like to do everything without sockets if possible.
As far as I know, bookmarklets can never access chrome files (extensions).
Bookmarklets are executed in the scope of the current document, which is almost always a content document. However, if you are passing it in via the command line, it seems to work:
/Applications/Namoroka.app/Contents/MacOS/firefox-bin javascript:alert\(Components\)
Accessing Components would throw if it was not allowed, but the alert displays the proper object.
You could use unsafeWindow to inject a global. You can add a mere property so that your bookmarklet only needs to detect whether the global is defined or not, but you should know that, as far as I know, there is no way to prohibit sites in a non-bookmarklet context from also sniffing for this same global (since it may be a privacy concern to some that sites can detect whether they are using the extension). I have confirmed in my own add-on which injects a global in a manner similar to that below that it does work in a bookmarklet as well as regular site context.
If you register an nsIObserver, e.g., where content-document-global-created is the topic, and then unwrap the subject, you can inject your global (see this if you need to inject something more sophisticated like an object with methods).
Here is some (untested) code which should do the trick:
var observerService = Cc['#mozilla.org/observer-service;1'].getService(Ci.nsIObserverService);
observerService.addObserver({observe: function (subject, topic, data) {
var unsafeWindow = XPCNativeWrapper.unwrap(subject);
unsafeWindow.myGlobal = true;
}}, 'content-document-global-created', false);
See this and this if you want an apparently easier way in an SDK add-on (not sure whether SDK postMessage communication would work as an alternative but with the apparently same concern that this would be exposed to non-bookmarklet contexts (i.e., regular websites) as well).

Resources